Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
Please Help Remove Several Viruses
-
07-05-2009 2:27am#1
Comments
-
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 15:09:49
Records in database: 2137740
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
\
E:\
F:\
G:\
Scan statistics:
Files scanned: 72407
Threat name: 18
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 09:13:52
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Application Data\psvr32.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\Documents and Settings\NetworkService\Application Data\psvrr.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe Infected: Trojan-Dropper.Win32.Agent.ajgz 1
C:\Program Files\Native Instruments\TraktorDJStudio3.exe Infected: Trojan-Dropper.Win32.Agent.ajgz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\1000.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ajc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ajc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ftbsgvjb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir Infected: Trojan-PSW.Win32.LdPinch.afag 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qnljfvok.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\thxosj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xnlvdpsf.dll.vir Infected: Trojan.Win32.Agent.bwuo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xxywWPIB.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\avwa.dll Infected: Rootkit.Win32.Podnuha.btn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\part.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe Infected: Trojan-Downloader.Win32.AutoIt.ji 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe Infected: Backdoor.Win32.AutoIt.o 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe Infected: Trojan-Downloader.Win32.AutoIt.ji 1
C:\WINDOWS\system32\dLer.exe Infected: Trojan.Win32.VB.lku 1
C:\WINDOWS\system32\drivers\84e94850.sys Infected: Rootkit.Win32.Agent.kfr 1
C:\WINDOWS\system32\drivers\a57f6859.sys Infected: Rootkit.Win32.Agent.irr 1
C:\WINDOWS\system32\ftp_non_crp.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\WINDOWS\system32\nDler2.exe Infected: Trojan.Win32.VB.mtm 1
C:\WINDOWS\system32\nleowkp.exe Infected: Trojan.Win32.Buzus.aurv 1
C:\WINDOWS\system32\vfhr.exe Infected: Backdoor.Win32.AutoIt.o 1
C:\WINDOWS\system32\winglsetup.exe Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\_OTMoveIt\MovedFiles\03282009_040745\WINDOWS\temp\minisvr4.exe Infected: Trojan-Spy.Win32.AutoIt.c 1
The selected area was scanned.0 -
Microsoft Windows XP Professional (5.1.2600) Service Pack 2
C:\ [Fixed] - NTFS - (Total:149730 Mo/Free:792 Mo)\ [Fixed] - NTFS - (Total:152625 Mo/Free:1725 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
H:\ [Fixed] - NTFS - (Total:476937 Mo/Free:3666 Mo)
I:\ [Fixed] - NTFS - (Total:476937 Mo/Free:3592 Mo)
06/05/2009|18:39
\\ Processes..
--Locked-- [System Process]
System
\SystemRoot\System32\smss.exe
\??\C:\WINDOWS\system32\csrss.exe
\??\C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SoulseekNS\slsk.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Rooter$\RK.exe
\\ Search..
\\ ROOTKIT !!
\\ Cracks & Keygens..
C:\DOCUME~1\ADMINI~1\Desktop\Library\Presets\Audio Effects\Vinyl Distortion\Crack.adv
1 - "C:\Rooter$\Rooter_1.txt" - 06/05/2009|18:40
\\ Scan completed at 18:400 -
hello
Please download OTMoveIt3 by OldTimer- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes explorer.exe :Services :Reg :Files C:\Documents and Settings\Administrator\Application Data\psvr32.exe C:\Documents and Settings\NetworkService\Application Data\psvrr.exe C:\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe C:\Program Files\Native Instruments\TraktorDJStudio3.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe C:\WINDOWS\system32\dLer.exe C:\WINDOWS\system32\drivers\84e94850.sys C:\WINDOWS\system32\drivers\a57f6859.sys C:\WINDOWS\system32\ftp_non_crp.exe C:\WINDOWS\system32\nDler2.exe C:\WINDOWS\system32\nleowkp.exe C:\WINDOWS\system32\vfhr.exe C:\WINDOWS\system32\winglsetup.exe :Commands [purity] [emptytemp] [start explorer] [Reboot]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.0 -
many thanks actorseeksjob. a great help!! I like your optimism, I was waiting for that machine is screwed you'll have to reload windows. noooooo
anyways sorry only getting online now. so here it goes. ill be here for most of the day.
thanks
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bmhacprt.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_9dda1MESl6peUt4Vz2T7 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8B8A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8C3E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF975D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9820.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8TO34DAT\userlogin[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_388.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e00.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05072009_045351
Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bmhacprt.dat not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_9dda1MESl6peUt4Vz2T7 not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8B8A.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8C3E.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF975D.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9820.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8TO34DAT\userlogin[1].htm not found!
C:\WINDOWS\temp\Perflib_Perfdata_388.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_e00.dat not found!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\XUL.mfl moved successfully.0 -
-
Advertisement
-
hi
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:File::
c:\windows\system32\avwa.dll
c:\windows\system32\drivers\a57f6859.sys
c:\windows\system32\winsetupgl.exe
c:\windows\system32\SelfDel.bat
c:\windows\system32\drivers\wucfdzmu.sys
c:\windows\system32\nleowkp.exe
Folder::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}]
Driver::
wucfdzmu
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.0 -
-
-
-
Hi, I Ran ATF Cleaner and in the process of running the Kaspersky scanner, if the last one is anything to go by it will take around 8 hours so it will be tommorow perhaps. in the meantime here is the Malewarebytes log and thanks for your help thus far ive learned a great deal
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2
07/05/2009 11:33:41
mbam-log-2009-05-07 (11-33-41).txt
Scan type: Quick Scan
Objects scanned: 67548
Time elapsed: 3 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)0 -
Advertisement
-
leave kaspersky actually, forgot you had already run it
Download RootRepeal.zip and unzip it to your Desktop.- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
[*]In the next dialog, select all drives showing
[*]Click OK to start the scanNote: The scan can take some time. DO NOT run any other programs while the scan is running[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
To attach a file, do the following:- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on
to insert the attachment into your post
0 -
-
-
-
heres also an antvir scan I just done as its my new antivirus and has detected a few while browsing so I decided to do a scan to see. cheers
Avira AntiVir Personal
Report file date: 07 May 2009 15:21
Scanning for 1383188 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 17/04/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 17/04/2009 16:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 04:33:26
ANTIVIR2.VDF : 7.1.3.137 1810944 Bytes 30/04/2009 17:39:20
ANTIVIR3.VDF : 7.1.3.171 164864 Bytes 07/05/2009 17:39:22
Engineversion : 8.2.0.160
AEVDF.DLL : 8.1.1.1 106868 Bytes 07/05/2009 17:39:36
AESCRIPT.DLL : 8.1.1.79 385403 Bytes 07/05/2009 17:39:36
AESCN.DLL : 8.1.1.10 127348 Bytes 07/05/2009 17:39:34
AERDL.DLL : 8.1.1.3 438645 Bytes 30/10/2008 02:24:41
AEPACK.DLL : 8.1.3.14 397685 Bytes 07/05/2009 17:39:34
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 27/02/2009 04:01:56
AEHEUR.DLL : 8.1.0.122 1737080 Bytes 07/05/2009 17:39:32
AEHELP.DLL : 8.1.2.2 119158 Bytes 27/02/2009 04:01:56
AEGEN.DLL : 8.1.1.39 348532 Bytes 07/05/2009 17:39:24
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 22:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 07/05/2009 17:39:23
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 09/02/2009 19:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 18:19:48
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,
Start of the scan: 07 May 2009 15:21
Starting search for hidden objects.
An ARK library instance is already running.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'BCMSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'MA_CMIDI_Inst.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '55' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\QooBox\Quarantine\C\WINDOWS\system32\ovfsthtjlkrppqdmlqdtfecpkalsxmfynyvvmt.dll.vir
[DETECTION] Is the TR/Tibs.ZA Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\___c00FB010_.dat.zip
[0] Archive type: ZIP
--> __c00FB010.dat
[DETECTION] Is the TR/Vundo.BR.1 Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ovfsthbyfnojdgnuqjunpfbajoghjwsyuaqxpf.sys.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\minisvr4.exe
[DETECTION] Is the TR/Dldr.AutoIt.JK Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\part.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\_OTMoveIt\MovedFiles\03282009_040745\WINDOWS\temp\minisvr4.exe
[DETECTION] Is the TR/Agent.qka Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\Documents and Settings\NetworkService\Application Data\psvrr.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\TraktorDJStudio3.exe
[0] Archive type: RSRC
--> Object
[1] Archive type: CAB (Microsoft)
--> setup.exe
[DETECTION] Is the TR/Agent.xnc Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe
[0] Archive type: RSRC
--> Object
[1] Archive type: CAB (Microsoft)
--> setup.exe
[DETECTION] Is the TR/Agent.xnc Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\dLer.exe
[DETECTION] Is the TR/VB.LKU.3 Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\ftp_non_crp.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nDler2.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nleowkp.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\vfhr.exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\winglsetup.exe
[DETECTION] Is the TR/Drop.Agent.39936 Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\84e94850.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\a57f6859.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
Begin scan in 'D:\' <Local Disc>
Beginning disinfection:
C:\QooBox\Quarantine\C\WINDOWS\system32\ovfsthtjlkrppqdmlqdtfecpkalsxmfynyvvmt.dll.vir
[DETECTION] Is the TR/Tibs.ZA Trojan
[NOTE] The file was moved to '4a696f51.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\___c00FB010_.dat.zip
[NOTE] The file was moved to '4a626f3a.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ovfsthbyfnojdgnuqjunpfbajoghjwsyuaqxpf.sys.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b133c92.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\minisvr4.exe
[DETECTION] Is the TR/Dldr.AutoIt.JK Trojan
[NOTE] The file was moved to '4a716f44.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\part.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
[NOTE] The file was moved to '4a756f3c.qua'!
C:\_OTMoveIt\MovedFiles\03282009_040745\WINDOWS\temp\minisvr4.exe
[DETECTION] Is the TR/Agent.qka Trojan
[NOTE] The file was moved to '4b092b75.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\Documents and Settings\NetworkService\Application Data\psvrr.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
[NOTE] The file was moved to '4a796f4f.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\TraktorDJStudio3.exe
[NOTE] The file was moved to '4a646f4e.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe
[NOTE] The file was moved to '49677b87.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\dLer.exe
[DETECTION] Is the TR/VB.LKU.3 Trojan
[NOTE] The file was moved to '4a686f28.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\ftp_non_crp.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '4a736f50.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nDler2.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a6f6f20.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nleowkp.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4a686f48.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\vfhr.exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
[NOTE] The file was moved to '4a6b6f42.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\winglsetup.exe
[DETECTION] Is the TR/Drop.Agent.39936 Trojan
[NOTE] The file was moved to '4a716f45.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
[NOTE] The file was moved to '4a6b6f3f.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
[NOTE] The file was moved to '4a756f40.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
[NOTE] The file was moved to '4a756f3d.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
[NOTE] The file was moved to '4e437c60.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\84e94850.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a686f11.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\a57f6859.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a3a6f12.qua'!
End of the scan: 07 May 2009 16:29
Used time: 1:06:29 Hour(s)
The scan has been done completely.
6989 Scanned directories
253396 Files were scanned
21 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
21 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
253372 Files not concerned
1482 Archives were scanned
3 Warnings
23 Notes0 -
Your logs are clean
Follow these steps to uninstall Combofix and tools used in the removal of malware- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
- Download OTCleanIt to your desktop and run it
- Click Yes to beginning the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Below I have included a number of recommendations for how to protect your computer against malware infections.- Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer. - SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
- SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
- Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
- ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
- MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
- Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here
If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.- NoScript - for blocking ads and other potential website attacks
- McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
- Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
- ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
- FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.
- Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
- Please read my guide on how to prevent malware and about safe computing here
0 -
-
must be something still there then
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2- Double-click GooredFix.exe to run it.
- Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
- A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Download RootRepeal.zip and unzip it to your Desktop.- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
[*]In the next dialog, select all drives showing
[*]Click OK to start the scanNote: The scan can take some time. DO NOT run any other programs while the scan is running[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
To attach a file, do the following:- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
0 -
-
-
Advertisement
-
-
Hi. sorry I havent gotten back sooner. I said id give it a day or so of browsing and see if It happened again. well it hasnt and all seems fine after doing what you mentioned above. I am absolutely delighted. Pc is really quick also. the best its been in a long long. Id just like to say thanks very much you're an asset on here and have been a wonderful help and ive learned alot. I think if I got riddled again id probably be able to do it myself . 0
Advertisement