Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
Please Help Remove Several Viruses
-
07-05-2009 2:27amHi, I just done an online KASPERSKY ONLINE SCANNER of my entire pc which took hours and im shocked at the results below, cant believe ive gotten so many bleedin viruses. my pc is really slow lately and sometimes when searching googles I get alternative sites instead of the ones I want (typical virus crap) other than that it seems to be fine but all is not well behind the scenes.beorehand I scanned with SuperAntiSpywar, malewarebytes and adaware which only removed tracking cookies. heres a hijack log scan followed by KASPERSKY. Please advise. thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:48, on 06/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SoulseekNS\slsk.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {9463F473-68C6-456C-B517-3DAE115F420B} - C:\WINDOWS\system32\avwa.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F866A733-5470-418C-B6E0-0B921047E5B1} - C:\WINDOWS\system32\avwa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [uiklmnop] C:\WINDOWS\system32\nleowkp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [uiklmnop] C:\WINDOWS\system32\nleowkp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O17 - HKLM\System\CCS\Services\Tcpip\..\{79512720-3E68-429F-96CA-C083889ABCB5}: NameServer = 194.73.106.133,194.74.65.68
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (idrivert) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (tuneup.defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (tuneup.programstatisticssvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 5290 bytes0
Comments
-
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 15:09:49
Records in database: 2137740
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
\
E:\
F:\
G:\
Scan statistics:
Files scanned: 72407
Threat name: 18
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 09:13:52
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Application Data\psvr32.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\Documents and Settings\NetworkService\Application Data\psvrr.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe Infected: Trojan-Dropper.Win32.Agent.ajgz 1
C:\Program Files\Native Instruments\TraktorDJStudio3.exe Infected: Trojan-Dropper.Win32.Agent.ajgz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\1000.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ajc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ajc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ftbsgvjb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir Infected: Trojan-PSW.Win32.LdPinch.afag 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qnljfvok.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\thxosj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xnlvdpsf.dll.vir Infected: Trojan.Win32.Agent.bwuo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xxywWPIB.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\avwa.dll Infected: Rootkit.Win32.Podnuha.btn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\part.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe Infected: Trojan-Downloader.Win32.AutoIt.ji 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe Infected: Backdoor.Win32.AutoIt.o 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.bo 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe Infected: Trojan-Downloader.Win32.AutoIt.ji 1
C:\WINDOWS\system32\dLer.exe Infected: Trojan.Win32.VB.lku 1
C:\WINDOWS\system32\drivers\84e94850.sys Infected: Rootkit.Win32.Agent.kfr 1
C:\WINDOWS\system32\drivers\a57f6859.sys Infected: Rootkit.Win32.Agent.irr 1
C:\WINDOWS\system32\ftp_non_crp.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\WINDOWS\system32\nDler2.exe Infected: Trojan.Win32.VB.mtm 1
C:\WINDOWS\system32\nleowkp.exe Infected: Trojan.Win32.Buzus.aurv 1
C:\WINDOWS\system32\vfhr.exe Infected: Backdoor.Win32.AutoIt.o 1
C:\WINDOWS\system32\winglsetup.exe Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\_OTMoveIt\MovedFiles\03282009_040745\WINDOWS\temp\minisvr4.exe Infected: Trojan-Spy.Win32.AutoIt.c 1
The selected area was scanned.0 -
Microsoft Windows XP Professional (5.1.2600) Service Pack 2
C:\ [Fixed] - NTFS - (Total:149730 Mo/Free:792 Mo)
\ [Fixed] - NTFS - (Total:152625 Mo/Free:1725 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
H:\ [Fixed] - NTFS - (Total:476937 Mo/Free:3666 Mo)
I:\ [Fixed] - NTFS - (Total:476937 Mo/Free:3592 Mo)
06/05/2009|18:39
\\ Processes..
--Locked-- [System Process]
System
\SystemRoot\System32\smss.exe
\??\C:\WINDOWS\system32\csrss.exe
\??\C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SoulseekNS\slsk.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Rooter$\RK.exe
\\ Search..
\\ ROOTKIT !!
\\ Cracks & Keygens..
C:\DOCUME~1\ADMINI~1\Desktop\Library\Presets\Audio Effects\Vinyl Distortion\Crack.adv
1 - "C:\Rooter$\Rooter_1.txt" - 06/05/2009|18:40
\\ Scan completed at 18:400 -
hello
Please download OTMoveIt3 by OldTimer- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes explorer.exe :Services :Reg :Files C:\Documents and Settings\Administrator\Application Data\psvr32.exe C:\Documents and Settings\NetworkService\Application Data\psvrr.exe C:\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe C:\Program Files\Native Instruments\TraktorDJStudio3.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe C:\WINDOWS\system32\dLer.exe C:\WINDOWS\system32\drivers\84e94850.sys C:\WINDOWS\system32\drivers\a57f6859.sys C:\WINDOWS\system32\ftp_non_crp.exe C:\WINDOWS\system32\nDler2.exe C:\WINDOWS\system32\nleowkp.exe C:\WINDOWS\system32\vfhr.exe C:\WINDOWS\system32\winglsetup.exe :Commands [purity] [emptytemp] [start explorer] [Reboot]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.0 -
many thanks actorseeksjob. a great help!! I like your optimism, I was waiting for that machine is screwed you'll have to reload windows. noooooo anyways sorry only getting online now. so here it goes. ill be here for most of the day.
thanks
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bmhacprt.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_9dda1MESl6peUt4Vz2T7 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8B8A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8C3E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF975D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9820.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8TO34DAT\userlogin[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_388.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e00.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05072009_045351
Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bmhacprt.dat not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_9dda1MESl6peUt4Vz2T7 not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8B8A.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8C3E.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF975D.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9820.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8TO34DAT\userlogin[1].htm not found!
C:\WINDOWS\temp\Perflib_Perfdata_388.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_e00.dat not found!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\XUL.mfl moved successfully.0 -
ComboFix 09-05-06.08 - Administrator 07/05/2009 5:16.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.353.1033.18.1271.978 [GMT -7:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\84e94850.sys
c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\drivers\ovfsthbyfnojdgnuqjunpfbajoghjwsyuaqxpf.sys
c:\windows\system32\ovfsthaskyqyxxrmmyxiehsdixpuofyvjjkqgq.dat
c:\windows\system32\ovfsthcexnihigkelpnrwjnsclnnhmnyqtxfop.dll
c:\windows\system32\ovfsthebotapejvxorvepmtvoyvoysepcvlnmf.dll
c:\windows\system32\ovfsthgkalpoigykoeljtwpverdgkyokcnsmgl.dll
c:\windows\system32\ovfsthjthfctknrsameobrjsxunpvctdjaurtn.dat
c:\windows\system32\ovfsthtjlkrppqdmlqdtfecpkalsxmfynyvvmt.dll
c:\windows\system32\ovfsthvgrrnlrpxnxocbavdqjyevviqmwerfhw.db
c:\windows\system32\plugin.dat
C:\xcrashdump.dat
c:\windows\system32\avwa.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_ovfsthrqufiyoddwoityxlmnarowakeclktxai
\Service_84e94850
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.
2009-05-07 11:53 . 2009-05-07 12:21 105170 ----a-w c:\windows\system32\drivers\a57f6859.sys
2009-05-07 01:39 . 2009-05-07 01:40
d
w C:\Rooter$
2009-05-06 13:56 . 2009-05-06 13:56
d
w c:\program files\Java
2009-04-24 05:16 . 2009-04-24 05:16
d
w c:\documents and settings\Administrator\Application Data\MixMeister Technology
2009-04-24 05:15 . 2009-04-24 05:17
d
w c:\program files\MixMeister Fusion
2009-04-21 03:16 . 2009-04-21 03:16
d
w c:\program files\MSN Messenger
2009-04-21 03:07 . 2009-04-21 17:30
d
w c:\windows\SxsCaPendDel
2009-04-08 18:46 . 2009-04-08 18:46 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-08 18:46 . 2008-12-11 20:31 27904 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-08 18:46 . 2009-04-08 18:46 360192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-08 18:46 . 2009-04-08 18:46
d
w c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-04-08 18:45 . 2009-04-08 18:45
d
w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-08 18:45 . 2009-04-08 18:46
d
w c:\program files\TuneUp Utilities 2009
2009-04-08 18:45 . 2009-04-08 18:45
d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-08 15:45 . 2009-04-08 15:45 38400 ----a-w c:\windows\system32\winsetupgl.exe
2009-04-07 23:45 . 2009-04-24 10:22 155 ----a-w c:\windows\system32\SelfDel.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 12:18 . 2009-03-22 20:54 96256 ----a-w c:\windows\system32\avwa.dll
2009-05-07 11:53 . 2009-03-02 17:45
d
w c:\program files\Native Instruments
2009-05-06 13:57 . 2009-02-02 21:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-06 13:41 . 2008-07-01 23:03
d
w c:\program files\SUPERAntiSpyware
2009-05-06 13:39 . 2008-05-19 23:23
d
w c:\program files\DEFRAGER
2009-04-28 23:29 . 2008-05-04 18:11
d
w c:\program files\Common Files\Adobe
2009-04-28 23:21 . 2008-05-14 02:21
d
w c:\program files\Common Files\Real
2009-04-28 23:18 . 2008-10-01 21:53
d
w c:\program files\VirtualDJ
2009-04-28 23:17 . 2008-05-09 16:10
d
w c:\program files\MagicISO
2009-04-09 14:12 . 2008-12-11 21:22
d
w c:\program files\Mixed In Key 4
2009-04-08 19:32 . 2008-05-13 17:30
d
w c:\program files\Exact Audio Copy
2009-04-06 19:39 . 2009-04-06 19:18
d
w c:\program files\ASIO4ALL v2
2009-03-30 20:24 . 2008-05-02 08:22 52528 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 11:07 . 2009-03-28 11:05
d
w c:\program files\Microsoft Windows OneCare Live
2009-03-24 19:11 . 2008-05-02 19:26
d
w c:\program files\Google
2009-03-22 20:08 . 2009-02-02 13:14
d
w c:\program files\M-Audio
2009-03-22 18:37 . 2009-03-22 18:37
d
w c:\program files\Common Files\Native Instruments
2009-03-22 18:03 . 2009-02-26 21:26
d
w c:\program files\Soulseek old
2009-03-21 20:30 . 2009-03-20 18:20
d
w c:\program files\Microsoft Silverlight
2009-03-20 18:20 . 2009-03-20 18:20
d
w c:\program files\Microsoft Office Outlook Connector
2009-03-20 18:15 . 2009-03-20 18:15
d
w c:\program files\Microsoft
2009-02-09 10:19 . 2004-08-04 10:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-08-07 18:34 . 2008-08-07 18:34 117075 ----a-w c:\program files\PeakLimit.zip
2008-05-20 01:33 . 2008-05-20 01:34 483809 -c--a-w c:\program files\ntregopt-setup.exe
2008-05-02 21:19 . 2008-05-02 21:19 1722880 -c--a-w c:\program files\ZuneDesktopTheme(2).msi
2006-03-20 22:37 . 2008-05-24 09:46 5689344 ----a-w c:\program files\mplayerc.exe
2003-04-23 04:02 . 2008-05-27 20:46 135168 -c--a-w c:\program files\AVIPreview.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9463F473-68C6-456C-B517-3DAE115F420B}]
2009-05-07 12:18 96256 ----a-w c:\windows\system32\avwa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F866A733-5470-418C-B6E0-0B921047E5B1}]
2009-05-07 12:18 96256 ----a-w c:\windows\system32\avwa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-13 04:26 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SrvMod.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SrvMod.lnk
backup=c:\windows\pss\SrvMod.lnkCommon Startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Java Load"=c:\windows\system32\config\systemprofile\Local Settings\Application Data\minisvr4.exe
"HDSPTray2"=hdspmix.exe
"HDSPTray1"=hdsp32.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\twain_32\\L12U16U2\\SrvMod.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Application Data\\minisvr4.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R0 wucfdzmu;wucfdzmu;c:\windows\system32\drivers\wucfdzmu.sys [04/08/2004 03:00 23424]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28/05/2008 10:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 55024]
R2 tuneup.programstatisticssvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [08/04/2009 11:46 603904]
R3 hdsp;RME Hammerfall Audio Device;c:\windows\system32\drivers\hdsp.sys [02/05/2008 17:59 55808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 7408]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}]
c:\windows\system32\nleowkp.exe Restart
.
Contents of the 'Scheduled Tasks' folder
2009-05-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 04:30]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-uiklmnop - c:\windows\system32\nleowkp.exe
HKLM-Run-uiklmnop - c:\windows\system32\nleowkp.exe
SafeBoot-Winkq38.sys
.
Supplementary Scan
.
uStart Page = hxxp://mail.google.com/mail/#
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {79512720-3E68-429F-96CA-C083889ABCB5} = 194.73.106.133,194.74.65.68
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 05:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\a57f6859]
"ImagePath"="\SystemRoot\System32\drivers\a57f6859.sys"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1020)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Other Running Processes
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-05-07 5:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 12:24
ComboFix2.txt 2009-03-24 00:41
ComboFix3.txt 2008-08-03 17:41
Pre-Run: 1,191,784,448 bytes free
Post-Run: 1,179,955,200 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
206 --- E O F --- 2009-03-21 17:160 -
Advertisement
-
hi
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:File::
c:\windows\system32\avwa.dll
c:\windows\system32\drivers\a57f6859.sys
c:\windows\system32\winsetupgl.exe
c:\windows\system32\SelfDel.bat
c:\windows\system32\drivers\wucfdzmu.sys
c:\windows\system32\nleowkp.exe
Folder::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}]
Driver::
wucfdzmu
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.0 -
ComboFix 09-05-07.01 - Administrator 07/05/2009 10:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.353.1033.18.1271.887 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
FILE ::
c:\windows\system32\avwa.dll
c:\windows\system32\drivers\a57f6859.sys
c:\windows\system32\drivers\wucfdzmu.sys
c:\windows\system32\nleowkp.exe
c:\windows\system32\SelfDel.bat
c:\windows\system32\winsetupgl.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\a57f6859.sys
c:\windows\system32\drivers\wucfdzmu.sys
c:\windows\system32\SelfDel.bat
c:\windows\system32\winsetupgl.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_WUCFDZMU
\Service_wucfdzmu
\Service_a57f6859
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.
2009-05-07 13:14 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-07 13:14 . 2009-05-07 13:14
d
w c:\program files\Avira
2009-05-07 13:14 . 2009-05-07 13:14
d
w c:\documents and settings\All Users\Application Data\Avira
2009-05-07 13:02 . 2009-05-07 13:02
d
w c:\documents and settings\All Users\Application Data\Avg8
2009-05-07 13:01 . 2009-05-07 13:01
d
w c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-05-07 01:39 . 2009-05-07 01:40
d
w C:\Rooter$
2009-05-06 13:56 . 2009-05-06 13:56
d
w c:\program files\Java
2009-04-24 05:16 . 2009-04-24 05:16
d
w c:\documents and settings\Administrator\Application Data\MixMeister Technology
2009-04-24 05:15 . 2009-04-24 05:17
d
w c:\program files\MixMeister Fusion
2009-04-21 03:16 . 2009-04-21 03:16
d
w c:\program files\MSN Messenger
2009-04-21 03:07 . 2009-04-21 17:30
d
w c:\windows\SxsCaPendDel
2009-04-08 18:46 . 2009-04-08 18:46 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-08 18:46 . 2008-12-11 20:31 27904 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-08 18:46 . 2009-04-08 18:46 360192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-08 18:46 . 2009-04-08 18:46
d
w c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-04-08 18:45 . 2009-04-08 18:45
d
w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-08 18:45 . 2009-04-08 18:46
d
w c:\program files\TuneUp Utilities 2009
2009-04-08 18:45 . 2009-04-08 18:45
d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 17:25 . 2004-08-04 10:00 23424 ----a-w c:\windows\system32\drivers\qoorfhaq.sys
2009-05-07 13:42 . 2008-05-02 08:22 51696 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 11:53 . 2009-03-02 17:45
d
w c:\program files\Native Instruments
2009-05-06 13:57 . 2009-02-02 21:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-06 13:41 . 2008-07-01 23:03
d
w c:\program files\SUPERAntiSpyware
2009-05-06 13:39 . 2008-05-19 23:23
d
w c:\program files\DEFRAGER
2009-04-28 23:29 . 2008-05-04 18:11
d
w c:\program files\Common Files\Adobe
2009-04-28 23:21 . 2008-05-14 02:21
d
w c:\program files\Common Files\Real
2009-04-28 23:18 . 2008-10-01 21:53
d
w c:\program files\VirtualDJ
2009-04-28 23:17 . 2008-05-09 16:10
d
w c:\program files\MagicISO
2009-04-09 14:12 . 2008-12-11 21:22
d
w c:\program files\Mixed In Key 4
2009-04-08 19:32 . 2008-05-13 17:30
d
w c:\program files\Exact Audio Copy
2009-04-06 19:39 . 2009-04-06 19:18
d
w c:\program files\ASIO4ALL v2
2009-03-28 11:07 . 2009-03-28 11:05
d
w c:\program files\Microsoft Windows OneCare Live
2009-03-24 19:11 . 2008-05-02 19:26
d
w c:\program files\Google
2009-03-22 20:08 . 2009-02-02 13:14
d
w c:\program files\M-Audio
2009-03-22 18:37 . 2009-03-22 18:37
d
w c:\program files\Common Files\Native Instruments
2009-03-22 18:03 . 2009-02-26 21:26
d
w c:\program files\Soulseek old
2009-03-21 20:30 . 2009-03-20 18:20
d
w c:\program files\Microsoft Silverlight
2009-03-20 18:20 . 2009-03-20 18:20
d
w c:\program files\Microsoft Office Outlook Connector
2009-03-20 18:15 . 2009-03-20 18:15
d
w c:\program files\Microsoft
2009-02-09 10:19 . 2004-08-04 10:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-08-07 18:34 . 2008-08-07 18:34 117075 ----a-w c:\program files\PeakLimit.zip
2008-05-20 01:33 . 2008-05-20 01:34 483809 -c--a-w c:\program files\ntregopt-setup.exe
2008-05-02 21:19 . 2008-05-02 21:19 1722880 -c--a-w c:\program files\ZuneDesktopTheme(2).msi
2006-03-20 22:37 . 2008-05-24 09:46 5689344 ----a-w c:\program files\mplayerc.exe
2003-04-23 04:02 . 2008-05-27 20:46 135168 -c--a-w c:\program files\AVIPreview.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-05-07_12.21.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-05-07 17:29 . 2009-05-07 17:29 16384 c:\windows\temp\Perflib_Perfdata_6f0.dat
+ 2008-05-02 20:37 . 2009-02-13 19:50 28376 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-05-07 13:14 . 2009-03-30 17:33 96104 c:\windows\system32\drivers\avipbb.sys
+ 2009-05-07 13:14 . 2009-02-13 19:29 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2009-05-07 13:14 . 2009-02-13 19:17 45416 c:\windows\system32\drivers\avgntdd.sys
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-13 04:26 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SrvMod.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SrvMod.lnk
backup=c:\windows\pss\SrvMod.lnkCommon Startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Java Load"=c:\windows\system32\config\systemprofile\Local Settings\Application Data\minisvr4.exe
"HDSPTray2"=hdspmix.exe
"HDSPTray1"=hdsp32.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\twain_32\\L12U16U2\\SrvMod.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Application Data\\minisvr4.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28/05/2008 10:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 55024]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [07/05/2009 06:14 108289]
R2 tuneup.programstatisticssvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [08/04/2009 11:46 603904]
R3 hdsp;RME Hammerfall Audio Device;c:\windows\system32\drivers\hdsp.sys [02/05/2008 17:59 55808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - WUCFDZMU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2009-05-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 04:30]
.
- - - - ORPHANS REMOVED - - - -
BHO-{9463F473-68C6-456C-B517-3DAE115F420B} - c:\windows\system32\avwa.dll
BHO-{F866A733-5470-418C-B6E0-0B921047E5B1} - c:\windows\system32\avwa.dll
.
Supplementary Scan
.
uStart Page = hxxp://mail.google.com/mail/#
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {79512720-3E68-429F-96CA-C083889ABCB5} = 194.73.106.133,194.74.65.68
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 10:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1064)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Other Running Processes
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-07 10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 17:32
ComboFix2.txt 2009-05-07 12:24
ComboFix3.txt 2009-03-24 00:41
ComboFix4.txt 2008-08-03 17:41
Pre-Run: 1,104,674,816 bytes free
Post-Run: 1,099,321,344 bytes free
226 --- E O F --- 2009-03-21 17:160 -
looking good
Please download OTMoveIt3 by OldTimer- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes explorer.exe :Services :Reg :Files c:\windows\system32\drivers\qoorfhaq.sys :Commands [purity] [emptytemp] [start explorer] [Reboot]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Please download ATF Cleaner by Atribune.-
Double-click
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser-
Click
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser-
Click
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Go to Kaspersky website and perform an online antivirus scan.- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Archives
Mail databases
[*]Once the scan is complete, it will display the results. Click on View Scan Report.
[*]You will see a list of infected items there. Click on Save Report As....
[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.0 -
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. c:\windows\system32\drivers\qoorfhaq.sys scheduled to be moved on reboot.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_0EnAzlRx86fXWegfDldK scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05072009_111424
Files moved on Reboot...
File c:\windows\system32\drivers\qoorfhaq.sys not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_0EnAzlRx86fXWegfDldK not found!
File C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat not found!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i2o7rvd2.default\XUL.mfl moved successfully.0 -
Hi, I Ran ATF Cleaner and in the process of running the Kaspersky scanner, if the last one is anything to go by it will take around 8 hours so it will be tommorow perhaps. in the meantime here is the Malewarebytes log and thanks for your help thus far ive learned a great deal
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2
07/05/2009 11:33:41
mbam-log-2009-05-07 (11-33-41).txt
Scan type: Quick Scan
Objects scanned: 67548
Time elapsed: 3 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)0 -
Advertisement
-
leave kaspersky actually, forgot you had already run it
Download RootRepeal.zip and unzip it to your Desktop.- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
[*]In the next dialog, select all drives showing
[*]Click OK to start the scanNote: The scan can take some time. DO NOT run any other programs while the scan is running[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
To attach a file, do the following:- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
0 -
Hi. I was halfway through the kaspersky scan and it was still showing 20 viruses (didnt show names) just to let you know. heres the new RootRepeal scan. many thanks0
-
looking good, post a new HJT log0
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:04:22, on 07/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O17 - HKLM\System\CCS\Services\Tcpip\..\{79512720-3E68-429F-96CA-C083889ABCB5}: NameServer = 194.73.106.133,194.74.65.68
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (idrivert) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (tuneup.defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (tuneup.programstatisticssvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 5105 bytes0 -
heres also an antvir scan I just done as its my new antivirus and has detected a few while browsing so I decided to do a scan to see. cheers
Avira AntiVir Personal
Report file date: 07 May 2009 15:21
Scanning for 1383188 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 17/04/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 17/04/2009 16:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 04:33:26
ANTIVIR2.VDF : 7.1.3.137 1810944 Bytes 30/04/2009 17:39:20
ANTIVIR3.VDF : 7.1.3.171 164864 Bytes 07/05/2009 17:39:22
Engineversion : 8.2.0.160
AEVDF.DLL : 8.1.1.1 106868 Bytes 07/05/2009 17:39:36
AESCRIPT.DLL : 8.1.1.79 385403 Bytes 07/05/2009 17:39:36
AESCN.DLL : 8.1.1.10 127348 Bytes 07/05/2009 17:39:34
AERDL.DLL : 8.1.1.3 438645 Bytes 30/10/2008 02:24:41
AEPACK.DLL : 8.1.3.14 397685 Bytes 07/05/2009 17:39:34
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 27/02/2009 04:01:56
AEHEUR.DLL : 8.1.0.122 1737080 Bytes 07/05/2009 17:39:32
AEHELP.DLL : 8.1.2.2 119158 Bytes 27/02/2009 04:01:56
AEGEN.DLL : 8.1.1.39 348532 Bytes 07/05/2009 17:39:24
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 22:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 07/05/2009 17:39:23
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 09/02/2009 19:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 18:19:48
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, ,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,
Start of the scan: 07 May 2009 15:21
Starting search for hidden objects.
An ARK library instance is already running.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'BCMSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'MA_CMIDI_Inst.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '55' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\QooBox\Quarantine\C\WINDOWS\system32\ovfsthtjlkrppqdmlqdtfecpkalsxmfynyvvmt.dll.vir
[DETECTION] Is the TR/Tibs.ZA Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\___c00FB010_.dat.zip
[0] Archive type: ZIP
--> __c00FB010.dat
[DETECTION] Is the TR/Vundo.BR.1 Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ovfsthbyfnojdgnuqjunpfbajoghjwsyuaqxpf.sys.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\minisvr4.exe
[DETECTION] Is the TR/Dldr.AutoIt.JK Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\part.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\_OTMoveIt\MovedFiles\03282009_040745\WINDOWS\temp\minisvr4.exe
[DETECTION] Is the TR/Agent.qka Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\Documents and Settings\NetworkService\Application Data\psvrr.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\TraktorDJStudio3.exe
[0] Archive type: RSRC
--> Object
[1] Archive type: CAB (Microsoft)
--> setup.exe
[DETECTION] Is the TR/Agent.xnc Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe
[0] Archive type: RSRC
--> Object
[1] Archive type: CAB (Microsoft)
--> setup.exe
[DETECTION] Is the TR/Agent.xnc Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\dLer.exe
[DETECTION] Is the TR/VB.LKU.3 Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\ftp_non_crp.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nDler2.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nleowkp.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\vfhr.exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\winglsetup.exe
[DETECTION] Is the TR/Drop.Agent.39936 Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\84e94850.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\a57f6859.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
Begin scan in 'D:\' <Local Disc>
Beginning disinfection:
C:\QooBox\Quarantine\C\WINDOWS\system32\ovfsthtjlkrppqdmlqdtfecpkalsxmfynyvvmt.dll.vir
[DETECTION] Is the TR/Tibs.ZA Trojan
[NOTE] The file was moved to '4a696f51.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\___c00FB010_.dat.zip
[NOTE] The file was moved to '4a626f3a.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ovfsthbyfnojdgnuqjunpfbajoghjwsyuaqxpf.sys.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b133c92.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\minisvr4.exe
[DETECTION] Is the TR/Dldr.AutoIt.JK Trojan
[NOTE] The file was moved to '4a716f44.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\part.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
[NOTE] The file was moved to '4a756f3c.qua'!
C:\_OTMoveIt\MovedFiles\03282009_040745\WINDOWS\temp\minisvr4.exe
[DETECTION] Is the TR/Agent.qka Trojan
[NOTE] The file was moved to '4b092b75.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\Documents and Settings\NetworkService\Application Data\psvrr.exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
[NOTE] The file was moved to '4a796f4f.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\TraktorDJStudio3.exe
[NOTE] The file was moved to '4a646f4e.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\Program Files\Native Instruments\Traktor DJ Studio 3\TraktorDJStudio3.exe
[NOTE] The file was moved to '49677b87.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\dLer.exe
[DETECTION] Is the TR/VB.LKU.3 Trojan
[NOTE] The file was moved to '4a686f28.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\ftp_non_crp.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '4a736f50.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nDler2.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a6f6f20.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\nleowkp.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4a686f48.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\vfhr.exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
[NOTE] The file was moved to '4a6b6f42.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\winglsetup.exe
[DETECTION] Is the TR/Drop.Agent.39936 Trojan
[NOTE] The file was moved to '4a716f45.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\zchMiB.exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
[NOTE] The file was moved to '4a6b6f3f.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1ANCXIB\ldr[1].exe
[DETECTION] Contains recognition pattern of the DR/Autoit.O dropper
[NOTE] The file was moved to '4a756f40.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\part[2].exe
[DETECTION] Contains recognition pattern of the SPR/AutoIt.Gen program
[NOTE] The file was moved to '4a756f3d.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7896V\zchMiB[1].exe
[DETECTION] Is the TR/Autoit.GFQ Trojan
[NOTE] The file was moved to '4e437c60.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\84e94850.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a686f11.qua'!
C:\_OTMoveIt\MovedFiles\05072009_045351\WINDOWS\system32\drivers\a57f6859.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a3a6f12.qua'!
End of the scan: 07 May 2009 16:29
Used time: 1:06:29 Hour(s)
The scan has been done completely.
6989 Scanned directories
253396 Files were scanned
21 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
21 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
253372 Files not concerned
1482 Archives were scanned
3 Warnings
23 Notes0 -
Your logs are clean
Follow these steps to uninstall Combofix and tools used in the removal of malware- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
- Download OTCleanIt to your desktop and run it
- Click Yes to beginning the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Below I have included a number of recommendations for how to protect your computer against malware infections.- Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer. - SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
- SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
- Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
- ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
- MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
- Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here
If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.- NoScript - for blocking ads and other potential website attacks
- McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
- Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
- ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
- FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.
- Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
- Please read my guide on how to prevent malware and about safe computing here
0 -
Hi. so everything is clear now? wonderful!! so all those detections on antvir are quarintined and wont reapear elsewhere I take it? I am still getting alternative sites while searching google on firefox. sometimes four-five attempts before I get the webpage I want. still must be something holding on somewhere. I have tried all of the above you mentioned also. great help thanks0
-
must be something still there then
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2- Double-click GooredFix.exe to run it.
- Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
- A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Download RootRepeal.zip and unzip it to your Desktop.- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
[*]In the next dialog, select all drives showing
[*]Click OK to start the scanNote: The scan can take some time. DO NOT run any other programs while the scan is running[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
To attach a file, do the following:- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
0 -
GooredFix v1.92 by jpshortstuff Log created at 02:18 on 09/05/2009 running Option #1 (Administrator) Firefox version 3.0.10 (en-GB) =====Suspect Goored Entries===== C:\Program Files\Mozilla Firefox\extensions\{D1662CC1-6981-4F30-A44B-3E6F4318C995} =====Dumping Registry Values===== [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.10\extensions] "Plugins"="C:\Program Files\Mozilla Firefox\plugins" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.10\extensions] "Components"="C:\Program Files\Mozilla Firefox\components"0
-
many thanks0
-
Advertisement
-
this should fix it
Please double-click GooredFix.exe on your Desktop to run it.- Select "2. Fix Goored" by typing 2 and pressing Enter.
- Make sure all instances of Firefox are closed at this point.
- Type y at the prompt and press Enter again.
- A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
then tell me how the pc is running0 -
Hi. sorry I havent gotten back sooner. I said id give it a day or so of browsing and see if It happened again. well it hasnt and all seems fine after doing what you mentioned above. I am absolutely delighted. Pc is really quick also. the best its been in a long long. Id just like to say thanks very much you're an asset on here and have been a wonderful help and ive learned alot. I think if I got riddled again id probably be able to do it myself .0
Advertisement