Hi,

Please do the following:

Go to task manager (Ctrl + Alt + Del) > Processes tab and locate the following processes:

Advanced Virus Remover
PAVRM.exe
b.exe
AntipPro2009_100
svchasts.exe

If they are there > End Process

Then run the following program:

Note you may need to run this program in safe mode or rename it to REMG.com

Please download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
• Save it where you can easily find it, such as your desktop, and put it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

 

Hi, first off thankyou so much for helping me. I downloaded the program and its scanning right now, i just want to make sure im doing it right. I unchecked Sections. IAT/EAT, and Show all, but im confused on the driver part. I left Drive C checked, was i suppose todo this? Because its been scanning for a long time, thanka again for your help.

 

Hi,

That's fine.

It can take a long time to scan, please let it finish and attach the log if it is too large

 

Hi, the other day like i said, i started the root kit scanner but it was so long and i had to shut off my computer. Now im trying to get it started again and it keeps on coming up with the message "C:\DOCUME~1\Crisa\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe Application not found

i have unzipped the program and it worked the other day but now its not working, what can i do?

thankyou so much, Tia

 

Hi,

Please do the following:


Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------

• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------​

• Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
  **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  
  
  
  -----------------------------------------------------------​
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------​

NOTE:If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

 

ok i renamed it before i saved it and now everything on my desktop that i click on to try and run a box comes up that says "choose the program you want to use to open this file" Do you know any way to get around this? Thankyou, once again

 

Please download exe_fix and save it to your desktop

Double click on exe_fix.com to run it

Type the number 1 at the prompt and allow the tool to run

 

OK i did what you said, and ran combofix. this is the log it came up with. is there anything else i have to do or did it remove the viruses?


ComboFix 09-09-11.01 - Crisa 09/10/2009 21:30.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.192 [GMT -4:00]
Running from: c:\documents and settings\Crisa\Desktop\bubs.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ulejy.inf
c:\documents and settings\All Users\Application Data\ywit.inf
c:\documents and settings\All Users\Documents\duvy.dl
c:\documents and settings\All Users\Documents\enegodihen.scr
c:\documents and settings\All Users\Documents\tivugiha.scr
c:\documents and settings\All Users\Documents\tydonoc.pif
c:\documents and settings\All Users\Documents\uzys.com
c:\documents and settings\Crisa\Application Data\gadcom
c:\documents and settings\Crisa\Application Data\jehepyxi.dl
c:\documents and settings\Crisa\Application Data\uteqav.dll
c:\documents and settings\Crisa\Application Data\wuzawec.lib
c:\documents and settings\Crisa\Cookies\cogenejita.reg
c:\documents and settings\Crisa\Cookies\efefiqyz.ban
c:\documents and settings\Crisa\Cookies\kiny.pif
c:\documents and settings\Crisa\Cookies\safydyceb.sys
c:\documents and settings\Crisa\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Crisa\Local Settings\Application Data\ydaga._dl
c:\documents and settings\Crisa\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Crisa\Temporary Internet Files\nacamigol.bat
c:\documents and settings\Crisa\Temporary Internet Files\neped.dl
c:\documents and settings\Crisa\Temporary Internet Files\suqufaw.com
c:\documents and settings\Crisa\Temporary Internet Files\yfojixal.dll
c:\documents and settings\Crisa\Temporary Internet Files\zehopi.com
c:\documents and settings\NetworkService\Application Data\NetMon
c:\documents and settings\NetworkService\Application Data\NetMon\domains.txt
c:\documents and settings\NetworkService\Application Data\NetMon\log.txt
c:\program files\AdvancedVirusRemover
c:\program files\Microsoft Common
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Fonts\'
c:\windows\Fonts\a.zip
c:\windows\gypicyz.reg
c:\windows\Installer\WMEncoder.msi
c:\windows\jiza.ban
c:\windows\kb913800.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\ddDEsot.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\ewawovilo.bin
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\L5
c:\windows\system32\sonhelp.htm
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\tmp.reg
c:\windows\system32\umory.sys
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\Tasks\tokpeylf.job
c:\windows\UA000035.DLL
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_icf
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-10 00:29 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 05:00 . 2009-09-06 23:30 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-06 01:54 . 2009-09-06 01:54 12302 ----a-w- c:\windows\mynyhydi.dat
2009-09-06 01:54 . 2009-09-06 01:54 11528 ----a-w- c:\program files\Common Files\vosovy.dat
2009-09-06 01:53 . 2009-09-06 01:57 -------- d-----w- c:\program files\AntivirusPro_2010
2009-09-05 04:36 . 2009-09-05 04:36 705 ----a-w- C:\qhxok.exe
2009-09-05 04:36 . 2009-09-05 04:36 705 ----a-w- C:\dfvwhr.exe
2009-09-05 04:36 . 2009-09-05 04:36 705 ----a-w- C:\lrcov.exe
2009-09-05 04:36 . 2009-09-05 04:36 156672 ----a-w- C:\nehlceu.exe
2009-09-05 04:35 . 2009-09-05 04:35 82944 ----a-w- C:\fyvvqhcu.exe
2009-08-19 02:54 . 2009-08-19 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-19 01:20 . 2009-08-19 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-08-19 01:18 . 2009-08-19 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-14 17:01 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 10:09 . 2008-12-30 14:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-05 14:48 . 2009-01-04 01:02 -------- d-----w- c:\program files\LimeWire
2009-08-19 03:44 . 2008-01-19 03:27 -------- d-----w- c:\program files\CASIO
2009-08-19 03:44 . 2006-09-12 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-19 03:43 . 2007-01-21 03:38 -------- d-----w- c:\program files\Google
2009-08-19 03:41 . 2008-03-09 17:48 -------- d-----w- c:\documents and settings\Crisa\Application Data\Any DVD Converter Professional
2009-08-19 03:40 . 2009-07-07 22:05 -------- d-----w- c:\documents and settings\Crisa\Application Data\uTorrent
2009-08-17 05:21 . 2006-12-30 03:38 8950 ----a-w- c:\documents and settings\Crisa\Application Data\wklnhst.dat
2009-08-16 03:26 . 2006-12-30 14:38 90224 ----a-w- c:\documents and settings\Crisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2006-03-16 04:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 17:48 . 2007-05-06 02:11 -------- d-----w- c:\program files\AIM6
2009-08-02 17:47 . 2009-08-02 17:47 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-08-02 17:46 . 2007-05-06 02:11 -------- d-----w- c:\program files\Viewpoint
2009-08-02 17:46 . 2006-12-30 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-21 19:32 . 2008-06-11 18:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-17 19:01 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2006-03-16 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-16 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2005-10-18 05:14 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-17 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=xgusb.cpl
"midi2"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8bixx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MRI_DISABLED]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MRI_DISABLED\ati8bixx]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1167452568\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/29/2008 9:19 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/29/2008 9:14 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/29/2008 9:19 PM 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/2/2009 1:46 PM 24652]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2/16/2007 8:06 PM 966784]
S2 gupdate1c9fa02c52b18e9;Google Update Service (gupdate1c9fa02c52b18e9);c:\program files\Google\Update\GoogleUpdate.exe [7/1/2009 12:16 AM 133104]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S4 ati8bixx;ati8bixx;c:\windows\system32\Drivers\ati8bixx.sys --> c:\windows\system32\Drivers\ati8bixx.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-01 04:16]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-01 04:16]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\Crisa\Application Data\Mozilla\Firefox\Profiles\qsq8qcdp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=13920&l=dis
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 21:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????f??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,a1,66,6e,6f,9d,
eb,d8,59,e2,63,26,f1,3f,c8,ff,68,67,b5,44,65,7b,4d,83,a2,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,6f,bb,9b,80,bb,
67,c2,9d,6a,9c,d6,61,af,45,84,18,95,0a,b6,2d,99,7d,1a,29,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,57,e5,f5,01,2f,
74,29,3a,ff,7c,85,e0,43,d4,0e,fe,64,ae,b4,8e,95,fe,4d,e9,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,bc,c8,b8,1f,a8,
1e,46,a6,86,8c,21,01,be,91,eb,e7,4f,e7,67,95,21,10,70,96,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,7e,ec,50,13,6a,
65,e6,06,f5,1d,4d,73,a8,13,5c,05,82,2e,05,ad,9a,69,1a,e9,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,dd,9f,3e,ec,c5,
4f,44,13,df,20,58,62,78,6b,cf,c8,e9,3e,ee,ef,6d,16,ea,d2,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,27,34,3c,5a,5a,
46,f7,c4,fb,a7,78,e6,12,2f,9a,ea,51,2e,d1,d8,b8,f5,a3,2c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,bb,d9,50,fe,92,
b9,3f,ad,01,3a,48,fc,e8,04,4a,f1,c5,cb,e8,6b,8f,d4,cf,44,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,c2,06,b7,74,18,
2b,ad,0d,f6,0f,4e,58,98,5b,89,c9,23,ee,01,fa,77,87,64,62,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,7f,a4,90,b3,b3,
0a,93,74,3d,ce,ea,26,2d,45,aa,78,76,eb,9f,98,de,3d,45,c3,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,95,bc,f0,d0,bf,
d5,c7,2a,2a,b7,cc,b5,b9,7f,41,e7,5a,63,9b,86,b9,85,c0,55,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,15,34,ae,e0,b0,
0e,aa,dd,6c,43,2d,1e,aa,22,2f,9c,16,23,f4,21,c7,ac,a4,9d,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\msv1_0.dll

- - - - - - - > 'explorer.exe'(5600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-11 21:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 01:58

Pre-Run: 6,266,933,248 bytes free
Post-Run: 7,544,537,088 bytes free

385 --- E O F --- 2009-09-10 02:55

 

Hi,

Please do the following:

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.techsupportforum.com/f284/windows-police-pro-virus-please-help-me-412025.html#post2339058

Collect::
c:\windows\mynyhydi.dat
c:\program files\Common Files\vosovy.dat
C:\qhxok.exe
C:\dfvwhr.exe
C:\lrcov.exe
C:\nehlceu.exe
C:\fyvvqhcu.exe

Folder::
c:\program files\AntivirusPro_2010

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

NEXT



Please download Malwarebytes' Anti-Malware

• Double Click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

In your next reply please include

• ComboFix Log
• MBAM Log
• Kaspersky report

 

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/sec...-log-help/305963-new-instructions-read-before-posting-malware-removal-help.html