.exe duplicate

This is a discussion on .exe duplicate within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 05-25-2010, 02:49 AM   #1
Registered Member
 
Join Date: Jun 2009
Posts: 26
OS: Windows Vista



Hi guys,

I'm using a Compaq laptop with Windows Vista Basic OS. My comp got infected with some sort of trojan, I guess. It keeps duplicating all my folders with .exe extensions of itself and has disabled Task Manager. I have partitions, and within those partitions it creates these two folders:
1.) new folder.exe (539kb)
2.) system_3.exe (539kb)

I was using NOD32 anti-virus but it couldn't clean it. I've uninstalled it because it was a cracked one with unlimited updates. Stupid of me to have used it in the first place. But I think the virus got in through a flash drive.

Anyway, could you help me get rid of it? Attached are the ark.txt and attach.txt, and below is the DDS.

_________________________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by jblxXx at 20:11:32.88 on Tue 25/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.1978.990 [GMT 12:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WordWeb\wweb32.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\jblxXx\Desktop\system3_.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Users\jblxXx\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\jblxXx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_fj&c=83&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: Taskman=c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe
uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\users\jblxxx\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [Yahoo Messengger] c:\users\jblxxx\desktop\system3_.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&ie=ISO-8859-1&q=&sa=Search
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\microsoft silverlight\npctrl.1.0.20926.0.dll
FF - plugin: c:\users\jblxxx\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-2 361808]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-3-13 24576]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-2 193840]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-5 113664]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2006-11-2 9216]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

=============== Created Last 30 ================

2010-05-16 23:24:42 0 ----a-w- C:\MsMxEng
2010-05-16 22:14:01 77824 ----a-w- c:\windows\system32\FLKill.exe
2010-05-16 22:14:01 380928 ----a-w- c:\windows\system32\vaultskn.ocx
2010-05-16 22:14:01 20992 ----a-w- c:\windows\system32\hhopen.ocx
2010-05-16 22:14:01 110592 ----a-w- c:\windows\system32\suppdll.dll
2010-05-16 22:14:00 35363 ----a-w- c:\windows\system32\windrvNT.sys
2010-05-16 22:13:56 0 d-----w- c:\program files\Folder Lock
2010-05-16 21:28:42 632 --sha-r- c:\users\jblxxx\ntuser.pol
2010-05-15 23:45:50 0 d-----w- c:\programdata\PlayFirst
2010-05-12 04:09:54 0 d-----w- c:\program files\Microsoft Web Designer Tools
2010-05-12 01:49:06 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-08 07:42:21 0 d-----w- c:\programdata\Steam
2010-05-08 07:42:18 0 d-----w- c:\programdata\PopCap Games
2010-05-08 06:30:18 0 d-----w- c:\users\jblxxx\appdata\roaming\funkitron
2010-04-29 08:13:27 65536 --sha-w- c:\users\jblxxx\ntuser.dat{d8932e6c-6a6f-11db-b6ab-a038f15a5785}.TxR.blf
2010-04-29 08:13:27 1048576 --sha-w- c:\users\jblxxx\ntuser.dat{d8932e6c-6a6f-11db-b6ab-a038f15a5785}.TxR.2.regtrans-ms
2010-04-29 08:13:27 1048576 --sha-w- c:\users\jblxxx\ntuser.dat{d8932e6c-6a6f-11db-b6ab-a038f15a5785}.TxR.1.regtrans-ms
2010-04-29 08:13:27 1048576 --sha-w- c:\users\jblxxx\ntuser.dat{d8932e6c-6a6f-11db-b6ab-a038f15a5785}.TxR.0.regtrans-ms
2010-04-27 21:37:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-27 02:14:53 1908 ----a-w- c:\windows\diagwrn.xml
2010-04-27 02:14:53 1908 ----a-w- c:\windows\diagerr.xml
2010-04-26 22:43:54 835 ----a-w- c:\windows\ARPR.INI
2010-04-26 22:43:41 0 d-----w- c:\program files\ElcomSoft

==================== Find3M ====================

2010-05-11 23:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-01 02:54:10 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-18 23:17:39 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-05 20:18:55 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-05 20:18:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-05 20:18:55 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-05 20:18:55 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-05 20:18:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-04 20:43:47 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-03-12 05:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 08:12:22 729088 ----a-w- c:\windows\iun6002.exe
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-08-01 22:13:24 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:13:09.86 ===============
Attached files: Attach.txt (10.2 KB), ark.txt (10.9 KB)
Ben Lutua
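The persistence visible in the DDS log above (the Winlogon Shell and Taskman values pointing into c:\recycler, and a Run entry called "Yahoo Messengger" that actually starts system3_.exe from the Desktop) is the kind of thing worth checking mechanically before reading the rest of the log. The script below is an added example for this thread, not part of the original post and not a DDS feature; it recognises only the three line shapes seen in the posted log (Winlogon Shell=, Winlogon Taskman=, and uRun/mRun entries), and the list of "suspicious" directories is an assumption chosen so that per-user installers such as Google Update in AppData\Local are not flagged. The sample lines are copied from the log in the post.

```python
"""Triage the 'Pseudo HJT Report' block of a DDS log for autostart hijacks.

Added example for this thread, not part of the original post or of DDS.
Recognises only the line shapes visible in the posted log:
  [um]Winlogon: Shell=...   [um]Winlogon: Taskman=...   [um]Run: [Name] command
Everything else is ignored.
"""
import re
from dataclasses import dataclass

# Locations an autostart binary should not normally be launched from.
# Heuristic list (assumption); deliberately narrower than all of AppData,
# because legitimate per-user installers (Google Update, Chrome) live there.
SUSPICIOUS_DIRS = (
    r"\\recycler\\",
    r"\\\$recycle\.bin\\",
    r"\\users\\[^\\]+\\desktop\\",
    r"\\appdata\\local\\temp\\",
    r"\\windows\\temp\\",
)
_SUSPICIOUS_DIR_RE = re.compile("|".join(SUSPICIOUS_DIRS), re.IGNORECASE)
_WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(?P<value>\w+)=(?P<data>.*)$")
_RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First executable in a command line, quoted or not (unquoted paths may contain spaces).
_EXE_RE = re.compile(r'^\s*"?(?P<exe>[^"]*?\.(?:exe|scr|com|bat|cmd|pif))"?', re.IGNORECASE)

# Lines taken from the DDS log posted above (first scan).
SAMPLE_LINES = [
    r"uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe",
    r"mWinlogon: Taskman=c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe",
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r'uRun: [Google Update] "c:\users\jblxxx\appdata\local\google\update\GoogleUpdate.exe" /c',
    r"uRun: [Yahoo Messengger] c:\users\jblxxx\desktop\system3_.exe",
    r"mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r'mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice',
]


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def executable_of(command: str) -> str:
    """Return the executable part of a Run command line."""
    m = _EXE_RE.match(command)
    return m.group("exe") if m else command.strip().split(" ", 1)[0]


def triage(lines):
    """Return a Finding for every line that matches a known hijack pattern."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _WINLOGON_RE.match(line)
        if m:
            value, data = m.group("value").lower(), m.group("data")
            if value == "shell":
                # Winlogon\Shell is a comma-separated list; the worm appends itself
                # after explorer.exe so it is started at every logon.
                parts = [p.strip() for p in data.split(",") if p.strip()]
                if [p.lower() for p in parts] != ["explorer.exe"]:
                    extra = ", ".join(parts[1:]) or data
                    findings.append(Finding(line, "Winlogon Shell is not plain explorer.exe; extra: " + extra))
            elif value == "taskman":
                # Taskman is absent on a clean install; setting it replaces Task Manager.
                findings.append(Finding(line, "Winlogon Taskman is set, Task Manager replaced by " + data))
            continue
        m = _RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if _SUSPICIOUS_DIR_RE.search(exe):
                findings.append(Finding(line, f"Run entry [{m.group('name')}] launches from a user-writable location: {exe}"))
    return findings


def triage_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f.reason)
        print("    " + f.line)
```

Run it against the whole "Pseudo HJT Report" section of a dds.txt and it flags exactly the three entries above while leaving the HP, Synaptics, Google and ESET entries alone. Note what it does not catch: the name/path mismatch ("Yahoo Messengger" starting a file called system3_.exe) is only flagged because of the Desktop location, so a copy dropped into Program Files would pass this check.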
 
Old 06-09-2010, 06:27 PM   #2
Registered Member
 
Join Date: Jun 2009
Posts: 26
OS: Windows Vista



Okay, I was able to get back Task Manager by following some steps in other posts. I was able to delete all instances of the virus without using any anti-virus. It took me a while, but I had to do it because I didn't want to click on another .exe infected folder.

But I'm sure this hasn't solved the problem! Help would be much appreciated.

Thanks
Ben Lutua
Old 06-12-2010, 08:35 AM   #3
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello Ben,

I can't help you out without seeing what remains.

Please run a new scan with dds.scr and post a fresh dds.txt.

Also, I'll need to know what steps you followed from other threads.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
 
Old 06-13-2010, 04:28 PM   #4
Registered Member
 
Join Date: Jun 2009
Posts: 26
OS: Windows Vista



Steps:
I went to System Configuration and then Startup, went through the startup programs and noticed a Yahoo Messenger application (I don't use Yahoo). I checked the command location and it was the system3_.exe folder that was created on my desktop.

I disabled it and restarted, then tried Task Manager again. Got through. Before this, I tried deleting the system3_.exe folder and I couldn't. But after I got back Task Manager I was able to delete it and all other .exe folders on my drives. This I did manually.



DDS (Ver_10-03-17.01) - NTFSx86
Run by jblxXx at 9:57:08.71 on Mon 14/06/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.1978.910 [GMT 12:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WordWeb\wweb32.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\jblxXx\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\jblxXx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jblxXx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\jblxXx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_fj&c=83&bd=Presario&pf=cnnb
mURLSearchHooks: H - No File
uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\users\jblxxx\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [Registry Cleaner Scheduler] "c:\program files\cleanmypc\registry cleaner\RCHelper.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {FCB04CC6-EBBD-41DE-BD9A-E971953D519F} = 202.170.36.72 202.170.36.73
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&ie=ISO-8859-1&q=&sa=Search
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\microsoft silverlight\npctrl.1.0.20926.0.dll
FF - plugin: c:\users\jblxxx\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\jblxxx\appdata\roaming\mozilla\firefox\profiles\4mtemwwt.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-2 361808]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-3-13 24576]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-2 193840]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-5 113664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

=============== Created Last 30 ================

2010-06-10 02:49:47 0 d-----w- c:\program files\common files\Akamai
2010-06-10 00:18:39 0 d-----w- c:\programdata\NOS
2010-06-09 04:49:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 04:49:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-06-09 04:48:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-09 04:48:59 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-09 04:48:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-09 04:48:58 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-06-09 04:00:11 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 04:00:08 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-09 04:00:07 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 02:01:27 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 06:27:11 0 d-----w- c:\users\jblxxx\appdata\roaming\FDRLab
2010-06-08 02:00:22 0 d---a-w- c:\programdata\TEMP
2010-06-08 02:00:22 0 d-----w- c:\users\jblxxx\appdata\roaming\CleanMyPC Software
2010-06-08 02:00:00 0 d-----w- c:\program files\CleanMyPC
2010-06-03 21:02:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-28 01:45:59 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-16 23:24:42 0 ----a-w- C:\MsMxEng
2010-05-16 22:14:01 77824 ----a-w- c:\windows\system32\FLKill.exe
2010-05-16 22:14:01 380928 ----a-w- c:\windows\system32\vaultskn.ocx
2010-05-16 22:14:01 20992 ----a-w- c:\windows\system32\hhopen.ocx
2010-05-16 22:14:01 110592 ----a-w- c:\windows\system32\suppdll.dll
2010-05-16 22:14:00 35363 ----a-w- c:\windows\system32\windrvNT.sys
2010-05-16 22:13:56 0 d-----w- c:\program files\Folder Lock
2010-05-16 21:28:42 632 --sha-r- c:\users\jblxxx\ntuser.pol
2010-05-15 23:45:50 0 d-----w- c:\programdata\PlayFirst

==================== Find3M ====================

2010-06-11 00:25:23 88 --sh--r- c:\programdata\15D15BEB78.sys
2010-06-11 00:25:23 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-05-21 02:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-27 21:37:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-18 23:17:39 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-05 20:18:55 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-05 20:18:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-05 20:18:55 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-05 20:18:55 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-04 20:43:47 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-03-11 21:45:31 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-08-01 22:13:24 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:58:40.54 ===============
Attached files: Attach.txt (11.3 KB)
Ben Lutua
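The manual clean-up described in this post (disable the startup entry, then hunt down every folder-named .exe by hand) is exactly the step a small script should do for you, because it is easy to miss one on a drive with many folders and the worm also leaves an autorun.inf in each drive root so a flash drive re-infects the next machine. The following is an added example for this thread, not part of the original post or of any tool mentioned in it: it walks a tree, reports every executable whose name matches a sibling folder, groups those hits by exact file size (one worm body copied everywhere means every copy is the same size, as the 539 KB pairs in the first post show), and reports an autorun.inf in the scanned root. The set of extensions treated as clones is an assumption, and demo() builds a constructed fixture in a temporary directory so the script runs anywhere.

```python
"""Look for the worm's on-disk footprint described in the thread: an .exe named
after a folder sitting beside that folder, duplicated with the same size across
the tree, plus an autorun.inf in the drive root. Added example, not part of the
original post; the fixture built by demo() is constructed data.
"""
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass, field

CLONE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}  # assumption: extensions treated as clones


@dataclass
class ScanResult:
    folder_clones: list = field(default_factory=list)  # files named like a sibling folder
    autorun_files: list = field(default_factory=list)  # autorun.inf found in the scanned root
    size_groups: dict = field(default_factory=dict)    # size -> clones that share it exactly


def scan(root: str) -> ScanResult:
    result = ScanResult()
    # autorun.inf in the root is what makes a flash drive re-infect the next PC.
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            result.autorun_files.append(path)
    for dirpath, dirnames, filenames in os.walk(root):
        # The real folders are usually marked hidden; os.walk still lists them.
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in CLONE_EXTENSIONS and stem.lower() in folders:
                result.folder_clones.append(os.path.join(dirpath, name))
    by_size = defaultdict(list)
    for path in result.folder_clones:
        by_size[os.path.getsize(path)].append(path)
    # One worm body copied everywhere => every clone has exactly the same size.
    result.size_groups = {s: p for s, p in by_size.items() if len(p) > 1}
    return result


def build_fixture(root: str) -> None:
    """Constructed tree mimicking the infection (539-byte stand-in for the 539 KB body)."""
    body = b"MZ" + b"\x00" * 537
    for folder in ("Photos", "Work", os.path.join("Work", "Drafts")):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder + ".exe"), "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, "Work", "report.docx"), "wb") as fh:
        fh.write(b"not a clone")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:  # no sibling folder: not a clone
        fh.write(b"MZ" + b"\x00" * 98)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=Photos.exe\n")


def demo() -> ScanResult:
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)


if __name__ == "__main__":
    r = demo()
    for size, paths in r.size_groups.items():
        print(f"{len(paths)} clones of {size} bytes:")
        for p in paths:
            print("    " + p)
    for p in r.autorun_files:
        print("autorun.inf: " + p)
```

On the affected machine you would call scan() on each drive root (C:\, D:\, E:\, F:\) and on the flash drive. The caveat, which this thread illustrates well, is that deleting the clones and the autorun.inf only removes copies: while the Winlogon Shell value still launches MsMxEng.exe from c:\recycler at every logon, the files come back, which is why the second DDS log still shows the hijack after the manual deletion.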
Old 06-13-2010, 10:35 PM   #5
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Thank you. :)

You are still infected. Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 06-14-2010, 04:18 AM   #6
Registered Member
 
Join Date: Jun 2009
Posts: 26
OS: Windows Vista



Okay Ried,

I've attached the file.

ComboFix 10-06-13.01 - jblxXx 14/06/2010 21:14:40.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.1978.1126 [GMT 12:00]
Running from: c:\users\jblxXx\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe
E:\Autorun.inf
F:\Autorun.inf
D:\autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-14 09:23 . 2010-06-14 09:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-14 09:23 . 2010-06-14 09:23 -------- d-----w- c:\users\Others\AppData\Local\temp
2010-06-14 09:23 . 2010-06-14 09:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-14 09:23 . 2010-06-14 09:23 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-06-10 02:49 . 2010-06-10 02:49 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-10 00:18 . 2010-06-10 00:18 -------- d-----w- c:\programdata\NOS
2010-06-10 00:18 . 2010-06-10 00:18 -------- d-----w- c:\program files\NOS
2010-06-09 23:05 . 2010-06-09 23:05 -------- d-----w- c:\users\Others\AppData\Local\Mozilla
2010-06-09 04:49 . 2010-05-04 05:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 04:48 . 2010-05-04 05:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-09 04:48 . 2010-05-04 04:31 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-09 04:48 . 2010-05-04 05:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-09 04:00 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 04:00 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-09 04:00 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 02:01 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 06:27 . 2010-06-08 06:27 -------- d-----w- c:\users\jblxXx\AppData\Roaming\FDRLab
2010-06-08 02:00 . 2010-06-08 02:00 -------- d-----w- c:\users\jblxXx\AppData\Roaming\CleanMyPC Software
2010-06-08 02:00 . 2010-06-08 02:00 -------- d-----w- c:\program files\CleanMyPC
2010-06-06 03:48 . 2010-06-06 03:48 -------- d-----w- c:\users\Others\AppData\Roaming\ESTSoft
2010-05-28 01:45 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-27 03:05 . 2010-05-29 04:25 5972 ----a-w- c:\users\Others\AppData\Local\d3d9caps.dat
2010-05-24 01:44 . 2010-05-24 01:44 -------- d-----w- c:\users\Others\AppData\Roaming\CyberLink
2010-05-24 01:44 . 2010-06-09 23:14 -------- d-----w- c:\users\Others\AppData\Local\QuickPlay
2010-05-16 22:14 . 2007-02-07 07:50 77824 ----a-w- c:\windows\system32\FLKill.exe
2010-05-16 22:14 . 2004-05-10 00:42 110592 ----a-w- c:\windows\system32\suppdll.dll
2010-05-16 22:14 . 2010-05-16 22:14 35363 ----a-w- c:\windows\system32\windrvNT.sys
2010-05-16 22:13 . 2010-05-16 22:14 -------- d-----w- c:\program files\Folder Lock
2010-05-16 21:55 . 2010-05-16 21:55 113848 ----a-w- c:\users\Others\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-15 23:45 . 2010-05-15 23:45 -------- d-----w- c:\programdata\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 05:50 . 2008-08-02 01:45 -------- d-----w- c:\program files\Java
2010-06-11 00:25 . 2010-02-10 22:01 88 --sh--r- c:\programdata\15D15BEB78.sys
2010-06-11 00:25 . 2010-02-10 22:01 88 --sh--r- c:\programdata\15D15BEB78.sys
2010-06-11 00:25 . 2010-02-10 22:01 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-11 00:25 . 2010-02-10 22:01 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-10 04:07 . 2010-02-08 08:27 -------- d-----w- c:\program files\Youtube Downloader HD
2010-06-09 23:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 10:20 . 2008-08-02 00:07 -------- d-----w- c:\programdata\WildTangent
2010-06-08 04:16 . 2010-05-12 04:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-07 08:32 . 2010-04-08 00:38 5972 ----a-w- c:\users\jblxXx\AppData\Local\d3d9caps.dat
2010-06-03 21:02 . 2010-06-03 21:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-26 02:24 . 2010-06-10 03:52 18488 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-05-25 08:07 . 2010-02-17 23:15 -------- d-----w- c:\users\jblxXx\AppData\Roaming\uTorrent
2010-05-21 02:14 . 2010-02-17 06:22 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-16 23:58 . 2006-11-02 12:35 -------- d-----w- c:\program files\Microsoft Games
2010-05-16 21:54 . 2010-05-16 21:54 -------- d-----w- c:\users\Others\AppData\Roaming\Vodafone
2010-05-15 23:55 . 2010-02-16 08:16 -------- d-----w- c:\users\jblxXx\AppData\Roaming\PlayFirst
2010-05-12 21:00 . 2010-02-04 07:35 -------- d-----w- c:\program files\Common Files\Nero
2010-05-12 10:25 . 2010-04-06 23:41 -------- d-----w- c:\users\jblxXx\AppData\Roaming\SlimBrowser
2010-05-12 10:24 . 2010-02-04 07:33 -------- d-----w- c:\program files\Common Files\Ahead
2010-05-12 04:28 . 2010-05-12 04:16 234080 ----a-w- c:\programdata\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll
2010-05-12 04:26 . 2008-08-02 00:37 -------- d-----w- c:\program files\Microsoft SQL Server
2010-05-12 04:18 . 2008-08-02 00:33 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 04:17 . 2010-05-12 04:10 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-05-12 04:13 . 2010-05-12 04:13 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-05-12 04:09 . 2010-05-12 04:09 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-05-12 04:07 . 2010-05-12 04:07 -------- d-----w- c:\program files\Microsoft SDKs
2010-05-08 08:19 . 2010-05-08 07:42 -------- d-----w- c:\programdata\PopCap Games
2010-05-08 07:42 . 2010-05-08 07:42 -------- d-----w- c:\programdata\Steam
2010-05-08 06:30 . 2010-05-08 06:30 -------- d-----w- c:\users\jblxXx\AppData\Roaming\funkitron
2010-05-02 22:32 . 2010-02-04 03:30 -------- d-----w- c:\programdata\CyberLink
2010-05-02 12:20 . 2010-05-02 12:20 1925088 ----a-w- c:\users\jblxXx\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-05-02 08:03 . 2010-03-19 07:21 -------- d-----w- c:\program files\Vodafone
2010-04-27 21:37 . 2010-04-27 21:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-26 22:47 . 2010-04-26 22:43 -------- d-----w- c:\program files\ElcomSoft
2010-04-26 10:55 . 2010-02-03 07:55 113848 ----a-w- c:\users\jblxXx\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-20 21:11 . 2010-04-20 21:11 -------- d-----w- c:\program files\ESET
2010-04-18 23:17 . 2010-04-18 23:17 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-16 21:23 . 2010-04-16 21:21 -------- d-----w- c:\users\jblxXx\AppData\Roaming\Audacity
2010-04-15 20:25 . 2010-04-15 20:25 -------- d-----w- c:\program files\Recuva
2010-04-15 05:49 . 2010-06-10 03:52 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-08 03:48 . 2010-06-10 03:52 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-06 23:36 . 2010-04-06 23:36 0 ----a-w- c:\windows\nsreg.dat
2010-04-06 04:52 . 2010-06-10 03:52 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-04-05 20:18 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-28 20:53 . 2010-06-10 00:18 32576 ----a-w- c:\users\jblxXx\AppData\Roaming\Mozilla\Firefox\Profiles\4mtemwwt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-28 20:53 . 2010-06-10 00:18 29984 ----a-w- c:\users\jblxXx\AppData\Roaming\Mozilla\Firefox\Profiles\4mtemwwt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2008-08-01 22:13 . 2008-08-01 22:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="c:\users\jblxXx\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-20 136176]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 49664]
"Registry Cleaner Scheduler"="c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2009-08-01 1401096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-12 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-24 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-03-13 2060288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-18 2029640]

c:\users\Others\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2009-2-14 337264]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2005-12-09 06:30 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):20,3b,87,c9,39,d4,ca,01

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-18 721904]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-18 731840]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-03-13 24576]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-04 113664]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1542645392-1324768224-174245433-1003Core.job
- c:\users\jblxXx\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-20 05:18]

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1542645392-1324768224-174245433-1003UA.job
- c:\users\jblxXx\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-20 05:18]

2010-06-10 c:\windows\Tasks\HPCeeScheduleForjblxXx.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-01 22:14]

2010-06-14 c:\windows\Tasks\User_Feed_Synchronization-{779663F3-4626-4E3E-A218-D1737BD5899E}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]

2010-06-14 c:\windows\Tasks\User_Feed_Synchronization-{7A1DFD42-CA85-4ED5-BE56-46947FC1CAE9}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_fj&c=83&bd=Presario&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: {FCB04CC6-EBBD-41DE-BD9A-E971953D519F} = 202.170.36.72 202.170.36.73
FF - ProfilePath - c:\users\jblxXx\AppData\Roaming\Mozilla\Firefox\Profiles\4mtemwwt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&ie=ISO-8859-1&q=&sa=Search
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\jblxXx\AppData\Roaming\Mozilla\Firefox\Profiles\4mtemwwt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\jblxXx\AppData\Roaming\Mozilla\Firefox\Profiles\4mtemwwt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Microsoft Silverlight\npctrl.1.0.20926.0.dll
FF - plugin: c:\users\jblxXx\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\jblxXx\AppData\Roaming\Mozilla\Firefox\Profiles\4mtemwwt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Yahoo Messengger - c:\users\jblxXx\Desktop\system3_.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-14 21:32:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-14 09:32
ComboFix2.txt 2010-04-20 20:33

Pre-Run: 9,976,782,848 bytes free
Post-Run: 10,014,310,400 bytes free

- - End Of File - - 457CEDC540F77CAF6D1A70E2FE319AFD
Attached file: ComboFix.txt (18.5 KB)
Old 06-14-2010, 10:05 AM   #7
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Good, ComboFix took care of the entry point. Since you worked so hard on your own to remedy this, fyi - this was the loading point:

uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe
Quote:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe
What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
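A defender's check for the loading point Ried points out above (a second entry appended to the Winlogon `Shell` value, and a per-user `Shell` value that should not exist at all), as an added Python example that is not part of the original thread. The sample values are taken from the log above; the registry key names are the real Winlogon keys, while the "user-writable directory" and `C:` drive heuristics are this example's own assumptions, and on Windows the live values are read with `winreg`.

```python
"""Audit the Winlogon 'Shell' value for a loader appended after explorer.exe."""
import re

# Both hives carry a Winlogon key. Only the HKLM value normally exists and it
# should read exactly "explorer.exe"; a per-user Shell value under HKCU is
# unusual enough that its mere presence is reported.
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Heuristics chosen for this example (assumptions, not a vendor list): a shell
# entry living in a fake SID folder under \recycler, or in any user-writable
# location, looks like a loader rather than a replacement shell.
RECYCLER_SID_RE = re.compile(r"\\recycler\\s-1-5-21-[\d-]+\\", re.IGNORECASE)
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\recycler\\",
                      "\\$recycle.bin\\", "\\users\\public\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumes system on C:

# Constructed from the ComboFix output quoted in the thread (HKCU = "uWinlogon").
SAMPLE_VALUES = {
    "HKLM": "explorer.exe",
    "HKCU": r"explorer.exe,c:\recycler\s-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe",
}


def parse_shell_value(value):
    """Split a Shell value into its comma-separated entries, dropping blanks."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def find_extra_shell_entries(value):
    """Return every entry that is not the one expected shell, explorer.exe."""
    return [e for e in parse_shell_value(value) if e.lower() != EXPECTED_SHELL]


def classify_entry(entry):
    """Explain why an extra entry looks like persistence rather than a shell."""
    low = entry.lower()
    reasons = []
    if RECYCLER_SID_RE.search(low):
        reasons.append("lives in a fake SID folder under \\recycler")
    elif any(marker in low for marker in USER_WRITABLE_DIRS):
        reasons.append("lives in a user-writable directory")
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("outside Windows or Program Files")
    return reasons or ["not explorer.exe"]


def audit_shell_values(values):
    """values maps hive name -> Shell value (None when the value is absent).

    Returns a list of (hive, entry, reasons) findings; an empty list is clean.
    """
    findings = []
    for hive, value in values.items():
        if value is None:
            continue
        if hive == "HKCU":
            findings.append((hive, value, ["per-user Shell override present"]))
        for extra in find_extra_shell_entries(value):
            findings.append((hive, extra, classify_entry(extra)))
    return findings


def read_live_shell_values():
    """Read the real values on Windows; return an empty dict elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, root in hives:
        try:
            with winreg.OpenKey(root, WINLOGON_SUBKEY) as key:
                out[name], _ = winreg.QueryValueEx(key, "Shell")
        except OSError:          # key or value missing: the normal case for HKCU
            out[name] = None
    return out


if __name__ == "__main__":
    values = read_live_shell_values() or SAMPLE_VALUES
    for hive, entry, reasons in audit_shell_values(values):
        print(f"{hive}: {entry}\n    " + "; ".join(reasons))
```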
Old 06-15-2010, 05:09 PM   #8
Registered Member
 
Join Date: Jun 2009
Posts: 26
OS: Windows Vista



Okay I scanned it and the report showed some infections. I've gone through D: and F: drives and followed the location of the infection as in the report and deleted .exe folders (Infected: Worm.Win32.AutoRun.esf). Scanned the drives again with kaspersky online scanner and it showed no infections in both drives this time.

Didn't do anything with C: and G: drives...so they are still as they are in the report.




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 15, 2010
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, June 14, 2010 16:37:40
Records in database: 4276310
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 246190
Threats found: 7
Infected objects found: 75
Suspicious objects found: 0
Scan duration: 05:18:46


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-0174777426-7633872146-549696614-4352\MsMxEng.exe.vir Infected: P2P-Worm.Win32.Palevo.zjw 1
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-8097865874-0038352208-406627776-6842\MsMxEng.exe.vir Infected: Trojan.Win32.Buzus.cbge 1
C:\Qoobox\Quarantine\K\autorun.inf.vir Infected: Trojan.Win32.AutoRun.ait 1
D:\Games\Nintendo 64\Emulator\Emulators\XvsS-AlexZander.Ro\roms\roms.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Emulator\Emulators\XvsS-AlexZander.Ro\state\state.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\3rd Party Plugins\3rd Party Plugins.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\3rd Party Plugins\N-Rage\N-Rage.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\Cheat Codes\Cheat Codes.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\Docs.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\Game FAQ\Game FAQ.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\Plugin Specs\Plugin Specs.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\RDB\RDB.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Docs\RDX\RDX.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Emulator\Emulator.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Lang\Lang.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Logs\Logs.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\007 the World Is Not Enough\007 the World Is Not Enough.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Automobili Lamborghini\Automobili Lamborghini.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Cruis'n World\Cruis'n World.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Disney's Tarzan\Disney's Tarzan.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Fifa 99\Fifa 99.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Fifa Road To The World Cup 98\Fifa Road To The World Cup 98.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Golden Eye 007\Golden Eye 007.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Hydro Thunder\Hydro Thunder.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Mario Kart 64\Mario Kart 64.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Mission Impossible\Mission Impossible.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Monopoly 64\Monopoly 64.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Mortal Kombat 4\Mortal Kombat 4.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Mortal Kombat Trilogy\Mortal Kombat Trilogy.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\NBA Hangtime\NBA Hangtime.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Nitendo 64 Roms.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Rally Challenge\Rally Challenge.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Ridge Racer 64\Ridge Racer 64.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Scooby Doo\Scooby Doo.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Super Mario 64\Super Mario 64.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Tom and Jerry\Tom and Jerry.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Tony Hawk's Pro Skater 2\Tony Hawk's Pro Skater 2.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Tony Hawks Pro Skater\Tony Hawks Pro Skater.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Tony Hawks Pro Skater 3\Tony Hawks Pro Skater 3.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Virtual Chess 64\Virtual Chess 64.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\WWF Attitude\WWF Attitude.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\WWF No Mercy\WWF No Mercy.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Zeld Mask of Majora\Zeld Mask of Majora.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Nitendo 64 Roms\Zelda 64\Zelda 64.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Plugin\Plugin.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Nintendo 64\Nitendo 64\Save\Save.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\Beale Face\Beale Face.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Data\motion\motion.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Cz\Cz.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Da\Da.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\De\De.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\en-uk\en-uk.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Es\Es.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Fi\Fi.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\fr-fr\fr-fr.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Hu\Hu.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\It\It.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\NL\NL.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\No\No.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Pol\Pol.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\pt\pt.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\pt-br\pt-br.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Ru\Ru.exe Infected: Worm.Win32.AutoRun.esf 1
D:\Games\Rugby08_Upgrade\EA SPORTS(TM) Rugby 08\Support\EA_Help\Sv\Sv.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\Adobe.Illustrator.CS3.Portable.zip Infected: Trojan-Dropper.Win32.Agent.bvyu 1
F:\Programs_Unrun\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
F:\Programs_Unrun\More\Microsoft Office Suite\Visio 2000\Install\BIN\Program Files\Common Files\Common Files.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\More\Microsoft Office Suite\Visio 2000\Install\BIN\Program Files\Common Files\Lhspf\Lhspf.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\More\Microsoft Office Suite\Visio 2000\Install\BIN\Program Files\Common Files\Lhspf\LingTech\LingTech.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\More\Microsoft Office Suite\Visio 2000\Install\BIN\Program Files\Common Files\Visio Shared\Fonts\Fonts.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\More\Microsoft Office Suite\Visio 2000\Install\BIN\Program Files\Common Files\Visio Shared\Visio Shared.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\More\Microsoft Office Suite\Visio 2000\Install\BIN\Program Files\Common Files\WexTech Shared\WexTech Shared.exe Infected: Worm.Win32.AutoRun.esf 1
F:\Programs_Unrun\pdf_Converters\WrdPdfCoverter\Word 2 PDF\doc2pdf_setup.exe Infected: Trojan.Win32.Chifrax.d 1
G:\autorun.inf\autorun.inf.exe Infected: Worm.Win32.AutoRun.esf 1
G:\RECOVERY\RECOVERY.exe Infected: Worm.Win32.AutoRun.esf 1

Selected area has been scanned.
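One way to look for the footprint the Kaspersky report above shows (a copy of the worm named after every folder it lands in, such as `Docs\Docs.exe`, all byte-identical, plus an `autorun.inf` at the volume root), as an added Python example that is not part of the thread: it walks a volume, flags `<folder>.exe` companions, clusters them by SHA-256 so identical copies stand out, and reads the launch targets out of `autorun.inf`. The sample volume it builds is constructed here, and the folder-name heuristics are this example's assumptions.

```python
"""Find the on-disk footprint of an AutoRun-style worm: <folder>.exe companions,
clusters of byte-identical copies, and the targets named in autorun.inf."""
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Lines in autorun.inf that launch something: open=, shellexecute=, shell\x\command=
AUTORUN_TARGET_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def sha256_of(path):
    """Hash a file in chunks so a whole drive can be processed without large reads."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def companion_candidates(dirpath, dirnames, filenames):
    """Yield .exe files named after their own folder or after a sibling folder.

    Heuristic for this example: it also catches the G:\\autorun.inf\\autorun.inf.exe
    case from the report, since that folder is itself called autorun.inf.
    """
    folder = os.path.basename(dirpath).lower()
    siblings = {d.lower() for d in dirnames}
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".exe" and (stem.lower() == folder or stem.lower() in siblings):
            yield os.path.join(dirpath, name)


def parse_autorun_inf(path):
    """Return the launch targets an autorun.inf points at, in file order."""
    targets = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = AUTORUN_TARGET_RE.match(line)
            if match:
                targets.append(match.group(2))
    return targets


def scan_volume(root):
    """Walk one volume; report companions, identical-copy clusters, autorun targets."""
    companions = []
    for dirpath, dirnames, filenames in os.walk(root):
        companions.extend(companion_candidates(dirpath, dirnames, filenames))
    by_hash = defaultdict(list)
    for path in companions:
        by_hash[sha256_of(path)].append(path)

    def rel(path):
        return os.path.relpath(path, root)

    autorun = os.path.join(root, "autorun.inf")
    return {
        "companions": sorted(rel(p) for p in companions),
        # a worm drops the same binary everywhere, so identical hashes are the tell
        "clusters": {h: sorted(rel(p) for p in paths)
                     for h, paths in by_hash.items() if len(paths) > 1},
        "autorun_targets": parse_autorun_inf(autorun) if os.path.isfile(autorun) else [],
    }


def build_sample_volume():
    """Constructed stand-in for the infected D: drive (placeholder bytes, not a
    real worm): one payload copied as <folder>.exe into two folders, one
    legitimate exe that must not be flagged, and an autorun.inf at the root."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    payload = b"MZ" + b"\x90" * 510            # constructed placeholder content
    for folder in ("Docs", "Save"):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, folder + ".exe"), "wb") as fh:
            fh.write(payload)
    os.makedirs(os.path.join(root, "Plugin"))
    with open(os.path.join(root, "Plugin", "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)         # different name and bytes: benign
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=Docs\\Docs.exe\nshellexecute=Save\\Save.exe\n")
    return root


if __name__ == "__main__":
    root = build_sample_volume()
    try:
        result = scan_volume(root)
        for path in result["companions"]:
            print("companion exe:", path)
        for digest, paths in result["clusters"].items():
            print(f"{len(paths)} identical copies, sha256 {digest[:16]}...: {paths}")
        print("autorun.inf launches:", result["autorun_targets"])
    finally:
        shutil.rmtree(root)
```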
Old 06-15-2010, 08:14 PM   #9
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Well done.

As you've correctly surmised, the reports on C:\ drive are backups that were created during the course of this fix.

If there aren't any more problems, we can tend to that shortly. Before we do, it would be wise to clear all Restore points, and create a fresh, clean point so you do not inadvertently bring all this infection back onto the system.

To reset System Restore on a Vista machine:

  • Click the Start button>Control Panel>System and Maintenance>System
  • In the left pane, click System Protection
  • To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK.
That will clear all restore points.

Now, turn it back on - simply check the box next to disk C:\ and click OK.

If you want to double check yourself and be sure a fresh restore point has been created, still in that System Protection tab, click the System Restore button. (Don't worry, it won't revert your system until you select a restore point listed and OK your way throughout).

In the window that opens, click Next. There, you will see the restore points available to you.

Click Cancel to exit without restoring.

==================================


Next, please do not skip this step as it will implement important cleanup procedures as it uninstalls:

On your keyboard, press the Windows logo key and the letter R to bring up the Run command box. Copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - https://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT, Web of Trust. As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.


  • Scan here https://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-17-2010, 08:36 PM   #10
Registered Member
 
Join Date: Jun 2009
Posts: 26
OS: Windows Vista



Hi Ried,

1. restore point done
2. comboFix uninstalled
3. spyware blaster and WOT added

One question:

1.) What happens to the infection in my recovery drive stated in the report?
G:\autorun.inf\autorun.inf.exe Infected: Worm.Win32.AutoRun.esf 1 and
G:\RECOVERY\RECOVERY.exe Infected: Worm.Win32.AutoRun.esf 1

Did we also take care of that with ComboFix??
Ben Lutua is offline  
Old 06-17-2010, 10:09 PM   #11



My apologies, I misread your earlier comment and didn't notice that you deleted all except C:\ and G:\ drives.

What is the G:\ drive? Flash drive? External drive? Was it connected when you first ran ComboFix?
Ried is offline  
Old 06-19-2010, 05:09 PM   #12



That's okay,

It's my recovery drive. It contains files for PC recovery. I only use it when I format my comp.

It's a built-in drive.
Ben Lutua is offline  
Old 06-19-2010, 06:20 PM   #13



Then it is a false detection by Kaspersky and you can safely ignore it.
Ried is offline  
Old 06-19-2010, 07:08 PM   #14



Oh okay,

well in that case, thank you so much for the help Ried!!!!
Ben Lutua is offline  
Old 06-19-2010, 08:17 PM   #15



You're so very welcome, Ben!

Take care.
Ried is offline  
 
