Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads


virus prompting me to install fake anti-virus software.. "Worm.Win32.Netsky"



Old 01-28-2010, 01:39 AM   #1
Guest
 
Join Date: Jan 2010
Posts: 8
OS:



hi,

was in the middle of browsing last night and got hit with this virus. a screen popped up and said my computer was infected and to scan my drives. at the same time, it shut down chrome and my ad-aware watch popped up and said it started a live scan. I let ad-aware finish, restarted my computer, and I got the same fake antivirus pop ups as before. ad-aware started again in the background. I let it finish again and restarted again, and the same process happened. this is the popup I get after I restart:


it also turns my desktop white after I click OK.

I stopped the scan and tried to open chrome, firefox, IE, nothing works. sometimes they won't even open (and a popup will say that the file is infected) and sometimes it will open but will not display any websites; the browser just remains white or gives me a "this webpage cannot be displayed" general error.

I tried to open add/remove programs and nothing shows up (the window opens but I do not get a list of programs, the area is just white).

I was able to save GMER and DDS to a flash drive and ran them from the desktop.

during my GMER scan I had periodic popups saying my files were infected and that a scan would begin (which of course it didn't). eventually the pop ups stopped but all 3 browsers still don't work.

also, regarding the GMER scan, I have two hard drives, C: and F: (not partitioned, 2 actual drives). I unchecked F and left C checked. while the main drive is C, most of my actual files are on the F drive. don't know if you need to know that but thought I should mention it.

===
DDS
===


DDS (Ver_09-12-01.01) - NTFSx86
Run by kelsey at 0:10:27.98 on Thu 01/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2550.1907 [GMT -8:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Documents and Settings\kelsey\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://twitter.com/
uDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2D7FF6B9-D495-42D9-BC54-2DCB29BE0648} - No File
BHO: {36d2ff50-9f55-4999-b1a4-2f4571fa621b} - c:\windows\system32\yayvWpmM.dll
BHO: {48C2D762-89DE-420E-87C5-949734B281AF} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {B8297676-7E5B-49CB-9E18-32003D9FC464} - No File
BHO: {de29cf05-95b2-4a26-9969-4bbb436aee70} - c:\windows\system32\urqrPGwT.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [EPSON Stylus CX4600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Swixa] rundll32.exe "c:\windows\ofipepac.dll",Startup
StartupFolder: c:\docume~1\kelsey\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\kelsey\startm~1\programs\startup\lastfm~1.lnk - c:\program files\last.fm\LastFMHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
Trusted Zone: clubbox.co.kr
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.ipop.co.kr/gom/GomWeb.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli BDEFMUXY.dll
mASetup: {23KLN5J0-4OPM-11WE-AAX5-24EF1F387232} - c:\recycler\k-1-3542-4232123213-7676767-8888886\hn.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kelsey\applic~1\mozilla\firefox\profiles\default user\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\kelsey\application data\mozilla\firefox\profiles\default user\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava131_04.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOJI600.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {96A03216-10D9-4A4F-94D6-AA8A20057320} - c:\documents and settings\kelsey\local settings\application data\{96A03216-10D9-4A4F-94D6-AA8A20057320}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-6-2 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-6-2 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-6-2 171400]
S2 gupdate1ca78abc423de8a;Google Update Service (gupdate1ca78abc423de8a);c:\program files\google\update\GoogleUpdate.exe [2009-12-9 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-9 38224]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-8-3 42512]

=============== Created Last 30 ================

2010-01-27 08:09:32 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-27 08:09:31 0 ----a-w- c:\windows\system32\helper32.dll
2010-01-27 08:07:57 22528 ----a-w- c:\windows\system32\smss32.exe
2010-01-27 07:58:16 0 ----a-w- c:\windows\Nlufako.bin
2010-01-27 07:58:15 120 ----a-w- c:\windows\Kqatezivanomo.dat
2010-01-27 07:54:58 0 ----a-w- c:\windows\system32\41.exe
2010-01-27 07:54:21 22528 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-13 06:28:49 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 06:21:53 223744 ----a-w- c:\windows\system32\CNMLM97.DLL

==================== Find3M ====================

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-21 06:42:51 4 ----a-w- c:\docume~1\kelsey\applic~1\avdrn.dat
2009-12-09 08:46:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-09 08:41:56 77086488 ----a-w- C:\Ad-AwareInstallation.exe
2009-12-09 08:41:45 4844296 ----a-w- C:\mbam-setup.exe
2009-12-04 00:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 21:49:49 12307750 ----a-w- c:\program files\FreeSoundRecorder.exe
2008-03-20 02:44:55 1612672 ----a-w- c:\program files\CuteWriter.exe
2006-05-02 19:49:56 21031280 ----a-w- c:\program files\aaw2007.exe
2008-05-04 17:00:02 524554 --sha-w- c:\windows\system32\MmpWvyay.ini2
2006-05-04 04:33:22 540158 --sha-w- c:\windows\system32\TwGPrqru.ini2

============= FINISH: 0:13:18.51 ===============

also, I do not have access to a windows install cd.

any help you can provide me would be great. thank you so much for your time!
Attached Files
File Type: zip Attach.zip (4.9 KB, 13 views)
marshierunt is offline  
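A defender-side triage pass over the DDS "Pseudo HJT Report" lines from the first post, as an added example that is not part of this thread and not code from the DDS tool: it flags the persistence points visible in that log (the Userinit replacement, the extra LSA notification package, the LSP DLL, the disabled Task Manager, the lookalike autorun names and the Active Setup entry with a malformed GUID). The sample lines are copied from the log above; the heuristics, thresholds and the list of imitated process names are my own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of the DDS "Pseudo HJT Report" from the first
# post above (entries copied from that log; surrounding benign lines omitted).
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Swixa] rundll32.exe "c:\windows\ofipepac.dll",Startup
uPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\system32\helper32.dll
LSA: Notification Packages = scecli BDEFMUXY.dll
mASetup: {23KLN5J0-4OPM-11WE-AAX5-24EF1F387232} - c:\recycler\k-1-3542-4232123213-7676767-8888886\hn.exe
"""

# Core Windows process names that rogue binaries commonly imitate (assumed list).
CORE_NAMES = {"smss", "winlogon", "csrss", "lsass", "services", "svchost", "explorer"}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()


def _first_exe(cmd: str) -> str:
    """Basename of the first token of a Run command (quoted path or bare word)."""
    cmd = cmd.strip()
    token = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return _basename(token)


def _looks_like_core_name(exe: str) -> bool:
    """True for lookalikes such as smss32.exe or winlogon32.exe (core name + extra chars)."""
    stem = exe.lower().rsplit(".", 1)[0]
    return any(stem != c and stem.startswith(c) for c in CORE_NAMES)


def triage(report: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for each report line that warrants analyst review."""
    findings: List[Tuple[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.endswith("Winlogon") and value.lower().startswith("userinit="):
            # Only userinit.exe belongs here; anything else runs at every logon.
            target = value.split("=", 1)[1].split(",")[0]
            if _basename(target) != "userinit.exe":
                findings.append((line, "Userinit points to a non-default executable"))
        elif key == "LSA" and value.lower().startswith("notification packages"):
            # Default is scecli alone; extra packages see plaintext password changes.
            pkgs = value.split("=", 1)[1].split()
            extra = [p for p in pkgs if p.lower() != "scecli"]
            if extra:
                findings.append((line, f"extra LSA notification package(s): {' '.join(extra)}"))
        elif key == "LSP":
            # Winsock LSPs intercept all socket traffic; legitimate ones exist, so verify.
            findings.append((line, "layered service provider DLL; verify publisher"))
        elif key.endswith("Policies-system") and re.match(r"DisableTaskMgr\s*=\s*1", value):
            findings.append((line, "Task Manager disabled by policy"))
        elif key.endswith("ASetup"):
            guid, _, path = value.partition(" - ")
            if not GUID_RE.match(guid.strip()):
                findings.append((line, "Active Setup entry with malformed GUID"))
            if "\\recycler\\" in path.lower():
                findings.append((line, "Active Setup entry runs from the Recycle Bin"))
        elif key.endswith("Run"):
            m = re.match(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)", value)
            if not m:
                continue
            cmd = m.group("cmd")
            exe = _first_exe(cmd)
            if _looks_like_core_name(exe):
                findings.append((line, f"autorun binary imitates a core process name: {exe}"))
            elif exe == "rundll32.exe" and re.search(r'"?c:\\windows\\[^\\"]+\.dll', cmd, re.I):
                # System DLLs live under system32; a DLL dropped in the Windows root is suspect.
                findings.append((line, "rundll32 loads a DLL from the Windows root"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_DDS):
        print(f"{reason}\n    {line}")
```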
Old 01-30-2010, 01:24 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please see this >> https://img.photobucket.com/albums/v6...ee_disable.gif

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-01-2010, 12:50 AM   #3
Guest
 
Join Date: Jan 2010
Posts: 8
OS:



hi chemist,

thank you very much for your reply. following is my combofix log. throughout the beginning of the scan (before the stages were completed) a window kept popping up with the following message:

PEV.cfxxe - Bad Image

The application or DLL C:/windows/system32/helper32.dll is not a valid Windows image. Please check this against your installation diskette.


This popped up a few times and I kept clicking OK and then once the scan began, it stopped.

ComboFix 10-01-31.01 - kelsey 01/31/2010 22:36:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2550.2076 [GMT -8:00]
Running from: c:\documents and settings\kelsey\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\kelsey\Application Data\avdrn.dat
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM.cfg
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM0.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM1.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM2.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM3.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM4.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM5.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM6.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM7.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM8.che
c:\documents and settings\kelsey\Local Settings\Temporary Internet Files\BugsM9.che
c:\recycler\k-1-3542-4232123213-7676767-8888886
C:\Thumbs.db
c:\windows\BM8b0c7363.txt
c:\windows\BM8b0c7363.xml
c:\windows\cookies.ini
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\ofipepac.dll
c:\windows\pskt.ini
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\cxvkbhdu.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\jsnjugnk.ini
c:\windows\system32\mawgxluq.ini
c:\windows\system32\MmpWvyay.ini
c:\windows\SYSTEM32\MmpWvyay.ini2
c:\windows\system32\nscmfwvq.ini
c:\windows\system32\Packet.dll
c:\windows\system32\smss32.exe
c:\windows\system32\TwGPrqru.ini
c:\windows\system32\TwGPrqru.ini2
c:\windows\system32\winlogon32.exe
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.

2010-01-28 08:21 . 2010-01-28 08:21 -------- d-----w- C:\spoolerlogs
2010-01-27 08:09 . 2010-01-27 08:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-27 07:58 . 2010-02-01 06:21 0 ----a-w- c:\windows\Nlufako.bin
2010-01-27 07:58 . 2010-01-27 07:58 120 ----a-w- c:\windows\Kqatezivanomo.dat
2010-01-27 07:58 . 2010-01-27 07:58 -------- d-----w- c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}
2010-01-13 06:28 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 07:47 . 2007-05-12 01:30 -------- d-----w- c:\documents and settings\kelsey\Application Data\uTorrent
2010-01-21 03:37 . 2009-09-09 02:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-01 06:26 . 2007-04-22 02:40 -------- d-----w- c:\program files\Canon
2010-01-01 06:22 . 2010-01-01 06:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-01-01 06:21 . 2010-01-01 06:21 -------- d--h--w- c:\program files\CanonBJ
2009-12-31 06:54 . 2009-12-22 02:12 -------- d-----w- c:\documents and settings\kelsey\Application Data\Skype
2009-12-31 05:22 . 2009-12-22 02:16 -------- d-----w- c:\documents and settings\kelsey\Application Data\skypePM
2009-12-22 02:16 . 2009-12-22 02:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-22 02:12 . 2009-12-22 02:12 -------- d-----r- c:\program files\Skype
2009-12-22 02:12 . 2009-12-22 02:12 -------- d-----w- c:\program files\Common Files\Skype
2009-12-22 02:12 . 2009-12-22 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-21 19:14 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 02:39 . 2007-10-11 06:40 40 ----a-w- c:\windows\popcinfo.dat
2009-12-09 08:59 . 2006-06-19 14:45 -------- d-----w- c:\program files\Google
2009-12-09 08:49 . 2009-12-09 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 08:46 . 2009-12-09 10:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-09 08:43 . 2009-12-09 08:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 08:43 . 2007-04-22 02:41 -------- d-----w- c:\program files\Lavasoft
2009-12-09 08:43 . 2006-05-02 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-09 08:41 . 2009-12-09 08:41 77086488 ----a-w- C:\Ad-AwareInstallation.exe
2009-12-09 08:41 . 2009-12-09 08:41 4844296 ----a-w- C:\mbam-setup.exe
2009-12-04 00:14 . 2009-12-09 08:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2008-05-08 02:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:36 . 2004-08-04 11:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-05 21:49 . 2009-08-05 21:49 12307750 ----a-w- c:\program files\FreeSoundRecorder.exe
2008-03-20 02:44 . 2008-03-20 02:44 1612672 ----a-w- c:\program files\CuteWriter.exe
2006-05-02 19:49 . 2006-05-02 19:49 21031280 ----a-w- c:\program files\aaw2007.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"Swixa"="c:\windows\eqehicek.dll" [2007-03-08 151552]

c:\documents and settings\kelsey\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli BDEFMUXY.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\SYSTEM32\\grdmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\BugsSvr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/9/2009 12:47 AM 64288]
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/14/2007 10:29 AM 682232]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1181328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/27/2007 8:59 PM 24652]
S2 gupdate1ca78abc423de8a;Google Update Service (gupdate1ca78abc423de8a);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2009 12:44 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/9/2009 12:49 AM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:46]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:46]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:46]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:46]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:46]

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 08:43]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 08:43]

2010-02-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://twitter.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: clubbox.co.kr
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.ipop.co.kr/gom/GomWeb.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
FF - ProfilePath - c:\documents and settings\kelsey\Application Data\Mozilla\Firefox\Profiles\Default User\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\kelsey\Application Data\Mozilla\Firefox\Profiles\Default User\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava131_04.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI600.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {96A03216-10D9-4A4F-94D6-AA8A20057320} - c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}
.
- - - - ORPHANS REMOVED - - - -

BHO-{2D7FF6B9-D495-42D9-BC54-2DCB29BE0648} - (no file)
BHO-{48C2D762-89DE-420E-87C5-949734B281AF} - (no file)
BHO-{B8297676-7E5B-49CB-9E18-32003D9FC464} - (no file)
BHO-{DE29CF05-95B2-4A26-9969-4BBB436AEE70} - c:\windows\system32\urqrPGwT.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ActiveSetup-{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232} - c:\recycler\k-1-3542-4232123213-7676767-8888886\hn.exe
AddRemove-Adobe Premiere 6.5 - f:\adobe\premiere 6.5\DeIsL1.isu
AddRemove-RNCompiler 6.0 - f:\adobe\premiere 6.5\Plug-ins\RNCompiler\rnuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-01-31 22:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(928)
c:\windows\BDEFMUXY.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2728)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\BDEFMUXY.dll
c:\windows\eqehicek.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2010-01-31 23:00:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-01 07:00

Pre-Run: 32,681,062,400 bytes free
Post-Run: 33,295,077,376 bytes free

- - End Of File - - C3F3D79F8E5B0B7930F69267FD14A242
marshierunt is offline  
Old 02-01-2010, 05:39 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello marshierunt. Why didn't you install the Recovery Console? And did you uninstall uTorrent?

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\eqehicek.dll

  • Click Open then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
  • Please repeat for the following file:

    c:\windows\BDEFMUXY.dll
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-01-2010, 06:30 PM   #5
marshierunt (Guest)

hello,

I uninstalled utorrent. it did not install the recovery console because it said I wasn't connected to the internet. I had my wireless stick plugged in, and it was blinking indicating I was connected to the internet. I tried to exit combofix to start over, to perhaps check my connection and try the scan again, but it just skipped the download and continued with the scan, and I didn't think it was safe to stop it mid-scan... please advise if I should scan again.

virustotal scan for eqehicek.dll:
https://www.virustotal.com/analisis/c...fcf-1265073815

virustotal scan for BDEFMUXY.dll:
(I got the "this file has already been analysed" message, so I hit "reanalyse file now")
https://www.virustotal.com/analisis/4...a90-1265074062

obviously, all 3 of my browsers are now working (chrome, ie, firefox), since I was able to do this scan, already an improvement from before! thanks so much for your prompt response. I will await your reply.
marshierunt is offline  
Old 02-01-2010, 07:00 PM   #6
chemist (Security Team)

Hello again, marshierunt. The Recovery Console should install this time.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

To open Notepad, go Start > Run and type Notepad then click 'OK'.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
https://www.techsupportforum.com/f100/virus-prompting-me-to-install-fake-anti-virus-software-worm-win32-netsky-456467.html#post2572588

Collect::
c:\windows\eqehicek.dll
c:\windows\BDEFMUXY.dll
c:\windows\Kqatezivanomo.dat

File::
c:\windows\Nlufako.bin

Folder::
c:\documents and settings\kelsey\Application Data\uTorrent
c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}

DDS::
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab

Registry::
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
------------------------------------------------------
chemist is offline  
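The Registry:: section of the CFScript above is worth reading closely: it resets the LSA "Notification Packages" value, which lists DLLs that LSASS loads at boot and hands every plaintext password change (a classic persistence and credential-capture point), back to the single Windows default entry, and the `"name"=-` lines use .reg syntax for "delete this value". The value is written as `hex(7):73,63,65,63,6c,69,00,00`, which is REG_MULTI_SZ "scecli". The following Python is an added example, not ComboFix's or the forum's code: it decodes such values (both the 8-bit form seen above and the UTF-16LE form regedit exports produce) and flags any package beyond the expected set. EXPECTED_PACKAGES is an assumption for a stand-alone XP workstation; the sample script is copied from the post above, and the "pwdfilt" name used in the usage note is a made-up hijack for illustration.

```python
"""Decode REG_MULTI_SZ ("hex(7):...") values from a CFScript / .reg export
and audit the LSA 'Notification Packages' value for unexpected DLLs.

Added example, not ComboFix code. EXPECTED_PACKAGES assumes a stand-alone
workstation (assumption; domain controllers also load 'rassfm')."""
from __future__ import annotations

import re

EXPECTED_PACKAGES = {"scecli"}  # assumption: stand-alone XP workstation

# Constructed from the Registry:: section of the CFScript posted above.
SAMPLE_SCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]-?$")          # trailing '-' tolerated
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def decode_multi_sz(reg_value: str) -> list[str]:
    """'hex(7):73,63,...' -> list of strings.

    Accepts the 8-bit form ComboFix emits and the UTF-16LE form regedit
    exports use (every second byte is 0x00 for ASCII text); whitespace and
    backslash line continuations between bytes are ignored."""
    body = reg_value.split(":", 1)[1]
    raw = bytes(int(h, 16) for h in re.split(r"[,\s\\]+", body) if h)
    looks_utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2])
    text = raw.decode("utf-16-le") if looks_utf16 else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]  # drops the two NUL terminators


def parse_registry_block(script: str) -> dict[tuple[str, str], str]:
    """Map (key, value name) -> raw value text for every value line.
    A value of '-' means 'delete this value' in .reg syntax."""
    entries: dict[tuple[str, str], str] = {}
    key = None
    for line in script.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m["key"]
        elif key and (m := VALUE_RE.match(line)):
            entries[(key, m["name"])] = m["value"]
    return entries


def notification_packages(script: str) -> list[str]:
    """Packages the script writes into HKLM\\...\\Control\\Lsa."""
    for (key, name), value in parse_registry_block(script).items():
        if key.lower().endswith(r"\control\lsa") and name.lower() == "notification packages":
            return decode_multi_sz(value)
    return []


def unexpected_packages(script: str) -> list[str]:
    """Packages not in EXPECTED_PACKAGES; non-empty means investigate."""
    return [p for p in notification_packages(script) if p.lower() not in EXPECTED_PACKAGES]


if __name__ == "__main__":
    print("packages:  ", notification_packages(SAMPLE_SCRIPT))
    print("unexpected:", unexpected_packages(SAMPLE_SCRIPT))
```

Run against the script above, `unexpected_packages` returns an empty list. Feed it a value such as `hex(7):73,63,65,63,6c,69,00,70,77,64,66,69,6c,74,00,00` (constructed: "scecli" followed by a made-up "pwdfilt") and it returns `["pwdfilt"]`, which is the kind of entry that should send you looking for a DLL of that name under system32.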
Old 02-01-2010, 07:53 PM   #7
marshierunt (Guest)

hi,

thanks for your quick reply. below is the result of the newest scan.

ComboFix 10-02-01.02 - kelsey 02/01/2010 18:23:35.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2550.2031 [GMT -8:00]
Running from: c:\documents and settings\kelsey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kelsey\Desktop\CFScript.txt

FILE ::
"c:\windows\Nlufako.bin"

file zipped: c:\windows\BDEFMUXY.dll
file zipped: c:\windows\eqehicek.dll
file zipped: c:\windows\Kqatezivanomo.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\kelsey\Application Data\uTorrent
c:\documents and settings\kelsey\Application Data\uTorrent\dht.dat
c:\documents and settings\kelsey\Application Data\uTorrent\dht.dat.old
c:\documents and settings\kelsey\Application Data\uTorrent\resume.dat
c:\documents and settings\kelsey\Application Data\uTorrent\resume.dat.old
c:\documents and settings\kelsey\Application Data\uTorrent\rss.dat
c:\documents and settings\kelsey\Application Data\uTorrent\rss.dat.old
c:\documents and settings\kelsey\Application Data\uTorrent\settings.dat
c:\documents and settings\kelsey\Application Data\uTorrent\settings.dat.old
c:\documents and settings\kelsey\Application Data\uTorrent\utorrent-help.zip
c:\documents and settings\kelsey\Application Data\uTorrent\utorrent.chm
c:\documents and settings\kelsey\Application Data\uTorrent\utorrent.lng
c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}
c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}\chrome.manifest
c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}\chrome\content\_cfg.js
c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}\chrome\content\overlay.xul
c:\documents and settings\kelsey\Local Settings\Application Data\{96A03216-10D9-4A4F-94D6-AA8A20057320}\install.rdf
c:\windows\BDEFMUXY.dll
c:\windows\eqehicek.dll
c:\windows\Kqatezivanomo.dat
c:\windows\Nlufako.bin

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-28 08:21 . 2010-01-28 08:21 -------- d-----w- C:\spoolerlogs
2010-01-27 08:09 . 2010-01-27 08:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-13 06:28 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 01:17 . 2007-05-12 01:30 -------- d-----w- c:\program files\uTorrent
2010-02-02 01:16 . 2007-04-22 02:36 -------- d-----w- c:\program files\LimeWire
2010-01-21 03:37 . 2009-09-09 02:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-01 06:26 . 2007-04-22 02:40 -------- d-----w- c:\program files\Canon
2010-01-01 06:22 . 2010-01-01 06:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-01-01 06:21 . 2010-01-01 06:21 -------- d--h--w- c:\program files\CanonBJ
2009-12-31 06:54 . 2009-12-22 02:12 -------- d-----w- c:\documents and settings\kelsey\Application Data\Skype
2009-12-31 05:22 . 2009-12-22 02:16 -------- d-----w- c:\documents and settings\kelsey\Application Data\skypePM
2009-12-22 02:16 . 2009-12-22 02:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-22 02:12 . 2009-12-22 02:12 -------- d-----r- c:\program files\Skype
2009-12-22 02:12 . 2009-12-22 02:12 -------- d-----w- c:\program files\Common Files\Skype
2009-12-22 02:12 . 2009-12-22 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-21 19:14 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 02:39 . 2007-10-11 06:40 40 ----a-w- c:\windows\popcinfo.dat
2009-12-09 08:59 . 2006-06-19 14:45 -------- d-----w- c:\program files\Google
2009-12-09 08:49 . 2009-12-09 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 08:46 . 2009-12-09 10:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-09 08:43 . 2009-12-09 08:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 08:43 . 2007-04-22 02:41 -------- d-----w- c:\program files\Lavasoft
2009-12-09 08:43 . 2006-05-02 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-09 08:41 . 2009-12-09 08:41 77086488 ----a-w- C:\Ad-AwareInstallation.exe
2009-12-09 08:41 . 2009-12-09 08:41 4844296 ----a-w- C:\mbam-setup.exe
2009-12-04 00:14 . 2009-12-09 08:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2008-05-08 02:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:36 . 2004-08-04 11:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-05 21:49 . 2009-08-05 21:49 12307750 ----a-w- c:\program files\FreeSoundRecorder.exe
2008-03-20 02:44 . 2008-03-20 02:44 1612672 ----a-w- c:\program files\CuteWriter.exe
2006-05-02 19:49 . 2006-05-02 19:49 21031280 ----a-w- c:\program files\aaw2007.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]

c:\documents and settings\kelsey\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\grdmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\WINDOWS\\SYSTEM32\\BugsSvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/9/2009 12:47 AM 64288]
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/14/2007 10:29 AM 682232]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1181328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/27/2007 8:59 PM 24652]
S2 gupdate1ca78abc423de8a;Google Update Service (gupdate1ca78abc423de8a);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2009 12:44 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/9/2009 12:49 AM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:46]

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:46]

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:46]

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:46]

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:46]

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 08:43]

2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 08:43]

2010-02-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://twitter.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: clubbox.co.kr
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.ipop.co.kr/gom/GomWeb.cab
FF - ProfilePath - c:\documents and settings\kelsey\Application Data\Mozilla\Firefox\Profiles\Default User\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\kelsey\Application Data\Mozilla\Firefox\Profiles\Default User\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava131_04.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI600.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Swixa - c:\windows\eqehicek.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-02-01 18:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-02-01 18:42:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 02:42
ComboFix2.txt 2010-02-01 07:00

Pre-Run: 33,728,446,464 bytes free
Post-Run: 33,692,631,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 37D044CF73ADD6125CD17C786826B99D
marshierunt is offline  
Old 02-01-2010, 09:01 PM   #8
chemist (Security Team)

Hello again, marshierunt. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

It appears the file didn't get submitted.

There should be a file named [4][email protected] with today's date located here:

C:\Qoobox\Quarantine\[4][email protected]

Please submit it to this site ==> https://www.bleepingcomputer.com/subm....php?channel=4

and include this link in the message:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/456467-virus-prompting-me-install-fake-anti-virus-software-worm-win32-netsky.html#post2572588


Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u18-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
chemist is offline  
Old 02-03-2010, 08:25 AM   #9
marshierunt (Guest)

hi chemist,

I submitted the file & updated java/deleted all previous versions of java.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, February 3, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, February 03, 2010 06:54:00
Records in database: 3400275
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 195414
Threats found: 5
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 05:58:00


File name / Threat / Threats count
C:\daemon4091-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Program Files\FreeSoundRecorder.exe Infected: Virus.Win32.Induc.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0069458.dll Infected: Trojan.Win32.Agent.dggu 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0069483.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0069501.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0069516.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1034\A0069531.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1034\A0069620.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1034\A0069622.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\yahoo_zuma_tm1-1.exe Infected: Backdoor.Win32.Agent.yag 1

Selected area has been scanned.
---

that's my kaspersky report. and my system is running great so far. everything is faster (faster than before I even got the virus! ). I've been using IE to carry out all these procedures, and I never use IE because it's so slow.. but it's going super fast! but all I notice that's different from before is that now my chrome toolbar looks funky. here's what it's supposed to look like:


but here's what mine looks like:


the black and white pattern in mine is supposed to be there (as opposed to the blue in the other screen shot), but I can't see any of the buttons anymore and the color is all off. should I just delete chrome and re-download?

thank you so so so much for all your time and effort into my problem. you're amazing!
marshierunt is offline  
Old 02-03-2010, 09:17 AM   #10
chemist (Security Team)

Hello again, marshierunt. Thanks for submitting the file.

Qoobox is ComboFix's quarantine folder. System Volume Information is where Windows keeps old system restore points. Both will get deleted when we uninstall ComboFix.

------------------------------------------------------

I'm not familiar with chrome and its settings. You should be able to change the background back. If not, yes uninstall and re-install.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\daemon4091-x86.exe"
"C:\Program Files\FreeSoundRecorder.exe"
"C:\yahoo_zuma_tm1-1.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
chemist is offline  
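The step between the Kaspersky report and the fix.bat above is a triage: detections under C:\Qoobox (ComboFix's quarantine) or inside old System Restore points are already neutralised and go away with `combofix /uninstall`, while anything else is still live on disk and needs an explicit delete. The following Python is an added example, not the forum's or Kaspersky's code: it parses report lines of the form `path Infected: threat count`, classifies each by location, and emits a batch file in the same shape as the one posted above for the live files. The sample report is a trimmed copy of the one posted above; the path prefixes used for classification are assumptions about where ComboFix and Windows keep those files.

```python
"""Triage a Kaspersky Online Scanner report into quarantined, restore-point
and live detections, and build a delete batch for the live ones.

Added example, not Kaspersky's or ComboFix's code. Location rules are
assumptions: C:\\Qoobox\\Quarantine for ComboFix, and
System Volume Information\\_restore{...} for Windows restore points."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Trimmed copy of the report posted above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\daemon4091-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Program Files\FreeSoundRecorder.exe Infected: Virus.Win32.Induc.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0069458.dll Infected: Trojan.Win32.Agent.dggu 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1034\A0069622.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxtw 1
C:\yahoo_zuma_tm1-1.exe Infected: Backdoor.Win32.Agent.yag 1

Selected area has been scanned.
"""

# Non-greedy path so paths with spaces survive; threat names contain no spaces.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int
    location: str  # "quarantine" | "restore_point" | "live"


def classify_path(path: str) -> str:
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_report(text: str) -> list[Detection]:
    found: list[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"]),
                                   classify_path(m["path"])))
    return found


def summarize(text: str) -> dict[str, int]:
    """Threat counts per location; only 'live' needs action."""
    counts = {"quarantine": 0, "restore_point": 0, "live": 0}
    for d in parse_report(text):
        counts[d.location] += d.count
    return counts


def live_paths(text: str) -> list[str]:
    return [d.path for d in parse_report(text) if d.location == "live"]


def build_delete_batch(paths: list[str]) -> str:
    """Emit a fix.bat in the shape of the one posted above: delete each
    file, and log any survivor to %temp%\\log.txt for review."""
    lines = ["@echo off", 'if exist "%temp%\\log.txt" del "%temp%\\log.txt"', "",
             "for %%g in ("]
    lines += [f'"{p}"' for p in paths]
    lines += [") do (", "del /a/f/q %%g >nul 2>&1",
              'if exist %%g echo.%%~g>>"%temp%\\log.txt"', ")"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(build_delete_batch(live_paths(SAMPLE_REPORT)))
```

On the trimmed sample the summary is 2 quarantined, 2 in restore points and 3 live, and the three live paths are exactly the ones the fix.bat above deletes.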
Old 02-03-2010, 06:49 PM   #11
marshierunt (Guest)

done and done. it said "Deleted Successfully! Press any key to continue." I pressed any key, the window closed and fix.bat deleted itself from the desktop.
marshierunt is offline  
Old 02-03-2010, 07:24 PM   #12
chemist (Security Team)

Any luck with chrome?
chemist is offline  
Old 02-03-2010, 07:25 PM   #13
marshierunt (Guest)

I uninstalled and reinstalled, and the problem remained. so I uninstalled again, restarted the computer, reinstalled, and now it's fixed. no comprende
marshierunt is offline  
Old 02-03-2010, 07:44 PM   #14
chemist (Security Team)

It seems the reboot made the difference.

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the Kaspersky report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable VirusScan before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here, and for Windows Vista here.
    • Download hosts.zip and save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
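The HOSTS-file step above works because the OS resolver consults the HOSTS file before DNS, so an entry that maps an ad host to 127.0.0.1 keeps every connection attempt on the local machine. The following is an added example, not the thread's own mvps.bat and not code from MVPS: a small Python script that parses a HOSTS file the way the resolver reads it (comments, tabs, several hostnames per line, case-insensitive matching), checks whether a name is pinned to loopback, and reproduces the backup-then-replace step (rename HOSTS to HOSTS.MVP, write the new file) in a temporary directory so it can be run safely anywhere. The sample HOSTS contents and the `.invalid` hostnames are constructed for the demo.

```python
"""Hosts-file blocklist demo (added example; not MVPS's own mvps.bat).

Shows (1) how the resolver treats a HOSTS entry that points an ad host at
127.0.0.1, and (2) the backup-then-replace step the thread describes for
mvps.bat, reproduced in a scratch directory instead of the real system path.
"""
import os
import shutil
import tempfile

# Constructed sample of an existing HOSTS file (not a real user's file).
EXISTING_HOSTS = """# Default Windows HOSTS file
127.0.0.1       localhost
"""

# Constructed sample in the style of a blocklist HOSTS file. The hostnames
# are placeholders; a real blocklist contains tens of thousands of entries.
BLOCKLIST_HOSTS = """# Blocklist-style HOSTS file (constructed sample)
127.0.0.1  localhost
127.0.0.1  ads.example.invalid   # in-line comment
127.0.0.1  tracker.example.invalid banner.example.invalid
"""


def parse_hosts(text):
    """Return an ordered list of (hostname, ip) pairs.

    Mirrors resolver behaviour: '#' starts a comment, whitespace separates
    fields, one IP may be followed by several hostnames, and hostnames are
    matched case-insensitively (stored lower-cased here).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def resolve(hostname, entries):
    """First matching HOSTS entry wins, as the OS resolver does.
    None means the name is not in HOSTS and would fall through to DNS."""
    hostname = hostname.lower()
    for name, ip in entries:
        if name == hostname:
            return ip
    return None


def is_blocked(hostname, entries):
    """True when HOSTS pins the name to the loopback address 127.0.0.1,
    so any connection attempt never leaves the local machine."""
    return resolve(hostname, entries) == "127.0.0.1"


def install_hosts(hosts_dir, new_hosts_text):
    """Backup-then-replace, as the thread describes mvps.bat doing:
    rename HOSTS to HOSTS.MVP, then write the new file in its place.

    Conservative choice of this example (not stated on the page): refuse
    to overwrite an existing backup, and reject a new file that fails to
    define localhost.
    """
    target = os.path.join(hosts_dir, "HOSTS")
    backup = os.path.join(hosts_dir, "HOSTS.MVP")
    if os.path.exists(backup):
        raise FileExistsError("backup already present: " + backup)
    if resolve("localhost", parse_hosts(new_hosts_text)) != "127.0.0.1":
        raise ValueError("new HOSTS file does not define localhost")
    if os.path.exists(target):
        os.replace(target, backup)
    with open(target, "w", newline="\n") as fh:
        fh.write(new_hosts_text)
    return target, backup


def demo():
    """Run the install in a scratch directory and report what changed."""
    scratch = tempfile.mkdtemp()
    try:
        with open(os.path.join(scratch, "HOSTS"), "w") as fh:
            fh.write(EXISTING_HOSTS)
        target, backup = install_hosts(scratch, BLOCKLIST_HOSTS)
        with open(backup) as fh:
            backup_ok = fh.read() == EXISTING_HOSTS
        with open(target) as fh:
            entries = parse_hosts(fh.read())
        return {
            "backup_preserved": backup_ok,
            "ads_blocked": is_blocked("ADS.example.invalid", entries),
            "localhost_kept": resolve("localhost", entries) == "127.0.0.1",
            "unlisted_falls_through": resolve("www.example.invalid", entries) is None,
        }
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `is_blocked` comparison is pinned to 127.0.0.1 because that is the address the post describes; a blocklist that maps hosts to 0.0.0.0 instead would need that value accepted as well. Keeping the `localhost` check before the rename matters in practice: a HOSTS file that drops it breaks local services without any obvious error.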
Old 02-03-2010, 07:59 PM   #15
Guest
Join Date: Jan 2010
Posts: 8
OS:

Done and done. Everything works great now. It kinda scared me when the comp restarted and it took forever to show my desktop; I have to admit I kinda panicked!

Thanks SO much, chemist! You are amazing! Kudos, kudos, kudos x 100. Thank you for devoting so much time and energy to helping me!
marshierunt is offline  
Old 02-03-2010, 08:44 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

You're very welcome, marshierunt! Glad to have helped.
chemist is offline  