Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#1
Possible Malware
I have 2 viruses or spyware (not sure which one) on my computer. I have been using Avast AntiVirus to try and get rid of it, but whenever I scan it, it says I do not have any viruses, but then it comes back and says I have two viruses. Even though it says I deleted them, Avast AntiVirus says it's still there whenever I restart my computer.

Here is my "HijackThis Log" in this EXACT quote:
#2
If any of the admins here have any helpful advice, please help me.
#3
I also tried to install AVG AntiVirus but it wouldn't let me install because of this message below:
I also tried to restore my files, but that did not work either. It said "system cannot be restored".

ONE MORE PROBLEM, PLEASE READ: My desktop background got changed to a big sign saying "WARNING! Spyware detected on your computer". It shows me two spywares that are in danger, and in my "Display Properties" I am missing two tabs, "Desktop" and "Screensaver". If there is any possible way to fix this, please help me. Here is the image of my desktop, EXACTLY what it said: http://img440.imageshack.us/my.php?i...desktopti4.png

Last edited by bkbigshow; October 2nd, 2008 at 06:56 AM.
#4
Welcome to CTH bkbigshow,
Free repair guidance is offered by a few trained volunteers, and of course there are a lot of requests for it, so patience is a must. Fortunately for you our other volunteers have been in top form responding and assisting, so you got a response to your request the same day it was made.

The logs do show infection there, so we will need to get more details to work from before we start repairs. The logs also show you have two antivirus softwares installed, Avast and Network Associates. Small wonder AVG would not install. Having more than one antivirus software will cause conflicts and corruption. You need to choose one of those, disable all security software and then uninstall the other. Then make sure to reboot after.

Then, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop, then click on RSIT.exe to start the scan. If necessary, allow it to locate or download a copy of HijackThis as needed. Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt. RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt). You can use separate posts here when replying and posting the log files if needed.
#5
Ok, here is my first log:
#6
Here is the 2nd part:
#7
Also, for some reason, this time when I restarted my computer all my viruses seem to be gone (UNCONFIRMED) and my screen changed back to normal. If there is an explanation for this and you can answer it, it would be greatly appreciated.
#8
These Zlob/Vundo rogue variants have some smart clown behind them who makes changes to the techniques they use in deploying, so tough to second guess exactly what this or that version is doing. The fake security software is showing as installed, but may have instead set some unseen rootkit elements and needed the disruption you have been experiencing to mask that while installing it. But we'll address all of it.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download SDFix.exe and save it to your desktop. However, I would like you to rename the file as you download it (do not download it directly without renaming it). Rename the download file to george.exe, so george.exe is downloaded and saved to your desktop.

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). Click on the renamed SDFix file george.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script. Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

After the reboot, download Malwarebytes' Anti-Malware from Here or Here. Double click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs, do that as well.

Run a new RSIT scan, and post that one log along with the Malwarebytes log and the SDFix Report.txt log please. When posting there is no need to use the Quote method - just click Post Reply in the left corner of this thread and post directly in the response textbox.
#9
Logfile of random's system information tool 1.04 (written by random/random)
Run by Alex Vu at 2008-10-03 17:36:38
Microsoft Windows XP Professional Service Pack 1
System drive C: has 50 GB (38%) free of 131 GB
Total RAM: 511 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:38 PM, on 10/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Alex Vu.ALEXROOM\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Alex Vu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EPSON Stylus CX7000F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKA.EXE /FU "C:\WINDOWS\TEMP\E_S2A2.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 6307 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1157912972.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2002-08-29 842268]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-08-04 343112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-12-01 77824]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-09-29 344064]
"FLMOFFICE4DMOUSE"=C:\Program Files\Browser Mouse\mouse32a.exe [2005-12-25 360448]
"ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [2004-09-22 94208]
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2004-08-06 139320]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe [2003-10-07 147514]
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-11 69632]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-06-29 286720]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
#10
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"=C:\Program Files\Steam\Steam.exe [2008-03-28 1271032]
"EPSON Stylus CX7000F Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKA.EXE [2006-09-26 139264]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
C:\PROGRA~1\AIM\\DeadAIM.ocm [2004-02-28 144896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe [2000-06-13 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
C:\Program Files\Iomega\Common\ImgStart.exe [2000-06-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2002-08-29 1511453]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-11 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp instant support.lnk]
C:\PROGRA~1\HEWLET~1\HPINST~1\bin\matcli.exe [2002-05-09 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2006-06-14 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE [2004-02-13 16423]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Documents and Settings\Alex Vu.ALEXROOM\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-09-29 90112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-10-03 17:02:01 ----D---- C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\Malwarebytes
2008-10-03 17:01:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 17:01:58 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-03 11:59:52 ----D---- C:\WINDOWS\ERUNT
2008-10-03 11:48:05 ----D---- C:\SDFix
2008-10-02 21:16:49 ----D---- C:\rsit
2008-10-01 21:10:08 ----D---- C:\Program Files\Trend Micro
2008-10-01 20:51:37 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-30 13:16:01 ----D---- C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\Apple Computer
2008-09-05 00:39:35 ----A---- C:\WINDOWS\System32\MFC71.dll
2008-09-05 00:39:35 ----A---- C:\WINDOWS\System32\aswBoot.exe
2008-09-05 00:39:32 ----D---- C:\Program Files\Alwil Software
2008-09-05 00:07:45 ----A---- C:\WINDOWS\System32\usam.vbs
2008-09-05 00:07:45 ----A---- C:\WINDOWS\ahymesof.bat
2008-09-05 00:07:45 ----A---- C:\Documents and Settings\All Users.WINDOWS\Application Data\yfapudelem.exe
2008-09-05 00:07:45 ----A---- C:\Documents and Settings\All Users.WINDOWS\Application Data\okutazi.bat
2008-09-05 00:01:33 ----A---- C:\Program Files\Common Files\vugyl.bat
2008-09-05 00:01:33 ----A---- C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\wufedecozi.bat
2008-09-04 23:46:01 ----A---- C:\WINDOWS\System32\cawogocux.exe
2008-09-04 23:46:01 ----A---- C:\Program Files\Common Files\pisagod.exe
2008-09-04 23:46:01 ----A---- C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\ryha.com
2008-09-04 23:46:00 ----A---- C:\WINDOWS\qivarywel.dll
2008-09-04 23:19:16 ----A---- C:\WINDOWS\lexu.bat
2008-09-04 23:19:16 ----A---- C:\Documents and Settings\All Users.WINDOWS\Application Data\rinyjos.dll
2008-09-04 23:19:16 ----A---- C:\Documents and Settings\All Users.WINDOWS\Application Data\gaxocudom.dll
2008-09-04 23:19:14 ----A---- C:\WINDOWS\zadigise.dll
2008-09-04 23:19:14 ----A---- C:\WINDOWS\ficowi.dll
2008-09-04 23:19:14 ----A---- C:\WINDOWS\awifeluxa.exe
2008-09-04 23:19:14 ----A---- C:\Program Files\Common Files\kurirad.com

======List of files/folders modified in the last 1 months======

2008-10-03 17:35:35 ----D---- C:\WINDOWS\Prefetch
2008-10-03 17:32:06 ----D---- C:\WINDOWS\Temp
2008-10-03 17:31:30 ----D---- C:\Program Files\Mozilla Firefox
2008-10-03 17:30:22 ----D---- C:\WINDOWS\Debug
2008-10-03 17:30:16 ----D---- C:\Program Files\Steam
2008-10-03 17:28:55 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-03 17:02:33 ----D---- C:\WINDOWS\System32\drivers
2008-10-03 17:01:58 ----RD---- C:\Program Files
2008-10-03 13:51:41 ----D---- C:\Documents and Settings
2008-10-03 12:07:20 ----D---- C:\WINDOWS\system32
2008-10-03 12:03:38 ----RSHDC---- C:\WINDOWS\System32\dllcache
2008-10-03 11:59:52 ----D---- C:\WINDOWS
2008-10-02 16:20:12 ----D---- C:\WINDOWS\System32\CatRoot2
2008-10-01 20:33:32 ----D---- C:\WINDOWS\System32\Restore
2008-10-01 16:53:30 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-01 12:31:45 ----D---- C:\QUARANTINE
2008-10-01 12:21:32 ----D---- C:\Program Files\PCFriendly
2008-09-29 18:15:13 ----A---- C:\WINDOWS\winamp.ini
2008-09-24 23:06:41 ----D---- C:\Program Files\World of Warcraft
2008-09-21 14:03:46 ----D---- C:\Program Files\Wrath of the Lich King Beta
2008-09-12 12:27:48 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
2008-09-05 02:11:30 ----D---- C:\WINDOWS\System32\config
2008-09-05 00:07:45 ----D---- C:\Program Files\Common Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\System32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2006-09-10 82380]
R1 aswSP;avast! Self Protection; C:\WINDOWS\System32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\System32\drivers\aswTdi.sys [2008-07-19 42912]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-02-28 15440]
R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2004-10-15 58464]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\System32\drivers\aswMon2.sys [2008-07-19 94416]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter; C:\WINDOWS\System32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-12-01 2300928]
R3 aswRdr;aswRdr; C:\WINDOWS\System32\drivers\aswRdr.sys [2008-07-19 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-09-29 800256]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2006-12-13 11984]
R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\System32\drivers\EntDrv51.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2004-09-22 108256]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [2005-03-03 74496]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2002-08-29 28160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-08-29 19328]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-08-29 51968]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 24960]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2002-08-29 19328]
S3 catchme;catchme; \??\C:\DOCUME~1\ALEXVU~1.ALE\LOCALS~1\Temp\catchme.sys []
S3 GMSIPCI;GMSIPCI; \??\E:\INSTALL\GMSIPCI.SYS []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2002-02-15 50960]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2002-03-21 16112]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2002-03-08 22512]
S3 NTACCESS;NTACCESS; \??\E:\NTACCESS.sys []
S3 Pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2007-04-09 47360]
S3 SetupNTGLM7X;SetupNTGLM7X; \??\E:\NTGLM7X.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-09-29 405504]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2005-11-28 229376]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2004-08-06 102463]
R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\mcshield.exe [2004-09-22 221191]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\vstskmgr.exe [2004-09-22 28672]
R2 ZipToA;ZipToA; C:\WINDOWS\System32\ZipToA.exe [2000-02-10 356352]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S2 IomegaAccess;IomegaAccess; C:\WINDOWS\System32\IomegaAccess.exe [2000-02-10 352256]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-01-03 72704]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\HPZipm12.exe [2002-03-15 81920]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------
#11
Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 1

10/3/2008 5:27:14 PM
mbam-log-2008-10-03 (17-27-14).txt

Scan type: Quick Scan
Objects scanned: 118618
Time elapsed: 23 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#12
SDFix: Version 1.230
Run by Alex Vu on Fri 10/03/2008 at 04:36 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :
No Trojan Files Found

Folder C:\Program Files\rhcgerj0e981 - Removed
Folder C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008 - Removed
Folder C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\XPSecurityCenter - Removed
Folder C:\Program Files\XPSecurityCenter - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 16:49:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

Remaining Files :

Files with Hidden Attributes :

Thu 23 Aug 2001 24,448 A.SHR --- "C:\NTBOOTDD.SYS"
Tue 19 Dec 2006 39,424 ...H. --- "C:\Documents and Settings\Alex Vu.ALEXROOM\Desktop\~WRL2567.tmp"
Mon 13 Sep 2004 94,458 A..H. --- "C:\Program Files\Ahead\Nero PhotoShow\data\Nero PhotoShow Express.exe"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 7 Jan 2006 20,992 A..H. --- "C:\Documents and Settings\Alex Vu.ALEXROOM\My Documents\Alex's Files\Alex's School Work\High School\11th grade stuff\~WRL0258.tmp"
Sat 7 Jan 2006 20,480 A..H. --- "C:\Documents and Settings\Alex Vu.ALEXROOM\My Documents\Alex's Files\Alex's School Work\High School\11th grade stuff\~WRL0771.tmp"
Sat 7 Jan 2006 20,992 A..H. --- "C:\Documents and Settings\Alex Vu.ALEXROOM\My Documents\Alex's Files\Alex's School Work\High School\11th grade stuff\~WRL3452.tmp"

Finished!
#13
"Registry Values Infected: 1
Registry Data Items Infected: 1"

Yep, I have some files infected that were infected.
#14
Not quite sure what you indicated there bkbigshow in reposting a piece of the Malwarebytes log. More infection remains, but before we continue you will need to uninstall one of those two antivirus software you have installed there. I missed that the first go round, but left like this they will interfere with and corrupt each others functions and settings, as well as corrupt other Windows functions. Choose one, disable both and then uninstall the other.
Once you have done that, continue to leave security software temporarily disabled for these next steps.

Download OTMoveIt3 by OldTimer to your desktop. Then click OTMoveIt3.exe to run it. Copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):

:files
C:\WINDOWS\System32\usam.vbs
C:\WINDOWS\ahymesof.bat
C:\Documents and Settings\All Users.WINDOWS\Application Data\yfapudelem.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\okutazi.bat
C:\Program Files\Common Files\vugyl.bat
C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\wufedecozi.bat
C:\WINDOWS\System32\cawogocux.exe
C:\Program Files\Common Files\pisagod.exe
C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\ryha.com
C:\WINDOWS\qivarywel.dll
C:\WINDOWS\lexu.bat
C:\Documents and Settings\All Users.WINDOWS\Application Data\rinyjos.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\gaxocudom.dll
C:\WINDOWS\zadigise.dll
C:\WINDOWS\ficowi.dll
C:\WINDOWS\awifeluxa.exe
C:\Program Files\Common Files\kurirad.com

Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Then go here and run the Kaspersky online scan, and post back the log it creates. To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do. When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log. Then locate that log and copy/paste those contents back here please.

Run a new RSIT scan, and post that log along with the OTMoveIt log and the Kaspersky log please.

Since the removed files include some .vbs and .bat file indications that Malwarebytes did not target, I would like to check those out as well. This variant may include a different method we will need to complete the job here. Navigate to the following folder: C:\_OTMoveIt\MovedFiles and locate the zipped copy of those files just removed. It also will be named using a method similar to date_time.zip. Then go here, press New Topic, fill in the needed details and just give a link to your post back here. Then press the Browse button and navigate to and select the OTMoveIt zipped file on your computer. You DO NOT need to be a member to upload; anybody can upload the files. You will not be able to see the file once uploaded.
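The OTMoveIt list above was picked out of the RSIT "files/folders created" section by hand: a burst of loose .exe/.dll/.bat/.vbs/.com files dropped within a few minutes into C:\WINDOWS, System32, Common Files and the Application Data roots. As an added example (not code from this thread, RSIT, or any of the tools named), here is a small Python triage script that applies that same reasoning to a constructed excerpt of the log; the "drop location" directories and the 30-minute/3-file thresholds are assumptions of the example, and the output is a shortlist for a human to review, not a verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt: entries copied from the RSIT log posted above, with the two
# avast! files kept in as a legitimate install for contrast.
RSIT_EXCERPT = r"""
======List of files/folders created in the last 1 months======
2008-10-03 17:02:01 ----D---- C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\Malwarebytes
2008-10-01 21:10:08 ----D---- C:\Program Files\Trend Micro
2008-09-05 00:39:35 ----A---- C:\WINDOWS\System32\MFC71.dll
2008-09-05 00:39:35 ----A---- C:\WINDOWS\System32\aswBoot.exe
2008-09-05 00:07:45 ----A---- C:\WINDOWS\System32\usam.vbs
2008-09-05 00:07:45 ----A---- C:\WINDOWS\ahymesof.bat
2008-09-05 00:07:45 ----A---- C:\Documents and Settings\All Users.WINDOWS\Application Data\yfapudelem.exe
2008-09-05 00:01:33 ----A---- C:\Program Files\Common Files\vugyl.bat
2008-09-04 23:46:01 ----A---- C:\WINDOWS\System32\cawogocux.exe
2008-09-04 23:46:00 ----A---- C:\WINDOWS\qivarywel.dll
2008-09-04 23:19:16 ----A---- C:\WINDOWS\lexu.bat
2008-09-04 23:19:14 ----A---- C:\Program Files\Common Files\kurirad.com
======List of files/folders modified in the last 1 months======
2008-10-03 17:35:35 ----D---- C:\WINDOWS\Prefetch
"""

# Assumed heuristics: extensions that execute, and directories where a normal
# installer does not leave loose binaries (it creates its own subfolder instead).
EXEC_EXTS = {".exe", ".dll", ".com", ".bat", ".vbs", ".cmd", ".scr", ".pif"}
DROP_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\program files\common files"}
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.+?)\s*$")


def parse_created(log_text):
    """Return (timestamp, attrs, path) tuples from the 'created' section only."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("======"):
            in_section = "created" in line.lower()   # section header toggles state
            continue
        m = ENTRY_RE.match(line)
        if in_section and m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((when, m.group(2), m.group(3)))
    return entries


def is_loose_binary(attrs, path):
    """True for an executable-type file sitting directly in a drop location."""
    if "D" in attrs:                      # directory entry (----D----, ----RSHDC----)
        return False
    parent, _, name = path.lower().rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    in_drop_dir = parent in DROP_DIRS or parent.endswith("\\application data")
    return ext in EXEC_EXTS and in_drop_dir


def find_drop_bursts(entries, gap=timedelta(minutes=30), min_files=3):
    """Group loose binaries by creation time; keep bursts of min_files or more."""
    candidates = sorted((t, p) for t, a, p in entries if is_loose_binary(a, p))
    bursts, current = [], []
    for when, path in candidates:
        if current and when - current[-1][0] > gap:   # quiet period ends a burst
            bursts.append(current)
            current = []
        current.append((when, path))
    if current:
        bursts.append(current)
    return [b for b in bursts if len(b) >= min_files]


if __name__ == "__main__":
    for burst in find_drop_bursts(parse_created(RSIT_EXCERPT)):
        print(f"{len(burst)} loose binaries between {burst[0][0]} and {burst[-1][0]}:")
        for when, path in burst:
            print(f"  {when}  {path}")
```

On the excerpt the two avast! files at 00:39:35 fall below the threshold and are left alone, while the eight files dropped between 23:19 and 00:07 come out as one burst, matching the list the helper built by hand.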
#15
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, October 04, 2008 02:05:02
Records in database: 1287555
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 122502
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:19:06

File name / Threat name / Threats count
C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-291d694f.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Alex Vu.ALEXROOM\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-36bd75f4.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Alex Vu.ALEXROOM\Local Settings\Temporary Internet Files\Content.IE5\Q7MZOLOR\sp2-sinaloa-728[1].swf Infected: Hoax.SWF.Alerter.a 1
C:\Documents and Settings\Alex Vu.ALEXROOM\Local Settings\Temporary Internet Files\Content.IE5\YDO3EPY5\aznsilverstar712[2] Infected: Trojan.JS.Cardst 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.