BleepingComputer.com: i am infected with c:\windows\system32\msivxcount


i am infected with c:\windows\system32\msivxcount dont know how to remove it

#1 boon1

  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 26-June 09

Posted 26 June 2009 - 04:51 AM

Keep getting dodgy popups and can't seem to be able to burn CDs or DVDs. Malwarebytes can find this but can't remove it completely. Also, as I said, for some reason when I try to burn a CD or DVD I am being told to download Nero BurnRights, which I have, but it still won't work. I have also downloaded ImgBurn but it can't find any burning devices. My computer knows it's there but something is stopping me from using it. All this has happened since I found out I had WinBlueSoft malware, which I managed to remove; I had to rename the exe file to make it work. I don't know if the above problems are related but they both happened at the same time. It would be great if someone could help. Thanks.


DDS (Ver_09-06-26.01) - NTFSx86
Run by kens at 10:09:20.10 on 26/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.471 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Bit Comet\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.atcomet.com/b/
uSearch Page = hxxp://search.live.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://search.live.com/sphome.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic professional 6\SMSystemAnalyzer.exe"
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [ZPLED] c:\program files\wireless\rf keyboard\1.0\ZPKBDLED.exe
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [SystemGuardAlerter] "c:\program files\iolo\system mechanic professional 6\SystemGuardAlerter.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\killer.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\slimmu~1.lnk - c:\program files\slim multimedia keyboard\MagicKey.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236454020609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kens\applic~1\mozilla\firefox\profiles\fqh5sc8z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\kens\application data\mozilla\firefox\profiles\fqh5sc8z.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-7 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-7 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-7 108552]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2009-3-8 11886]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-7 298776]
R2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-24 38160]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-7 906520]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional business 2009.sp2\RpcAgentSrv.exe [2009-3-8 98488]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-06-26 08:54 61,440 a------- c:\windows\system32\drivers\gllhd.sys
2009-06-26 08:51 <DIR> --d----- c:\docume~1\kens\applic~1\AVG8
2009-06-25 06:08 8,192 a------- c:\windows\system32\6335s5zrse1499.bin
2009-06-25 02:52 3,354 a------- c:\windows\system32\24779h9cztoo56cd.cpl
2009-06-24 23:03 <DIR> --d----- c:\windows\system32\NtmsData
2009-06-24 22:42 <DIR> --d----- c:\program files\Windows Resource Kits
2009-06-24 22:16 2,031,616 a------- c:\windows\UNNeroBurnRights.exe
2009-06-24 22:16 65,536 a------- c:\windows\system32\NeroCo.dll
2009-06-24 22:16 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-06-24 22:16 23,936 a------- c:\windows\UNNeroBurnRights.cfg
2009-06-24 22:10 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-24 21:15 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-06-24 21:13 2,973,696 a------- c:\windows\UNNeroVision.exe
2009-06-24 21:13 192,817 a------- c:\windows\UNNeroVision.cfg
2009-06-24 21:12 1,568,768 a------- c:\windows\system32\ImagX7.dll
2009-06-24 21:12 476,320 a------- c:\windows\system32\ImagXpr7.dll
2009-06-24 21:12 471,040 a------- c:\windows\system32\ImagXRA7.dll
2009-06-24 21:12 364,544 a------- c:\windows\system32\TwnLib4.dll
2009-06-24 21:12 262,144 a------- c:\windows\system32\ImagXR7.dll
2009-06-24 21:12 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-06-24 21:12 38,912 a------- c:\windows\system32\picn20.dll
2009-06-24 21:06 <DIR> --d----- c:\program files\QSuite
2009-06-24 17:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 17:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-24 17:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 16:39 <DIR> --d----- c:\docume~1\kens\applic~1\Malwarebytes
2009-06-24 15:59 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-24 15:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-24 11:30 1,158 a------- c:\windows\system32\uzcxcwgd.dat
2009-06-24 10:35 93 a------- c:\windows\system32\kungsfqmaxxtpd.dat
2009-06-24 10:27 69,627 a------- c:\windows\system32\kungsfkwboyrkd.dat
2009-06-24 10:27 108,343 a------- c:\windows\system32\uzcxcwgd.dll
2009-06-24 10:27 106,297 a------- c:\windows\system32\uzcxcwgd.dxx
2009-06-24 10:24 108,343 a------- c:\windows\system32\dlyynmfi.duu
2009-06-24 10:24 1,153 a------- c:\windows\system32\dlyynmfi.dat
2009-06-24 10:22 106,297 a------- c:\windows\system32\dlyynmfi.dll
2009-06-24 10:21 93 a------- c:\windows\system32\kungsfexmoqesi.dat
2009-06-24 10:21 108,343 a------- c:\windows\system32\ijjgmeov.duu
2009-06-24 10:21 1,154 a------- c:\windows\system32\ijjgmeov.dat
2009-06-24 10:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-24 10:19 2,570 a------- c:\windows\system32\kungsfrwxwbduj.dat
2009-06-24 10:19 106,297 a------- c:\windows\system32\ijjgmeov.dll
2009-06-24 10:19 106,297 a------- c:\windows\system32\gopwlrjl.dll
2009-06-24 09:41 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-23 21:51 626,688 a------- c:\windows\system32\msvcr80.dll
2009-06-23 17:58 13,801 a------- c:\windows\system32\184zsteal9051.dll
2009-06-20 20:05 6,872 a------- c:\windows\system32\6baddo9nloade519z8.cpl
2009-06-20 08:03 4,439 a------- c:\windows\50ac9ownlzad5r2335.cpl
2009-06-19 20:46 6,601 a------- c:\windows\system32\8930s5yza9.cpl
2009-06-19 19:48 12,121 a------- c:\windows\5686dzwnlo5de91089.dll
2009-06-18 23:18 16,986 a------- c:\windows\26418h5cktz9l5c3.ocx
2009-06-16 03:10 7,005 a------- c:\windows\system32\97508spamboz6cd.bin
2009-06-15 23:21 9,561 a------- c:\windows\45d0tz9eat5050.ocx
2009-06-10 15:29 6,290 a------- c:\windows\3215zha95tool780.dll
2009-06-07 13:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Autodata Limited
2009-06-07 13:02 <DIR> --d----- c:\program files\common files\Autodata Limited Shared
2009-06-07 13:02 <DIR> --d----- C:\ADCD
2009-06-03 22:20 10,751 a------- c:\windows\649aspy9zr52083.ocx
2009-06-03 11:08 8,453 a------- c:\windows\system32\9ceasteaz17665.cpl
2009-06-03 09:01 18,419 a------- c:\windows\system32\79z5st5al2470.bin
2009-06-01 14:01 <DIR> --d----- c:\program files\Xilisoft
2009-06-01 11:03 16,995 a------- c:\windows\system32\5185hzc9tool726.exe
2009-06-01 02:30 7,477 a------- c:\windows\system32\10484virzs995.bin
2009-05-27 12:11 3,276 a------- c:\windows\214edownlo9der5894z.exe

==================== Find3M ====================

2009-06-26 08:50 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 08:50 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-27 03:55 16,465 a------- c:\windows\system32\z55sp59are688.bin
2009-05-20 08:13 17,867 a------- c:\windows\system32\2z9305orm58e9.exe
2009-05-17 15:16 130,933 a------- c:\windows\hpoins12.dat
2009-05-17 05:09 11,570 a------- c:\windows\system32\z2311worm59f.bin
2009-05-16 23:35 3,318 a------- c:\windows\5a07sparse3z19.bin
2009-05-16 16:17 18,120 a------- c:\windows\system32\127b59reat805z.bin
2009-05-15 06:49 12,325 a------- c:\windows\5907v5ruscz9.dll
2009-05-10 00:11 6,778 a------- c:\windows\1z89a5kdoor495.bin
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 19:29 12,977 a------- c:\windows\53z99spy401.bin
2009-05-06 00:32 3,293 a------- c:\windows\5389spar5ez555.dll
2009-05-04 09:28 8,362 a------- c:\windows\system32\z5026v5ru92a7.exe
2009-05-04 08:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 05:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 05:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-24 12:44 5,411 a------- c:\windows\5843zp5war91633.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 12:51 15,396 a------- c:\windows\32zste5l1299.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 02:47 14,538 a------- c:\windows\system32\3524z5t-a-vi9us142.exe
2009-04-12 08:25 13,108 a------- c:\windows\7de7bzck5oor2199.bin
2009-04-10 01:06 10,243 a------- c:\windows\25943v9ruszad.dll
2009-04-07 10:28 9,012 a------- c:\windows\985s9amzot71f.exe
2009-04-05 08:06 10,121 a------- c:\windows\system32\21565wor93zd.dll
2009-04-05 03:26 7,570 a------- c:\windows\system32\7z79vi51990.exe
2009-04-01 07:35 13,606 a------- c:\windows\3399sparsz30515.dll
2008-11-05 17:03 167,444 a------- c:\documents and settings\kens\cc_20081105_160306.reg
2008-02-25 00:52 12,282 a------- c:\documents and settings\kens\cc_20080224_2352.reg
2001-11-23 05:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 10:09:44.54 ===============

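As an added illustration (not part of this thread and not the DDS tool's own code), the triage below applies the reading an analyst gives the "Created Last 30" and "Find3M" sections above: dozens of small files under c:\windows and c:\windows\system32 whose names look like malware-category words with digits and the letter 'z' stuffed into them (184zsteal9051.dll, z2311worm59f.bin), plus companion sets that share one random stem across several extensions (uzcxcwgd.dat/.dll/.dxx). The word-fragment list, the size threshold and the sample lines are assumptions constructed for the example; a hit is a lead for the helper, not a verdict.

```python
"""Heuristic triage of the file lists in a DDS log ('Created Last 30' and
'Find3M' sections). Flags randomly named droppings in the Windows folders."""
import re
from collections import defaultdict

# DDS file-entry shape: date  time  size-or-<DIR>  attribute-flags  path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32"}
EXEC_EXTS = {".exe", ".dll", ".cpl", ".ocx", ".bin", ".dat", ".dxx", ".duu"}
ODD_EXTS = {".dxx", ".duu"}        # no Windows component uses these
# Assumed fragments: names in the log read like malware-category words with
# digits and the letter 'z' pushed into them (e.g. 184zsteal9051).
FRAGMENTS = ("steal", "worm", "spy", "spam", "virus", "tool", "kdoor",
             "downlo", "reat", "hack", "bad")

def parse_entry(line):
    """Return a dict for a file entry, or None for headers/directories."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group(3) == "<DIR>":
        return None
    path = m.group(5).lower()
    folder, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    return {"path": path, "folder": folder, "stem": stem if dot else name,
            "ext": "." + ext if dot else "",
            "size": int(m.group(3).replace(",", ""))}

def name_reasons(entry):
    """Per-file heuristics; returns a list of human-readable reasons."""
    reasons = []
    if entry["folder"] not in WATCHED_DIRS or entry["ext"] not in EXEC_EXTS:
        return reasons
    stem = entry["stem"]
    digits = sum(c.isdigit() for c in stem)
    runs = re.findall(r"[a-z]+|[0-9]+", stem)    # alternating letter/digit runs
    if digits >= 3 and len(runs) >= 3:
        reasons.append("digits mixed into name")
    plain = re.sub(r"[0-9z\-]", "", stem)       # undo the digit/'z' stuffing
    for frag in FRAGMENTS:
        if frag in plain:
            reasons.append(f"malware-word fragment '{frag}'")
            break
    if entry["ext"] in ODD_EXTS:
        reasons.append("extension never used by Windows")
    if reasons and entry["size"] < 20000:      # assumed threshold
        reasons.append("small file")
    return reasons

def triage(log_text):
    """Map suspicious path -> reasons, adding the companion-file rule:
    one stem dropped with three or more extensions (x.dat / x.dll / x.dxx)."""
    entries = {e["path"]: e
               for e in map(parse_entry, log_text.splitlines()) if e}
    findings = {p: name_reasons(e) for p, e in entries.items()}
    by_stem = defaultdict(set)
    for e in entries.values():
        if e["folder"] in WATCHED_DIRS:
            by_stem[(e["folder"], e["stem"])].add(e["ext"])
    for p, e in entries.items():
        if len(by_stem[(e["folder"], e["stem"])]) >= 3:
            findings[p].append("stem shared by 3+ extensions")
    return {p: r for p, r in findings.items() if r}

# Constructed sample in the shape of the log above (not the full log).
SAMPLE = """\
2009-06-25 06:08 8,192 a------- c:\\windows\\system32\\6335s5zrse1499.bin
2009-06-24 21:15 155,648 a------- c:\\windows\\system32\\NeroCheck.exe
2009-06-24 10:27 108,343 a------- c:\\windows\\system32\\uzcxcwgd.dll
2009-06-24 10:27 106,297 a------- c:\\windows\\system32\\uzcxcwgd.dxx
2009-06-24 11:30 1,158 a------- c:\\windows\\system32\\uzcxcwgd.dat
2009-06-23 17:58 13,801 a------- c:\\windows\\system32\\184zsteal9051.dll
2009-05-17 05:09 11,570 a------- c:\\windows\\system32\\z2311worm59f.bin
2009-04-17 13:26 1,847,168 a------- c:\\windows\\system32\\win32k.sys
2009-06-24 23:03 <DIR> --d----- c:\\windows\\system32\\NtmsData
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path, "->", ", ".join(reasons))
```

Feed it the whole log and legitimate entries such as NeroCheck.exe, win32k.sys and hpoins12.dat stay unflagged while the stuffed names and the companion sets surface.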

#2 syler

  • Forum Addict
  • Group: Malware Response Team
  • Posts: 8,150
  • Joined: 07-November 07
  • Gender: Male
  • Location: Warrington, UK

Posted 30 June 2009 - 09:08 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.

  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.

  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.

  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.

  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

#3 syler

  • Forum Addict
  • Group: Malware Response Team
  • Posts: 8,150
  • Joined: 07-November 07
  • Gender: Male
  • Location: Warrington, UK

Posted 04 July 2009 - 04:17 PM

PM by OP, they are going to format.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.