
My Pc Is Infected With Viruses And Spywares

24 replies to this topic

#1 sam-my

Posted 18 October 2007 - 04:25 PM

My PC has been infected by different viruses and trojans.
- I downloaded Spybot and Stringer and ran them.
Stringer didn't find any malware.
Spybot found Virtumonde, Virtumonde generic and LocusSoftware BestsellerAntivirus, at 15 locations in all.
I ran it three times and each time Virtumonde was found.

- In addition I have a continuous warning 'yellow triangle' (with a warning balloon) on the system tray, pushing me to download a 'certified antivirus'.

- On the desktop two additional icons appeared: 'Online Security Guide' and 'Live Safety Center'.
I keep removing them but they reappear after a short while.

- Previously I ran AVG anti-spyware which found and quarantined 'Trojan Susear.a' and various cookies.

Please find as follows my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:41, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HDDSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bypfllqb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HDInspector.exe] C:\Program Files\Hard Drive Inspector\HDInspector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\fxbbrjmq.dll",sitypnow
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA59] command /c del "C:\WINDOWS\system32\bypfllqb.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6520] cmd /c del "C:\WINDOWS\system32\bypfllqb.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1711] command /c del "C:\WINDOWS\system32\bypfllqb.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3352] cmd /c del "C:\WINDOWS\system32\bypfllqb.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1879] command /c del "C:\WINDOWS\system32\bypfllqb.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC802] cmd /c del "C:\WINDOWS\system32\bypfllqb.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB102] command /c del "C:\WINDOWS\system32\bypfllqb.dllbox"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8898] cmd /c del "C:\WINDOWS\system32\bypfllqb.dllbox"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9365] command /c del "C:\WINDOWS\system32\bypfllqb.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3229] cmd /c del "C:\WINDOWS\system32\bypfllqb.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6260] command /c del "C:\WINDOWS\system32\bypfllqb.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1298] cmd /c del "C:\WINDOWS\system32\bypfllqb.dll"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINDOWS\system32\HDDSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7152 bytes

Thanks

#2 sam-my

Posted 18 October 2007 - 05:09 PM

Would like to add that I can't open a2 program or update Spybot.

thanks for your assistance.

#3 sam-my

Posted 19 October 2007 - 08:10 AM

After posting this thread I read similar ones on the same subject (and trojans), and I performed the following:
1. Using a rescue BartPE disk I compiled just a few days ago, I performed different scans of the PC (booting from the disc). With AntiVir7 I removed some 25 'nasties', and an additional number using a2 and Spybot scans.
2. Following the instructions the expert in this forum provided in a similar situation, I downloaded VundoFix and ComboFix. VundoFix removed two viruses, and since then it continues to run clean. The first log is attached here.
3. I scanned the PC (deep manual scan) using Nod32, Spybot and a2 with no findings.
4. I ran an additional HijackThis. The log is attached here.
5. A ComboFix log is also here.
6. The PC seems to run smoothly now. I hope all the nasties have vanished.

Note: For a while, when I was restarting the PC I got a window with the title 'RUNDLL' and the following wording:
"error loading
C:\WINDOWS\System32\fxbbrjmq.dll
the specific module could not be found"

After cleaning the PC as mentioned above this window didn't reappear.

Attached files:

a) VundoFix scan log (prior to cleaning the PC):


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 09:49:46 19/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\ggsaijwq.dll
C:\WINDOWS\system32\rqrsqrq.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 09:55:07 19/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 14:35:04 19/10/2007

Listing files found while scanning....

No infected files were found.

b) The new HijackThis log after cleaning the PC:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:44, on 19/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HDDSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ED2CA8FA-5EA1-441F-89B9-0D105280C9F9} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HDInspector.exe] C:\Program Files\Hard Drive Inspector\HDInspector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: rqrsqrq - rqrsqrq.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINDOWS\system32\HDDSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6503 bytes


c) The new ComboFix log (after cleaning):


ComboFix 07-10-19.1 - SAMY 10/19/2007 15:01:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.381 [GMT 2:00]
Running from: C:\Documents and Settings\SAMY\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-19 07:23 --------- d-----w C:\Program Files\a-squared Free
2007-10-19 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-18 20:29 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 19:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-17 23:24 105,324 --sh--w C:\WINDOWS\system32\jlnmp.bak2
2007-10-17 15:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-17 10:21 6,505 --sh--w C:\WINDOWS\system32\jlnmp.bak1
2007-10-17 09:39 --------- d-----w C:\Program Files\Driver-Soft
2007-10-15 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-14 16:50 --------- d-----w C:\Program Files\Smart Projects
2007-10-14 16:25 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Ahead
2007-10-13 22:50 --------- d-----w C:\Program Files\Lavasoft
2007-10-13 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-13 22:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-13 22:37 --------- d-----w C:\Program Files\jv16 PowerTools 2007
2007-10-13 21:45 --------- d-----w C:\Program Files\MagicISO
2007-10-13 21:01 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Publish Providers
2007-10-13 20:48 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Sony
2007-10-13 20:46 --------- d-----w C:\Program Files\Vstplugins
2007-10-13 20:46 --------- d-----w C:\Program Files\Sony
2007-10-13 20:40 --------- d-----w C:\Program Files\Sony Setup
2007-10-13 20:40 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Sony Setup
2007-10-13 20:36 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-13 20:35 --------- d-----w C:\Documents and Settings\SAMY\Application Data\TuneUp Software
2007-10-13 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-10-13 19:54 --------- d-----w C:\Program Files\Common Files\Raxco
2007-10-13 19:53 --------- d-----w C:\Program Files\RAXCO
2007-10-13 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-13 19:42 --------- d-----w C:\Program Files\Nero
2007-10-13 19:42 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-13 19:10 --------- d-----w C:\Program Files\AskTBar
2007-10-13 19:04 --------- d-----w C:\Program Files\Hard Drive Inspector
2007-10-13 19:01 --------- d-----w C:\Program Files\totalcmd
2007-10-13 18:57 --------- d-----w C:\Program Files\Lavalys
2007-10-13 12:21 1,390,768 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2007-10-12 12:51 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-11 20:32 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-11 20:31 --------- d-----w C:\Program Files\Microsoft Works
2007-10-11 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-10-11 00:39 395,744 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-10-11 00:39 39,712 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-10-11 00:39 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-10-11 00:39 --------- d-----w C:\Program Files\Common Files\Acronis
2007-10-11 00:39 --------- d-----w C:\Program Files\Acronis
2007-10-10 23:09 --------- d-----w C:\Program Files\Sygate
2007-10-10 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-10 21:55 --------- d-----w C:\Program Files\Ace Utilities
2007-10-10 21:06 --------- d-----w C:\Program Files\CCleaner
2007-10-10 20:45 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-10-10 20:45 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-10-10 20:45 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-10 20:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 16:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 16:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 16:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 16:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 16:42 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-08-13 16:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 16:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 16:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 16:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 16:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@Fri 10-19-2007_ 9.59.59.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 06:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-29 07:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 14:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 12:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 09:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 11:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 16:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 16:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 13:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 11:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 08:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 11:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 16:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 14:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 12:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 12:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 11:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 11:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 09:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 09:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 06:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 12:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 08:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 08:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 14:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 07:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 08:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 12:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 12:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 11:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 06:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 06:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 15:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 12:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 04:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 15:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 10:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2003-03-25 16:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED2CA8FA-5EA1-441F-89B9-0D105280C9F9}]
C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 05:12 AM C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/10/2007 10:45 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [10/10/2007 11:23 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [06/06/2005 06:05 PM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [01/31/2007 12:59 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [01/31/2007 01:03 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [01/31/2007 01:01 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"HDInspector.exe"="C:\Program Files\Hard Drive Inspector\HDInspector.exe" [04/03/2007 10:09 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/2006 07:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [08/22/2006 09:52 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrsqrq]
rqrsqrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3adff7b9-7776-11dc-af47-000fea5afb99}]
Auto\command - activexdebugger32.exe f
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command - activexdebugger32.exe f
open\Command - activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2007-10-13 20:35:46 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 15:03:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/19/2007 15:03:45
C:\ComboFix2.txt ... 10/19/2007 10:00 AM
.
--- E O F ---
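
The triage the forum helpers do by eye on the two HijackThis logs above, as an added example that is not code from the original thread or from HijackThis itself: a small Python script that reads HJT entry lines and flags the patterns that marked the Vundo/Virtumonde infection here (a Run entry that loads a DLL out of system32 via rundll32, a toolbar module sitting in system32, orphaned "(no file)" entries, the Winlogon Notify package, and random-looking module names). The section codes follow the HJT log format shown in the posts; the heuristics, the `looks_random` rule and the sample lines (copied from the logs above) are this editor's assumptions, and the flags are review hints for a human, not verdicts.

```python
import re
from typing import Optional

# Constructed sample: HijackThis lines copied from the two logs in this thread
# (the infected log in post #1 and the post-cleanup log in post #3), plus a few
# benign neighbours so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bypfllqb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\fxbbrjmq.dll",sitypnow
O2 - BHO: (no name) - {ED2CA8FA-5EA1-441F-89B9-0D105280C9F9} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O20 - Winlogon Notify: rqrsqrq - rqrsqrq.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis entry starts with a section code: R0-R3 browser settings,
# O2 BHOs, O3 toolbars, O4 autostart keys, O20 Winlogon Notify, O23 services.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")

# A module reference: an optional Windows directory (segments may contain spaces,
# as in "Program Files") followed by a .dll/.exe file name.
FILE_RE = re.compile(
    r'(?P<dir>[A-Za-z]:\\(?:[^\\"\n,]+\\)*)?(?P<name>[\w~-]+\.(?:dll|exe))\b',
    re.IGNORECASE,
)

VOWELS = set("aeiou")


def looks_random(filename: str) -> bool:
    """Heuristic (this editor's assumption) for generated names such as
    bypfllqb.dll, fxbbrjmq.dll, pmnlj.dll and rqrsqrq.dll from this thread:
    five or more letters and not a single vowel. It has false positives
    (msmsgs.exe, for one), so treat it as a review hint, not a verdict."""
    stem = filename.rsplit(".", 1)[0].lower()
    return stem.isalpha() and len(stem) >= 5 and not (set(stem) & VOWELS)


def triage_entry(line: str) -> Optional[dict]:
    """Return the entry's section code, the modules it references and the
    reasons it deserves a closer look; None for headers, blank lines and the
    'Running processes' listing, which are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    modules = [(fm.group("dir") or "", fm.group("name")) for fm in FILE_RE.finditer(body)]
    in_system32 = [name for d, name in modules if "\\system32\\" in d.lower()]
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: registry still points at a file that is gone")
    if kind == "O20":
        reasons.append("Winlogon Notify package: loaded by winlogon.exe at every logon")
    if kind == "O4" and "rundll32" in body.lower() and any(
        name.lower().endswith(".dll") for name in in_system32
    ):
        reasons.append("Run entry uses rundll32 to load a DLL out of system32")
    if kind in ("O2", "O3") and in_system32:
        reasons.append("BHO/toolbar module sits in system32 instead of Program Files")
    if any(looks_random(name) for _, name in modules):
        reasons.append("random-looking module name")
    return {"kind": kind, "modules": [name for _, name in modules],
            "reasons": reasons, "line": line.strip()}


def triage(log_text: str) -> list:
    """Run triage_entry over a whole log and keep only the entries with reasons."""
    flagged = []
    for line in log_text.splitlines():
        entry = triage_entry(line)
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["line"])
        for reason in entry["reasons"]:
            print("    ->", reason)
```

Run against the full post #1 log, the script singles out the `bypfllqb.dll` toolbar and the `fxbbrjmq.dll` Run entry that VundoFix later removed, while leaving the NOD32, Acronis and Sygate entries alone.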

#4 Guest_Cretemonster_*

Posted 24 October 2007 - 04:11 PM

Hi sam-my, and welcome to Bleeping Computer.

Sorry your post got overlooked and you had to wait so long.

If you will, download a fresh copy of ComboFix and scan the system, and post the new log in the next reply please.

#5 sam-my

Posted 24 October 2007 - 05:37 PM

Hello Cretemonster,

First, thanks for your time.

I ran a ComboFix scan.
When the scan process reached "Stage 8" I got a window:
"Sed.cfexe has encountered a problem and needs to close"
I clicked on the 'Don't send' button. The scanning continued.
At the end of the process, this window popped up again.

The log is as follows:

ComboFix 07-10-19.1 - SAMY 10/25/2007 0:27:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.404 [GMT 2:00]
Running from: C:\Documents and Settings\SAMY\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 20:36 --------- d-----w C:\Program Files\ICQToolbar
2007-10-24 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-24 20:34 --------- d-----w C:\Program Files\a-squared Free
2007-10-24 15:45 --------- d-----w C:\Documents and Settings\yael\Application Data\ICQ Toolbar
2007-10-22 20:48 --------- d-----w C:\Program Files\jv16 PowerTools 2005
2007-10-20 15:29 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Ahead
2007-10-20 11:46 --------- d-----w C:\Documents and Settings\SAMY\Application Data\ICQ Toolbar
2007-10-19 13:17 --------- d-----w C:\Program Files\ICQLite
2007-10-19 13:17 --------- d-----w C:\Documents and Settings\nissim\Application Data\ICQLite
2007-10-19 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-18 20:29 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 19:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-17 23:24 105,324 --sh--w C:\WINDOWS\system32\jlnmp.bak2
2007-10-17 15:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-17 10:21 6,505 --sh--w C:\WINDOWS\system32\jlnmp.bak1
2007-10-17 09:39 --------- d-----w C:\Program Files\Driver-Soft
2007-10-15 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-14 16:50 --------- d-----w C:\Program Files\Smart Projects
2007-10-13 22:50 --------- d-----w C:\Program Files\Lavasoft
2007-10-13 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-13 22:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-13 22:37 --------- d-----w C:\Program Files\jv16 PowerTools 2007
2007-10-13 21:45 --------- d-----w C:\Program Files\MagicISO
2007-10-13 21:01 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Publish Providers
2007-10-13 20:48 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Sony
2007-10-13 20:46 --------- d-----w C:\Program Files\Vstplugins
2007-10-13 20:46 --------- d-----w C:\Program Files\Sony
2007-10-13 20:40 --------- d-----w C:\Program Files\Sony Setup
2007-10-13 20:40 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Sony Setup
2007-10-13 20:36 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-13 20:35 --------- d-----w C:\Documents and Settings\SAMY\Application Data\TuneUp Software
2007-10-13 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-10-13 19:54 --------- d-----w C:\Program Files\Common Files\Raxco
2007-10-13 19:53 --------- d-----w C:\Program Files\RAXCO
2007-10-13 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-13 19:42 --------- d-----w C:\Program Files\Nero
2007-10-13 19:42 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-13 19:10 --------- d-----w C:\Program Files\AskTBar
2007-10-13 19:04 --------- d-----w C:\Program Files\Hard Drive Inspector
2007-10-13 19:01 --------- d-----w C:\Program Files\totalcmd
2007-10-13 18:57 --------- d-----w C:\Program Files\Lavalys
2007-10-13 12:21 1,390,768 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2007-10-12 12:51 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-11 20:32 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-11 20:31 --------- d-----w C:\Program Files\Microsoft Works
2007-10-11 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-10-11 00:39 395,744 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-10-11 00:39 39,712 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-10-11 00:39 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-10-11 00:39 --------- d-----w C:\Program Files\Common Files\Acronis
2007-10-11 00:39 --------- d-----w C:\Program Files\Acronis
2007-10-10 23:09 --------- d-----w C:\Program Files\Sygate
2007-10-10 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-10 21:55 --------- d-----w C:\Program Files\Ace Utilities
2007-10-10 21:06 --------- d-----w C:\Program Files\CCleaner
2007-10-10 20:45 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-10-10 20:45 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-10-10 20:45 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-10 20:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 16:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 16:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 16:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 16:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 16:42 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-08-13 16:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 16:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 16:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 16:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 16:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 05:12 AM C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/10/2007 10:45 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [10/10/2007 11:23 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [06/06/2005 06:05 PM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [01/31/2007 12:59 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [01/31/2007 01:03 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [01/31/2007 01:01 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [08/22/2006 09:52 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrsqrq]
rqrsqrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HDInspector.exe"=C:\Program Files\Hard Drive Inspector\HDInspector.exe
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3adff7b9-7776-11dc-af47-000fea5afb99}]
Auto\command - activexdebugger32.exe f
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command - activexdebugger32.exe f
open\Command - activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2007-10-13 20:35:46 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 00:29:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/25/2007 0:29:56
C:\ComboFix1.txt ... 10/19/2007 03:03 PM
.
--- E O F ---



Many Thanks

#6 Guest_Cretemonster_* (Guest)

Posted 24 October 2007 - 05:46 PM

Copy the text below to Notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\system32\activexdebugger32.exe
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.bak1
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrsqrq]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3adff7b9-7776-11dc-af47-000fea5afb99}]

Once saved, drag CFScript.txt on top of ComboFix.exe; this will launch the tool and begin the script.


Once completed, post the new ComboFix log and a fresh HijackThis log.
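The log in post #5 and the CFScript in this reply together show the pattern a helper looks for: a hidden+system file pair (jlnmp.bak1/.bak2) in the Find3M report, a Winlogon\Notify subkey (rqrsqrq) that loads a DLL into winlogon.exe at every logon, and a MountPoints2 entry whose Auto/open/explore commands run activexdebugger32.exe (cached from an autorun.inf on a removable drive). The Python below is an added example, not ComboFix, HijackThis or BleepingComputer code: it parses those two ComboFix sections, flags the three indicators, and drafts the same CFScript. The sample log is constructed from lines excerpted from post #5; the KNOWN_NOTIFY whitelist and the assumption that a bare executable name in an autorun command resolves to system32 are assumptions of this example, not facts stated in the thread.

```python
"""Triage a ComboFix log excerpt and draft the matching CFScript.

Added example for this thread, not ComboFix, HijackThis or BleepingComputer code.
It reads the "Find3M Report" file lines and the "Reg Loading Points" blocks and
flags what the helper scripted for removal: hidden+system files under system32,
a Winlogon\\Notify subkey Windows does not ship, and MountPoints2 autorun commands.
"""
import re

# Constructed sample: lines excerpted verbatim from the ComboFix log in post #5.
SAMPLE_LOG = r"""
2007-10-17 23:24 105,324 --sh--w C:\WINDOWS\system32\jlnmp.bak2
2007-10-17 10:21 6,505 --sh--w C:\WINDOWS\system32\jlnmp.bak1
2007-10-13 12:21 1,390,768 ----a-w C:\WINDOWS\system32\AutoPartNt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 05:12 AM C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrsqrq]
rqrsqrq.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3adff7b9-7776-11dc-af47-000fea5afb99}]
Auto\command - activexdebugger32.exe f
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command - activexdebugger32.exe f
open\Command - activexdebugger32.exe f
"""

FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|-+)\s+([-a-z]{7})\s+(.+)$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
EXE_TOKEN = re.compile(r"[\w.-]+\.exe", re.IGNORECASE)
SYSTEM32 = r"C:\WINDOWS\system32"
# Winlogon\Notify subkeys on a stock XP SP2 box (assumption from memory; extend
# it for your own build before trusting an "unknown subkey" verdict).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def hidden_system_files(log, under=SYSTEM32):
    """Find3M paths below `under` whose attribute column (e.g. '--sh--w') has both 's'
    and 'h': system+hidden files stay invisible in Explorer unless protected OS files are shown."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line)
        if m and "s" in m.group(1) and "h" in m.group(1):
            if m.group(2).lower().startswith(under.lower() + "\\"):
                hits.append(m.group(2))
    return hits

def parse_reg_sections(log):
    """Map each [KEY] block of the Reg Loading Points section to its value lines."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif not line:
            current = None  # a blank line closes the block
        elif current is not None:
            sections[current].append(line)
    return sections

def suspicious_notify(sections):
    """Winlogon\\Notify subkeys not in KNOWN_NOTIFY (their DLL is loaded into winlogon.exe)."""
    return [(key, values) for key, values in sections.items()
            if "\\winlogon\\notify\\" in key.lower()
            and key.lower().rsplit("\\", 1)[1] not in KNOWN_NOTIFY]

def autorun_commands(sections):
    """(key, verb, command) for each MountPoints2 entry: cached from an autorun.inf
    on a removable drive and run when the drive is opened, explored or autoplayed."""
    return [(key, *value.partition(" - ")[::2])
            for key, values in sections.items() if "\\mountpoints2\\" in key.lower()
            for value in values]

def payload_executables(autoruns):
    """Last *.exe token of each command, assumed to live in system32 when written as
    a bare name (assumption; it is where the CFScript in post #6 deleted it from)."""
    found = []
    for _, _, command in autoruns:
        tokens = EXE_TOKEN.findall(command)
        if tokens and SYSTEM32 + "\\" + tokens[-1] not in found:
            found.append(SYSTEM32 + "\\" + tokens[-1])
    return found

def build_cfscript(files, keys):
    """Render a CFScript: File:: paths to delete, Registry:: [-key] entries to remove."""
    return "\n".join(["File::", *files, "Registry::", *[f"[-{k}]" for k in keys]]) + "\n"

def triage(log):
    sections = parse_reg_sections(log)
    autoruns = autorun_commands(sections)
    files = payload_executables(autoruns) + hidden_system_files(log)
    keys = [k for k, _ in suspicious_notify(sections)]
    keys += list(dict.fromkeys(k for k, _, _ in autoruns))
    return {"files": files, "keys": keys, "cfscript": build_cfscript(files, keys)}
```

Calling triage(SAMPLE_LOG)["cfscript"] reproduces the File:: and Registry:: sections of the script in this reply. Treat the draft as something to review line by line rather than drag onto ComboFix blindly: a benign Notify subkey missing from the whitelist, or a legitimate autorun on a U3 drive, would be listed for deletion just the same.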

#7 sam-my (Topic Starter, 122 posts)

Posted 24 October 2007 - 06:35 PM

"Sorry for the stupid question":
How do I generate a Notepad file?


Thanks

#8 Guest_Cretemonster_* (Guest)

Posted 25 October 2007 - 02:26 AM

That's OK. To get to the Notepad program: click Start --> click Run --> type in notepad.exe and click OK.

Notepad should open up and you just copy & paste the info I provided in. Look up in the upper left hand corner, click File, then from the list click Save. When the new window appears, select the desktop as the destination to save to, and in the lower section you have to type in the name you want to save it as --> CFScript.txt

#9 sam-my (Topic Starter, 122 posts)

Posted 25 October 2007 - 04:14 PM

Cretemonster,
Thanks for your guidance.

I performed the insert and the scan. Again,
when the scan process reached "Stage 8" I got the same window:
"Sed.cfexe has encountered a problem and has to close"
I clicked on the 'Don't send' button. The process ran smoothly after that.

The log:

ComboFix 07-10-19.1 - SAMY 10/25/2007 23:03:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.453 [GMT 2:00]
Running from: C:\Documents and Settings\SAMY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SAMY\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\activexdebugger32.exe
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 16:06 --------- d-----w C:\Program Files\ICQToolbar
2007-10-25 13:53 --------- d-----w C:\Documents and Settings\nissim\Application Data\ICQ Toolbar
2007-10-24 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-24 20:34 --------- d-----w C:\Program Files\a-squared Free
2007-10-24 15:45 --------- d-----w C:\Documents and Settings\yael\Application Data\ICQ Toolbar
2007-10-22 20:48 --------- d-----w C:\Program Files\jv16 PowerTools 2005
2007-10-20 15:29 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Ahead
2007-10-20 11:46 --------- d-----w C:\Documents and Settings\SAMY\Application Data\ICQ Toolbar
2007-10-19 13:17 --------- d-----w C:\Program Files\ICQLite
2007-10-19 13:17 --------- d-----w C:\Documents and Settings\nissim\Application Data\ICQLite
2007-10-19 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-18 20:29 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 19:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-17 15:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-17 09:39 --------- d-----w C:\Program Files\Driver-Soft
2007-10-15 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-14 16:50 --------- d-----w C:\Program Files\Smart Projects
2007-10-13 22:50 --------- d-----w C:\Program Files\Lavasoft
2007-10-13 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-13 22:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-13 22:37 --------- d-----w C:\Program Files\jv16 PowerTools 2007
2007-10-13 21:45 --------- d-----w C:\Program Files\MagicISO
2007-10-13 21:01 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Publish Providers
2007-10-13 20:48 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Sony
2007-10-13 20:46 --------- d-----w C:\Program Files\Vstplugins
2007-10-13 20:46 --------- d-----w C:\Program Files\Sony
2007-10-13 20:40 --------- d-----w C:\Program Files\Sony Setup
2007-10-13 20:40 --------- d-----w C:\Documents and Settings\SAMY\Application Data\Sony Setup
2007-10-13 20:36 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-13 20:35 --------- d-----w C:\Documents and Settings\SAMY\Application Data\TuneUp Software
2007-10-13 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-10-13 19:54 --------- d-----w C:\Program Files\Common Files\Raxco
2007-10-13 19:53 --------- d-----w C:\Program Files\RAXCO
2007-10-13 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-13 19:42 --------- d-----w C:\Program Files\Nero
2007-10-13 19:42 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-13 19:10 --------- d-----w C:\Program Files\AskTBar
2007-10-13 19:04 --------- d-----w C:\Program Files\Hard Drive Inspector
2007-10-13 19:01 --------- d-----w C:\Program Files\totalcmd
2007-10-13 18:57 --------- d-----w C:\Program Files\Lavalys
2007-10-13 12:21 1,390,768 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2007-10-12 12:51 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-11 20:32 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-11 20:31 --------- d-----w C:\Program Files\Microsoft Works
2007-10-11 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-10-11 00:39 395,744 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-10-11 00:39 39,712 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-10-11 00:39 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-10-11 00:39 --------- d-----w C:\Program Files\Common Files\Acronis
2007-10-11 00:39 --------- d-----w C:\Program Files\Acronis
2007-10-10 23:09 --------- d-----w C:\Program Files\Sygate
2007-10-10 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-10 21:55 --------- d-----w C:\Program Files\Ace Utilities
2007-10-10 21:06 --------- d-----w C:\Program Files\CCleaner
2007-10-10 20:45 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-10-10 20:45 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-10-10 20:45 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-10 20:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 16:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 16:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 16:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 16:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 16:42 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-08-13 16:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 16:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 16:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 16:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 16:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 05:12 AM C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/10/2007 10:45 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [10/10/2007 11:23 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [06/06/2005 06:05 PM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [01/31/2007 12:59 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [01/31/2007 01:03 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [01/31/2007 01:01 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [08/22/2006 09:52 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HDInspector.exe"=C:\Program Files\Hard Drive Inspector\HDInspector.exe
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-10-13 20:35:46 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 23:05:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/25/2007 23:05:27
C:\ComboFix1.txt ... 10/19/2007 03:03 PM
C:\ComboFix2.txt ... 10/25/2007 12:29 AM
.
--- E O F ---


Thanks

#10 Guest_Cretemonster_* (Guest)

Posted 25 October 2007 - 05:25 PM

All right, let's see if we have any leftovers to deal with.

Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#11 sam-my (Topic Starter, 122 posts)

Posted 25 October 2007 - 07:17 PM

Hello Cretemonster,

The antivirus scan follows. It found the hidden virus "vundo.gen45".
Good job

Scanning Report
Friday, October 26, 2007 00:49:01 - 02:11:07
Computer name: MATRIX-BC794FAD
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\ G:\


--------------------------------------------------------------------------------

Result: 4 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
Vundo.gen45 (virus)
C:\WINDOWS\SYSTEM32\QMJRBBXF.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 35311
System: 3865
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 3
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

#12 Guest_Cretemonster_* (Guest)

Posted 26 October 2007 - 02:42 AM

See if you can locate and delete that file --> C:\WINDOWS\SYSTEM32\QMJRBBXF.INI

Be sure to configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62


Give the Eset Online Scanner a try.
http://www.eset.com/onlinescan/index.php
1.Accept the terms of use and click the Start button.
2.When prompted to install an ActiveX Control, click the yellow notification bar and select Install ActiveX Control..
3.Click the Install button on the Security Warning window which appears.
4.Once the ActiveX installs click the Start button to download the signature database when prompted.
5.On the "Computer Scan" options window select Remove found threats but leave Scan unwanted applications unchecked, then hit the Scan button.
6.A log file of the results can be found at C:/Program Files/EsetOnlineScanner/log.txt
7.Post the results in your next reply please.

#13 sam-my (Topic Starter, 122 posts)

Posted 26 October 2007 - 03:56 AM

Hello Cretemonster,

1. I showed all the hidden files as recommended.
2. I opened the folder C:\WINDOWS\SYSTEM32\ and visually checked for the file named QMJRBBXF.INI.
It was not there.
3. I tried to open the file directly, i.e. I put C:\WINDOWS\SYSTEM32\QMJRBBXF.INI
in the address bar and clicked the Go button.
A Notepad window named QMJRBBXF.INI popped up, full (very big size) of unreadable characters/signs (just an example):

QJ EH [ DEYW[DJY^PCQ
YLCVP]]ZHNB]UJZCOMEBQD
\Y

DQ 9SW>TM9UY'JQV@RVo@RV Z ]UCCPCL
SW
U@WN_M
OW \
QJ YVO_UWQ[N DAK ]VIPB]CVP
CLSL ZHBMKGW


Where is this Notepad file located? Do I have to clean these signs?

4. Scanning the PC using NOD32 gives "no threats found".

Thanks

#14 sam-my (Topic Starter, 122 posts)

Posted 26 October 2007 - 05:53 AM

Eset Online Scanner found "No Threat", but I was not quite done.
I performed a deep scan using my NOD32. The following was reported:
"File C:\System Volume Information\_restore{1607C6C3-EB45-47FB-B061-5B7812D494A8}\RP32\A0014531.bat is infected with application Win32/Adware.Virtumonde. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed."

I cleaned the file.

For information . Thanks

#15 Guest_Cretemonster_* (Guest)

Posted 26 October 2007 - 02:35 PM

Give this a try: go to Start --> click Run --> type in cmd and click OK.

When the command prompt opens, type in cd\ and hit Enter.

Next, type in del C:\WINDOWS\SYSTEM32\QMJRBBXF.INI

Be sure to put a space between del and C:. If the file won't delete that way, it will display a message saying so; if it does delete, it will just go back to C:\>.

Let me know what happens.



