I Think I Have Virtumonde?!


  • This topic is locked
4 replies to this topic

#1 wholesale83

Posted 06 October 2008 - 11:40 AM

New to the Board. So hello to all and thank you in advance.

I have run Spydoctor, Vundofix and VirtumondeBegone and no luck. I am still receiving pop-ups and Virtumonde keeps coming back when I run Spydoctor.

Here is the log so let me know what's going on:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:14 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [znekxeavbdz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vixhbocsoutisnfkv.dll"
O4 - HKLM\..\Run: [BMd7ebbfc6] Rundll32.exe "C:\WINDOWS\system32\yjrtlsyi.dll",s
O4 - HKLM\..\Run: [d4d88c5a] rundll32.exe "C:\WINDOWS\system32\ptdqkyux.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: hwfsvq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2468 bytes



Thanks for any time that's devoted to my problem.

#2 teacup61

  • Malware Response Team

Posted 06 October 2008 - 04:49 PM

Hello wholesale83,

Welcome to Bleeping Computer :thumbsup:

All of the following need to be done in normal mode, not safe mode, K? :)

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 wholesale83

Posted 06 October 2008 - 09:52 PM

Hello Tea,

Thanks for the quick reply and detailed information. I ran ComboFix per your request. Here is the log followed by a new HijackThis log.







ComboFix 08-10-06.05 - Owner 2008-10-06 22:06:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.224 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMd7ebbfc6.txt
C:\WINDOWS\BMd7ebbfc6.xml
C:\WINDOWS\faceback.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aqkangph.dll
C:\WINDOWS\system32\bvsoug.dll
C:\WINDOWS\system32\bxjgwphy.ini
C:\WINDOWS\system32\chvtyldf.dll
C:\WINDOWS\system32\drivers\streamm.sys
C:\WINDOWS\system32\evbpyq.dll
C:\WINDOWS\system32\fdlytvhc.ini
C:\WINDOWS\system32\gxnlfapl.ini
C:\WINDOWS\system32\hadddq.dll
C:\WINDOWS\system32\hwfsvq.dll
C:\WINDOWS\system32\lbtrqjva.dll
C:\WINDOWS\system32\lpaflnxg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nnnkHaAS.dll
C:\WINDOWS\system32\opnnmJbA.dll
C:\WINDOWS\system32\pgdstsxb.dll
C:\WINDOWS\system32\ptdqkyux.dll
C:\WINDOWS\system32\qrfwxhbj.dll
C:\WINDOWS\system32\SAaHknnn.ini
C:\WINDOWS\system32\SAaHknnn.ini2
C:\WINDOWS\system32\xkloffdx.dll
C:\WINDOWS\system32\xuykqdtp.ini
C:\WINDOWS\system32\xxyxUljK.dll.vir
C:\WINDOWS\system32\yhpwgjxb.dll
C:\WINDOWS\system32\yjrtlsyi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STREAMM
-------\Service_streamm


((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-05 20:25 . 2008-10-05 20:25 <DIR> d-------- C:\VundoFix Backups
2008-10-05 19:12 . 2008-10-05 19:13 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-10-05 18:26 . 2008-10-05 18:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-04 14:54 . 2008-10-04 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-04 09:48 . 2006-11-21 03:06 237,568 -ra------ C:\WINDOWS\system32\MacUnInstall.exe
2008-10-04 09:48 . 2006-11-22 04:14 40,448 -ra------ C:\WINDOWS\system32\drivers\MOSUMAC.SYS
2008-10-03 12:58 . 2008-10-03 12:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-03 10:59 . 2008-10-03 10:59 156,672 --a------ C:\WINDOWS\system32\vixhbocsoutisnfkv.dll
2008-10-01 16:16 . 2008-10-04 10:30 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-10-01 16:16 . 2008-10-01 16:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-10-01 16:16 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-01 16:16 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-01 16:16 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-01 16:16 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-29 18:21 . 2008-09-30 14:15 <DIR> d-------- C:\Program Files\Free Spyware Scanner
2008-09-29 18:21 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-09-29 15:18 . 2008-09-29 15:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-29 15:11 . 2008-09-29 15:11 <DIR> d-------- C:\WINDOWS\system32\zep
2008-09-29 15:11 . 2008-09-29 15:11 <DIR> d-------- C:\WINDOWS\system32\tcon
2008-09-29 15:11 . 2008-09-29 15:11 <DIR> d-------- C:\WINDOWS\system32\SP6
2008-09-29 15:11 . 2008-09-29 15:11 <DIR> d-------- C:\WINDOWS\system32\eib
2008-09-29 15:11 . 2008-09-29 23:13 <DIR> d--hs---- C:\WINDOWS\dXNlcg
2008-09-29 15:11 . 2008-10-04 10:22 79,080 --a------ C:\WINDOWS\system32\kspkhdckwj.exe
2008-09-29 15:10 . 2008-09-29 15:10 <DIR> d-------- C:\WINDOWS\system32\EV19
2008-09-29 15:10 . 2008-09-29 15:11 <DIR> d-------- C:\Temp\xp34
2008-09-29 15:10 . 2008-10-06 22:07 <DIR> d-------- C:\Temp
2008-09-19 19:42 . 2008-09-19 19:43 <DIR> d-------- C:\Documents and Settings\Owner\.jpi_cache
2008-09-19 19:42 . 2008-09-19 19:42 <DIR> d-------- C:\Documents and Settings\Owner\.java
2008-09-18 13:50 . 2008-09-18 21:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-09-18 13:50 . 2008-09-18 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-18 13:44 . 2008-09-18 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-18 13:42 . 2008-09-18 13:44 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-15 15:03 . 2008-09-15 15:03 16,615 --a------ C:\GoogleCheckout_volume.odt
2008-09-15 14:58 . 2008-09-15 14:58 10,966 --a------ C:\Paypal_July.xlsx
2008-09-15 14:58 . 2008-09-15 14:58 10,797 --a------ C:\Paypal_June.xlsx
2008-09-15 14:57 . 2008-09-15 14:57 10,974 --a------ C:\Paypal_August.xlsx
2008-09-15 14:11 . 2008-09-15 14:11 49,819 --a------ C:\monthly_volume.xlsx
2008-09-13 22:16 . 2003-06-28 08:56 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 01:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 14:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-29 21:42 --------- d-----w C:\Program Files\Google
2008-09-28 21:36 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-09-28 21:36 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-09-14 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 02:15 --------- d-----w C:\Program Files\Java
2008-09-14 02:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-12 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-31 16:41 --------- d-----w C:\Program Files\Microsoft Works
2008-08-20 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Banner Maker Pro 7
2008-08-20 02:15 --------- d-----w C:\Program Files\Banner Maker Pro 7
2005-07-29 20:24 472 --sha-r C:\WINDOWS\dXNlcg\xrh5w0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e42b66f2-c3ad-384c-3eaf-947da203576d}]
2008-10-03 10:59 156672 --a------ C:\WINDOWS\system32\vixhbocsoutisnfkv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"znekxeavbdz"="C:\WINDOWS\system32\vixhbocsoutisnfkv.dll" [2008-10-03 156672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-17 185632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hwfsvq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\1208824379\\ee\\AOLDesktop.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1208824379\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
S3 MOSUMAC;USB-Ethernet Driver;C:\WINDOWS\system32\DRIVERS\MOSUMAC.SYS [2006-11-22 40448]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1a6a8aa7-03d0-427d-8e67-3eb68438fef2} - C:\WINDOWS\system32\hwfsvq.dll
BHO-{5032E3F1-005B-4BAA-9120-AED475509D7D} - C:\WINDOWS\system32\nnnkHaAS.dll
HKLM-Run-d4d88c5a - C:\WINDOWS\system32\ptdqkyux.dll
HKLM-Run-BMd7ebbfc6 - C:\WINDOWS\system32\yjrtlsyi.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\deszmacz.default\
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava12.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava13.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJPI141_04.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPOJI610.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 22:28:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-06 22:44:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 02:43:44

Pre-Run: 15,392,395,264 bytes free
Post-Run: 16,767,373,312 bytes free

175


-----------------------------------------------------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:14 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: innbanner browser enhancer - {e42b66f2-c3ad-384c-3eaf-947da203576d} - C:\WINDOWS\system32\vixhbocsoutisnfkv.dll
O4 - HKLM\..\Run: [znekxeavbdz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vixhbocsoutisnfkv.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: hwfsvq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 3423 bytes

#4 teacup61

Posted 07 October 2008 - 12:15 AM

Hello,

You're welcome. :thumbsup:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea

#5 teacup61

Posted 02 November 2008 - 09:50 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic