
Don't know what type of infection


  • This topic is locked
25 replies to this topic

#1 nats4584

nats4584

  • Members
  • 31 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 17 February 2009 - 04:35 AM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Natalie Roberts at 1:18:00.50 on Tue 02/17/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.341 [GMT -8:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\ZoneTick\timesync.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Smileycons\smileycons.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe C:\WINDOWS\TEMP\VRTC.tmp
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe C:\WINDOWS\TEMP\VRT3C.tmp
C:\WINDOWS\system32\ntvdm.exe
svchost.exe C:\WINDOWS\TEMP\VRT44.tmp
C:\WINDOWS\system32\ntvdm.exe
svchost.exe C:\WINDOWS\TEMP\VRT4B.tmp
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Natalie Roberts\Local Settings\Temporary Internet Files\Content.IE5\4P2BCLEZ\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Smileycons] c:\program files\smileycons\smileycons.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Blubster] c:\program files\blubster\Blubster.exe SILENT
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [msiexec.exe] msiconf.exe
dRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
StartupFolder: c:\docume~1\natali~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://0-site.ebrary.com.ignacio.usfca.edu/lib/usflibrary/support/plugins/ebraryRdr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-3 12552]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-3 11840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-3 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-3 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-3 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-3 85761]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 298264]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 116224]
R2 ZTime;ZoneTick Time;c:\program files\zonetick\timesync.exe [2008-10-23 98304]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-3 168193]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-3 52032]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [2009-2-15 5760]

=============== Created Last 30 ================

2009-02-17 01:14 81,931 a------- c:\windows\system32\4E.tmp
2009-02-17 01:14 1 a------- c:\windows\system32\4D.tmp
2009-02-17 01:14 88 a------- c:\windows\system32\4C.tmp
2009-02-17 01:10 81,931 a------- c:\windows\system32\47.tmp
2009-02-17 01:10 1 a------- c:\windows\system32\46.tmp
2009-02-17 01:10 88 a------- c:\windows\system32\45.tmp
2009-02-17 01:06 81,931 a------- c:\windows\system32\40.tmp
2009-02-17 01:06 1 a------- c:\windows\system32\3F.tmp
2009-02-17 01:06 88 a------- c:\windows\system32\3E.tmp
2009-02-17 00:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-17 00:39 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-17 00:06 81,931 a------- c:\windows\system32\F.tmp
2009-02-17 00:06 1 a------- c:\windows\system32\E.tmp
2009-02-17 00:06 88 a------- c:\windows\system32\D.tmp
2009-02-16 23:58 81,931 a------- c:\windows\system32\44.tmp
2009-02-16 23:58 1 a------- c:\windows\system32\43.tmp
2009-02-16 23:58 88 a------- c:\windows\system32\42.tmp
2009-02-16 23:54 81,931 a------- c:\windows\system32\3D.tmp
2009-02-16 23:54 1 a------- c:\windows\system32\3C.tmp
2009-02-16 23:54 88 a------- c:\windows\system32\3B.tmp
2009-02-16 23:19 81,931 a------- c:\windows\system32\36.tmp
2009-02-16 23:19 1 a------- c:\windows\system32\35.tmp
2009-02-16 23:19 88 a------- c:\windows\system32\34.tmp
2009-02-16 23:03 81,931 a------- c:\windows\system32\28.tmp
2009-02-16 23:03 1 a------- c:\windows\system32\27.tmp
2009-02-16 23:03 88 a------- c:\windows\system32\26.tmp
2009-02-16 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-16 13:39 81,931 a------- c:\windows\system32\1A.tmp
2009-02-16 13:39 1 a------- c:\windows\system32\19.tmp
2009-02-16 13:39 88 a------- c:\windows\system32\18.tmp
2009-02-15 21:18 54,784 a------- c:\windows\system32\4.tmp
2009-02-15 21:18 1 a------- c:\windows\system32\3.tmp
2009-02-15 21:18 84 a------- c:\windows\system32\2.tmp
2009-02-15 21:08 5,760 -------- c:\windows\system32\1.tmp
2009-02-13 19:09 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-02-13 19:09 <DIR> --d----- c:\program files\Belarc
2009-02-12 03:04 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-12 03:03 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-12 03:03 614,912 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-12 03:03 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-12 03:03 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-12 03:03 <DIR> --d----- C:\4394a2848b39883846291d3f
2009-02-12 03:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-12 03:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-12 03:03 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-12 02:00 <DIR> --d----- c:\program files\ACW
2009-02-12 01:13 488 a------- c:\documents and settings\natalie roberts\reset.cmd
2009-02-12 01:10 <DIR> --d----- c:\program files\Windows Resource Kits
2009-02-12 00:19 62,922,752 a------- c:\windows\sectest.db
2009-02-11 12:59 <DIR> --d----- c:\program files\QUAD Utilities
2009-02-11 07:23 <DIR> --d----- c:\windows\system32\scripting
2009-02-11 07:23 <DIR> --d----- c:\windows\system32\en
2009-02-11 07:23 <DIR> --d----- c:\windows\l2schemas
2009-02-11 07:23 <DIR> --d----- c:\windows\system32\bits
2009-02-11 07:20 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-11 07:17 <DIR> --d----- c:\windows\network diagnostic
2009-02-09 01:31 <DIR> --d----- c:\docume~1\natali~1\applic~1\ZoneTick
2009-02-09 01:31 <DIR> --d----- c:\program files\ZoneTick
2009-02-09 01:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Anuko
2009-02-09 01:23 <DIR> --d----- c:\program files\Alarm Clock
2009-02-04 18:14 1,024,268 a------- c:\windows\system32\commonpriv.log.1
2009-02-04 18:14 0 a------- c:\windows\system32\commonpriv.log.lock
2009-02-04 17:18 <DIR> --d----- c:\program files\Sophos
2009-02-04 01:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-04 01:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-04 01:20 <DIR> --d----- c:\docume~1\natali~1\applic~1\SUPERAntiSpyware.com
2009-02-04 01:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-04 00:44 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-04 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-04 00:36 <DIR> --d----- c:\documents and settings\natalie roberts\SmitfraudFix
2009-02-03 22:40 <DIR> --d----- c:\program files\Avira
2009-02-03 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-03 22:22 388,608 a------- c:\windows\system32\cmd.execf
2009-02-03 22:20 <DIR> --d----- C:\ComboFix
2009-02-03 22:20 406,016 a------- c:\windows\system32\CF12393.exe
2009-02-03 22:10 106 a------- C:\delete.bat
2009-02-03 22:01 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-03 22:01 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-02-03 22:01 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-03 22:01 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-03 22:00 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-02 22:20 <DIR> --d----- c:\program files\Smileycons

==================== Find3M ====================

2009-02-12 01:10 89,247 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-04-25 09:19 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-23 21:01 2,644 ac------ c:\docume~1\natali~1\applic~1\wklnhst.dat

============= FINISH: 1:19:08.86 ===============
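The DDS log above is what a helper reads to pick out the entries that stand out. As an added example (not part of the post and not DDS code), this Python script applies a few triage rules to lines copied from that log: an extra executable appended to the Winlogon Userinit value, a process image listed without a full path or referencing TEMP, a Run key that launches a bare file name, and a driver loaded from a .tmp file. The rule set and the sample log are my own constructions; each finding is a prompt to look closer, not a verdict.

```python
"""Triage heuristics for a DDS log (Running Processes / Pseudo HJT / Services).

Added example, not part of the original post or of DDS itself; the sample lines
are copied from the log above and the rules are my own. A finding is a prompt to
look closer, not a verdict: a .tmp driver can also belong to a rootkit scanner.
"""
import re

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe C:\WINDOWS\TEMP\VRTC.tmp
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [msiexec.exe] msiconf.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [2009-2-15 5760]
"""

SYSTEM32 = r"c:\windows\system32"
LEGIT_USERINIT = SYSTEM32 + r"\userinit.exe"
CORE_BINARIES = {"svchost.exe", "userinit.exe", "spoolsv.exe", "lsass.exe"}  # system32 only
IMAGE_RE = re.compile(r"^(?P<image>.*?\.(?:exe|scr|com|tmp|sys))(?:\s+(?P<args>.*))?$", re.I)
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)\s+\[")


def split_command(cmd):
    """Split 'image args' the way DDS prints it; a quoted image may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        image, _, args = cmd[1:].partition('"')
        return image, args.strip()
    m = IMAGE_RE.match(cmd)
    return (m.group("image"), m.group("args") or "") if m else (cmd, "")


def has_full_path(image):
    return re.match(r"^[a-z]:\\", image, re.I) is not None


def check_process(line):
    """Running Processes: one finding per line, listing every rule that fired."""
    image, args = split_command(line)
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if not has_full_path(image):
        reasons.append("image listed without a full path")
    elif name in CORE_BINARIES and not image.lower().startswith(SYSTEM32 + "\\"):
        reasons.append("core Windows binary name running outside system32")
    if re.search(r"\\temp\\|\.tmp\b", image + " " + args, re.I):
        reasons.append("references a TEMP directory or .tmp file")
    if re.search(r"\\application data\\", image, re.I):
        reasons.append("executable lives under Application Data")
    return [("process", f"{line}  <- {'; '.join(reasons)}")] if reasons else []


def check_userinit(line):
    """Winlogon Userinit should hold exactly one entry, system32's userinit.exe."""
    entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
    return [("userinit", f"extra Userinit entry: {e}")
            for e in entries if e.lower() != LEGIT_USERINIT]


def check_run_key(line):
    """Run keys: a bare file name is resolved via the search path, a classic hiding spot."""
    m = RUN_RE.match(line)
    if not m:
        return []
    image, _ = split_command(m.group("cmd"))
    if has_full_path(image):
        return []
    return [("run-key", f"{m.group('hive')}Run [{m.group('name')}] launches "
                        f"{image} without a full path")]


def check_service(line):
    """Services/drivers whose image is a .tmp file deserve a second look."""
    m = SVC_RE.match(line)
    if m and m.group("path").lower().endswith(".tmp"):
        return [("service", f"{m.group('svc')} loads {m.group('path')}")]
    return []


def triage(log_text):
    """Return [(category, detail), ...] for every line that deserves a closer look."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("====="):            # DDS section banner
            section = line.strip("= ").lower()
        elif section == "running processes":
            findings.extend(check_process(line))
        elif line.startswith("mWinlogon: Userinit="):
            findings.extend(check_userinit(line))
        elif RUN_RE.match(line):
            findings.extend(check_run_key(line))
        elif section.startswith("services"):
            findings.extend(check_service(line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category:8}] {detail}")
```

Run against the sample it reports five entries (twext.exe in Userinit, the two svchost/msas2009 processes, msiconf.exe and the .tmp driver) and stays silent on ctfmon, qttask and the SUPERAntiSpyware driver.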


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:18 PM

Posted 18 February 2009 - 07:00 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.




Please post these logs in your next reply... Post each log in a separate post

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 nats4584

nats4584
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 22 February 2009 - 08:41 PM

Was unable to do SDFix for some reason, so just did ComboFix and HijackThis.

ComboFix

ComboFix 09-02-21.01 - Natalie Roberts 2009-02-22 17:17:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.513 [GMT -8:00]
Running from: c:\documents and settings\Natalie Roberts\Desktop\ComboFix123.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\Natalie Roberts\reader_s.exe
c:\program files\QUAD Utilities
c:\windows\IE4 Error Log.txt
c:\windows\services.exe
c:\windows\system32\6.tmp
c:\windows\system32\7.tmp
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\B.tmp
c:\windows\system32\codeblocks.exe
c:\windows\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\drivers\protect.sys
c:\windows\system32\p2
c:\windows\system32\reader_s.exe
c:\windows\system32\drivers\str.sys . . . . failed to delete

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTSVC
-------\Legacy_IPSECPOOLER
-------\Legacy_PROTECT
-------\Legacy_TNIDRIVER
-------\Service_protect
-------\Service_restore
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 17:29 . 2009-02-22 17:29 47,616 --a------ c:\documents and settings\Natalie Roberts\reader_s.exe
2009-02-22 17:29 . 2009-02-22 17:29 0 --a------ c:\windows\system32\6.tmp
2009-02-22 16:48 . 2009-02-22 16:48 168 --a------ c:\windows\system32\8.tmp
2009-02-22 16:28 . 2009-02-22 16:28 168 --a------ c:\windows\system32\5.tmp
2009-02-22 15:47 . 2009-02-22 15:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-22 15:42 . 2009-02-22 15:42 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-22 15:25 . 2009-02-22 15:25 67,585 --a------ c:\windows\system32\6E.tmp
2009-02-22 15:25 . 2009-02-22 15:25 15,614 --a------ c:\windows\system32\77.tmp
2009-02-22 15:25 . 2009-02-22 15:25 168 --a------ c:\windows\system32\6A.tmp
2009-02-22 15:17 . 2009-02-22 15:17 67,585 --a------ c:\windows\system32\7E.tmp
2009-02-22 15:17 . 2009-02-22 15:17 37,888 --a------ c:\windows\system32\80.tmp
2009-02-22 15:17 . 2009-02-22 15:17 168 --a------ c:\windows\system32\7B.tmp
2009-02-22 12:00 . 2009-02-22 12:01 37,888 --a------ c:\windows\system32\74.tmp
2009-02-22 12:00 . 2009-02-22 12:00 168 --a------ c:\windows\system32\66.tmp
2009-02-21 16:39 . 2009-02-21 16:39 0 --a------ c:\windows\system32\76.tmp
2009-02-21 16:06 . 2009-02-21 16:06 67,585 --a------ c:\windows\system32\72.tmp
2009-02-21 16:06 . 2009-02-21 16:06 38,913 --a------ c:\windows\system32\71.tmp
2009-02-21 16:06 . 2009-02-21 16:06 30,208 --a------ c:\windows\system32\73.tmp
2009-02-21 16:06 . 2009-02-21 16:06 168 --a------ c:\windows\system32\70.tmp
2009-02-21 15:31 . 2009-02-21 15:31 67,585 --a------ c:\windows\system32\69.tmp
2009-02-21 15:31 . 2009-02-21 15:32 37,888 --a------ c:\windows\system32\6B.tmp
2009-02-21 15:31 . 2009-02-21 15:31 168 --a------ c:\windows\system32\64.tmp
2009-02-21 13:51 . 2009-02-21 13:51 67,585 --a------ c:\windows\system32\7A.tmp
2009-02-21 13:51 . 2009-02-21 13:51 37,888 --a------ c:\windows\system32\7C.tmp
2009-02-21 13:50 . 2009-02-21 13:50 24,577 --a------ c:\windows\system32\79.tmp
2009-02-21 13:50 . 2009-02-21 13:50 168 --a------ c:\windows\system32\78.tmp
2009-02-21 12:40 . 2009-02-21 12:40 67,585 --a------ c:\windows\system32\6F.tmp
2009-02-21 12:39 . 2009-02-21 12:40 168 --a------ c:\windows\system32\6D.tmp
2009-02-19 20:14 . 2009-02-19 20:14 164,804 --a------ c:\windows\system32\68.tmp
2009-02-19 20:14 . 2009-02-19 20:14 88,065 --a------ c:\windows\system32\65.tmp
2009-02-19 20:14 . 2009-02-19 20:14 9,216 --a------ c:\windows\system32\67.tmp
2009-02-19 20:14 . 2009-02-19 20:14 208 --a------ c:\windows\system32\61.tmp
2009-02-19 20:08 . 2009-02-19 20:11 164,804 --a------ c:\windows\system32\63.tmp
2009-02-19 20:08 . 2009-02-19 20:08 88,065 --a------ c:\windows\system32\60.tmp
2009-02-19 20:08 . 2009-02-19 20:08 25,601 --a------ c:\windows\system32\5D.tmp
2009-02-19 20:08 . 2009-02-19 20:08 9,216 --a------ c:\windows\system32\62.tmp
2009-02-19 20:08 . 2009-02-19 20:08 208 --a------ c:\windows\system32\5B.tmp
2009-02-19 19:58 . 2009-02-19 20:01 162,724 --a------ c:\windows\system32\5F.tmp
2009-02-19 19:58 . 2009-02-19 19:58 88,065 --a------ c:\windows\system32\5C.tmp
2009-02-19 19:58 . 2009-02-19 19:58 9,216 --a------ c:\windows\system32\5E.tmp
2009-02-19 19:58 . 2009-02-19 19:58 208 --a------ c:\windows\system32\58.tmp
2009-02-19 08:31 . 2009-02-19 08:34 163,748 --a------ c:\windows\system32\5A.tmp
2009-02-19 08:31 . 2009-02-19 08:31 9,216 --a------ c:\windows\system32\59.tmp
2009-02-19 08:30 . 2009-02-19 08:30 88,065 --a------ c:\windows\system32\57.tmp
2009-02-19 08:30 . 2009-02-19 08:30 81,408 --a------ c:\windows\WCSMON.EXE
2009-02-19 08:29 . 2009-02-19 08:30 61,440 --a------ c:\windows\system32\55.tmp
2009-02-19 08:29 . 2009-02-19 08:29 208 --a------ c:\windows\system32\52.tmp
2009-02-19 00:27 . 2009-02-19 00:29 163,748 --a------ c:\windows\system32\56.tmp
2009-02-19 00:26 . 2009-02-19 00:26 7,680 --a------ c:\windows\system32\53.tmp
2009-02-19 00:26 . 2009-02-19 00:26 168 --a------ c:\windows\system32\4B.tmp
2009-02-19 00:19 . 2009-02-19 00:22 163,748 --a------ c:\windows\system32\54.tmp
2009-02-19 00:19 . 2009-02-19 00:19 7,680 --a------ c:\windows\system32\51.tmp
2009-02-19 00:19 . 2009-02-19 00:19 168 --a------ c:\windows\system32\41.tmp
2009-02-18 18:52 . 2009-02-18 18:55 123,613 --a------ c:\windows\system32\50.tmp
2009-02-18 18:51 . 2009-02-22 17:29 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-18 18:51 . 2009-02-18 18:51 7,168 --a------ c:\windows\system32\4A.tmp
2009-02-18 18:51 . 2009-02-18 18:51 1,409 --a------ c:\windows\QTFont.for
2009-02-18 18:51 . 2009-02-18 18:51 168 --a------ c:\windows\system32\3A.tmp
2009-02-18 18:21 . 2009-02-18 18:24 162,564 --a------ c:\windows\system32\4F.tmp
2009-02-18 18:21 . 2009-02-18 18:21 7,168 --a------ c:\windows\system32\49.tmp
2009-02-18 18:21 . 2009-02-18 18:21 168 --a------ c:\windows\system32\38.tmp
2009-02-18 17:50 . 2009-02-18 17:52 163,300 --a------ c:\windows\system32\48.tmp
2009-02-18 17:49 . 2009-02-18 17:49 7,168 --a------ c:\windows\system32\39.tmp
2009-02-18 17:49 . 2009-02-18 17:49 168 --a------ c:\windows\system32\33.tmp
2009-02-18 17:37 . 2009-02-18 17:41 163,300 --a------ c:\windows\system32\37.tmp
2009-02-18 17:37 . 2009-02-18 17:37 25,601 --a------ c:\windows\system32\30.tmp
2009-02-18 17:37 . 2009-02-18 17:37 7,168 --a------ c:\windows\system32\31.tmp
2009-02-18 17:37 . 2009-02-18 17:37 168 --a------ c:\windows\system32\2F.tmp
2009-02-18 17:17 . 2009-02-18 17:20 163,300 --a------ c:\windows\system32\32.tmp
2009-02-18 17:17 . 2009-02-18 17:17 25,601 --a------ c:\windows\system32\2A.tmp
2009-02-18 17:17 . 2009-02-18 17:17 7,168 --a------ c:\windows\system32\2D.tmp
2009-02-18 17:17 . 2009-02-18 17:17 168 --a------ c:\windows\system32\24.tmp
2009-02-18 17:14 . 2009-02-18 17:14 7,168 --a------ c:\windows\system32\25.tmp
2009-02-18 17:14 . 2009-02-18 17:14 168 --a------ c:\windows\system32\22.tmp
2009-02-18 17:14 . 2009-02-18 17:55 6 --a------ c:\windows\_id.dat
2009-02-18 17:14 . 2009-02-18 17:14 0 --a------ c:\windows\system32\2C.tmp
2009-02-18 17:11 . 2009-02-18 17:11 25,601 --a------ c:\windows\system32\1F.tmp
2009-02-18 17:11 . 2009-02-18 17:11 7,168 --a------ c:\windows\system32\20.tmp
2009-02-18 17:11 . 2009-02-18 17:11 168 --a------ c:\windows\system32\1C.tmp
2009-02-18 17:11 . 2009-02-22 16:28 128 --a------ c:\windows\adobe.bat
2009-02-18 17:11 . 2009-02-18 17:11 0 --a------ c:\windows\system32\23.tmp
2009-02-18 12:55 . 2009-02-18 12:55 2,048 --a------ c:\windows\system32\1E.tmp
2009-02-18 12:55 . 2009-02-18 12:55 0 --a------ c:\windows\system32\21.tmp
2009-02-18 12:53 . 2009-02-18 12:53 168 --a------ c:\windows\system32\16.tmp
2009-02-18 12:37 . 2009-02-18 12:37 163,268 --a------ c:\windows\system32\1D.tmp
2009-02-18 12:36 . 2009-02-18 12:37 2,048 --a------ c:\windows\system32\17.tmp
2009-02-18 12:36 . 2009-02-18 12:36 168 --a------ c:\windows\system32\14.tmp
2009-02-18 12:33 . 2009-02-18 12:33 <DIR> d-------- c:\windows\ERUNT
2009-02-18 12:15 . 2009-02-19 20:11 138,432 --a------ c:\windows\system32\drivers\ethkovto.sys
2009-02-18 12:12 . 2009-02-18 12:15 163,268 --a------ c:\windows\system32\1B.tmp
2009-02-18 12:12 . 2009-02-18 12:12 2,048 --a------ c:\windows\system32\15.tmp
2009-02-18 12:12 . 2009-02-18 12:12 168 --a------ c:\windows\system32\13.tmp
2009-02-18 12:10 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-02-18 12:10 . 2009-02-18 12:10 137,408 --a------ c:\windows\system32\drivers\rimusb.sys
2009-02-18 12:08 . 2009-02-18 12:08 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-02-18 12:08 . 2009-02-18 12:10 163,268 --a------ c:\windows\system32\2E.tmp
2009-02-18 12:08 . 2009-02-18 12:08 2,048 --a------ c:\windows\system32\2B.tmp
2009-02-18 12:08 . 2009-02-18 12:08 168 --a------ c:\windows\system32\29.tmp
2009-02-17 17:03 . 2009-02-17 17:03 81,931 --a------ c:\windows\system32\12.tmp
2009-02-17 17:03 . 2009-02-17 17:03 48 --a------ c:\windows\system32\11.tmp
2009-02-17 09:52 . 2009-02-17 09:52 <DIR> d-------- c:\documents and settings\Natalie Roberts\Application Data\Uniblue
2009-02-17 09:10 . 2009-02-17 09:10 81,931 --a------ c:\windows\system32\10.tmp
2009-02-17 01:14 . 2009-02-17 01:14 81,931 --a------ c:\windows\system32\4E.tmp
2009-02-17 01:14 . 2009-02-17 01:14 88 --a------ c:\windows\system32\4C.tmp
2009-02-17 01:14 . 2009-02-17 01:14 1 --a------ c:\windows\system32\4D.tmp
2009-02-17 01:10 . 2009-02-17 01:10 81,931 --a------ c:\windows\system32\47.tmp
2009-02-17 01:10 . 2009-02-17 01:10 88 --a------ c:\windows\system32\45.tmp
2009-02-17 01:10 . 2009-02-17 01:10 1 --a------ c:\windows\system32\46.tmp
2009-02-17 01:06 . 2009-02-17 01:06 81,931 --a------ c:\windows\system32\40.tmp
2009-02-17 01:06 . 2009-02-17 01:06 88 --a------ c:\windows\system32\3E.tmp
2009-02-17 01:06 . 2009-02-17 01:06 1 --a------ c:\windows\system32\3F.tmp
2009-02-17 00:39 . 2009-02-17 00:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-17 00:39 . 2009-02-17 00:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-16 23:58 . 2009-02-16 23:58 81,931 --a------ c:\windows\system32\44.tmp
2009-02-16 23:58 . 2009-02-16 23:58 88 --a------ c:\windows\system32\42.tmp
2009-02-16 23:58 . 2009-02-16 23:58 1 --a------ c:\windows\system32\43.tmp
2009-02-16 23:54 . 2009-02-16 23:54 81,931 --a------ c:\windows\system32\3D.tmp
2009-02-16 23:54 . 2009-02-16 23:54 88 --a------ c:\windows\system32\3B.tmp
2009-02-16 23:54 . 2009-02-16 23:54 1 --a------ c:\windows\system32\3C.tmp
2009-02-16 23:19 . 2009-02-16 23:19 81,931 --a------ c:\windows\system32\36.tmp
2009-02-16 23:19 . 2009-02-16 23:19 88 --a------ c:\windows\system32\34.tmp
2009-02-16 23:19 . 2009-02-16 23:19 1 --a------ c:\windows\system32\35.tmp
2009-02-16 23:03 . 2009-02-16 23:03 81,931 --a------ c:\windows\system32\28.tmp
2009-02-16 23:03 . 2009-02-16 23:03 88 --a------ c:\windows\system32\26.tmp
2009-02-16 23:03 . 2009-02-16 23:03 1 --a------ c:\windows\system32\27.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 01:29 18,944 ---ha-w c:\windows\system32\drivers\protect.sys
2009-02-23 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-23 01:03 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-23 01:03 --------- d-----w c:\documents and settings\Natalie Roberts\Application Data\Move Networks
2009-02-23 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-23 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-18 20:08 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-17 08:38 --------- d-----w c:\program files\Java
2009-02-16 04:56 --------- d-----w c:\program files\Blubster
2009-02-16 04:24 --------- d-----w c:\program files\Toshiba Games
2009-02-16 04:24 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2009-02-16 03:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-11 11:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-10 02:02 --------- d-----w c:\documents and settings\Natalie Roberts\Application Data\LimeWire
2009-01-28 07:18 --------- d-----w c:\program files\LimeWire
2009-01-07 08:10 --------- d-----w c:\program files\Skype
2009-01-07 08:10 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-01-07 08:09 --------- d-----w c:\program files\MySpace
2009-01-07 07:00 --------- d-----w c:\program files\Free Window Registry Repair
2009-01-07 06:54 --------- d-----w c:\program files\RegistryFix7
2009-01-06 07:38 --------- d-----w c:\documents and settings\Natalie Roberts\Application Data\skypePM
2009-01-05 08:16 --------- d-----w c:\program files\AVG
2009-01-03 01:39 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1ODM3NDJ8_
2008-04-25 17:19 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-08-24 05:01 2,644 -c--a-w c:\documents and settings\Natalie Roberts\Application Data\wklnhst.dat
.

------- Sigcheck -------

2004-08-10 04:00 31232 a3724f4e18276a849d93d952a43579d5 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 16:12 31232 f41050526a1ed5fa7f9a6f4b8ae4f807 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 16:12 31232 5761d2c73f126c3262a332bbc842372a c:\windows\system32\svchost.exe

2004-08-10 04:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 11:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 11:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2009-02-18 12:08 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-18 12:08 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 16:12 1051136 288d3cca931be6239aa90d501364aad2 c:\windows\explorer.exe
2007-06-13 03:26 1050112 bcef2536f084fc770da11205293742d2 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 02:23 1050112 5ad8bc837c11fc75acb40bc819455e6f c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 04:00 1049088 4676ce781088c616a33d3a5f9b523e2d c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 16:12 1050624 3cb029ad5ba348b61f6354bcadf1aad1 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-10 04:00 32768 8af7cd0c4593413a747978aa21be2340 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 16:12 32256 25a9b93f33f8efe6f9a97c5bd41fc642 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 16:12 32768 a060a2f63f24dcc22313ff77df983bb1 c:\windows\system32\ctfmon.exe

2005-06-10 16:17 75264 16d93baba3bf3539c0f2bd8ba067d512 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 15:53 74752 041a4b4b87f2a0739e10246d6913cce6 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-10 04:00 74752 3d033efb1b542b8f8e9fbb9060f70bc7 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 16:12 74752 946c81b1b6962ab86ef93881f22ceefe c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 16:12 75264 d4e509285ccf8e8ebd8179964f322438 c:\windows\system32\spoolsv.exe

2004-08-10 04:00 41984 84c82a157b521bd0277b44867c4b27ab c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 16:12 43008 928bb407a12eb42f2697282e64f34761 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 16:12 43520 951cfebd30d8673e30b416e815a2bad5 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]
"reader_s"="c:\documents and settings\Natalie Roberts\reader_s.exe" [2009-02-22 47616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648]
"reader_s"="c:\windows\System32\reader_s.exe" [2009-02-22 47104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="c:\documents and settings\Natalie Roberts\reader_s.exe" [2009-02-22 47616]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\TEMP\init.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wesvwp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\temp\\init.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-03 12552]
R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-02-22 18944]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-03 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-03 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-03 298264]
S0 jvuj;jvuj;c:\windows\system32\drivers\bhkdg.sys --> c:\windows\system32\drivers\bhkdg.sys [?]
S1 ethkovto;ethkovto;c:\windows\system32\drivers\ethkovto.sys [2009-02-18 138432]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROTECT
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2009-02-23 c:\windows\Tasks\qkhperpa.job
- c:\windows\system32\byXRkHXn.dll []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-services - c:\windows\services.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 17:28:51
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

c:\windows\temp\init.exe [10204] 0x85BC8B28

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\jfqdk.sys 30848 bytes executable
c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\reader_s.exe 47104 bytes executable
c:\windows\system32\6.tmp 168 bytes
c:\windows\system32\7.tmp 25601 bytes executable
c:\windows\system32\9.tmp 67585 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\yrgto]
"ImagePath"="\??\c:\windows\system32\drivers\jfqdk.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\temp\BN3.tmp
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-22 17:32:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 01:32:49

Pre-Run: 68,925,612,032 bytes free
Post-Run: 69,024,641,024 bytes free

352 --- E O F --- 2009-02-11 15:33:07

#4 nats4584 (Topic Starter, Members, 31 posts)

Posted 22 February 2009 - 08:42 PM

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38:30, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Natalie Roberts\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Natalie Roberts\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Natalie Roberts\reader_s.exe (User 'Default user')
O20 - AppInit_DLLs: wesvwp.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 4267 bytes

#5 fenzodahl512 (Members, 6,738 posts)

Posted 23 February 2009 - 10:15 AM

This is an important step.. Tell me whether you successfully uploaded the file or not.. Please zip it first before sending it to the upload channel..

Please show hidden files and folders

Please visit this site and upload the file below.. At the comment section, just say "fenzodahl512 asked to upload the file"

c:\documents and settings\Natalie Roberts\reader_s.exe



After that, delete that file from your computer and empty your recycle bin.. Then download this tool and save it to your Desktop..

Dr.Web CureIt


Disconnect the computer physically from the internet (pull out the network cable from the computer)


IMPORTANT!! Please read quote below.. It's important!!

Delete your version of ComboFix from your computer.. I suspect that you have Virut virus in the computer..


Some info about Virut.. It infects ALL executable files, in each and every partition the computer has, including any files inside a thumbdrive or external hard disk that has been used with that computer...



Ok.. Looking at the ComboFix log, I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files... We are looking for a possible Virut or Sality infection, and if it is.. then you might have to wipe the machine clean..

Make sure you back up everything ONLY via CD or DVD (non-rewritable)



But let's do this first.. (after you backup all important stuff)...


Dr. Web CureIt step..

Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt, and post DrWeb.csv in your next reply (Open it in Notepad)
After that, run ComboFix once again.. Post these logs in your next reply..

1. Dr.Web CureIt
2. ComboFix..

Edited by fenzodahl512, 23 February 2009 - 10:16 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
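Why the ComboFix log above points at a file infector, as an added example that is not part of the thread and not ComboFix's own code: the Sigcheck section lists the MD5 and size of several Windows system files next to the Service Pack reference copies under ServicePackFiles\i386. The Python script below (constructed here for this thread) parses that block and reports every file whose live copy in c:\windows or c:\windows\system32 differs in hash or size from the reference copy. On the posted data it flags all six files; explorer.exe, ctfmon.exe, spoolsv.exe and userinit.exe have each grown by exactly 512 bytes, the uniform growth that appending file infectors produce. The sample text is the Sigcheck block copied verbatim from the log above; the LIVE_DIRS and REFERENCE_DIR constants are this example's assumptions about where the running copies and the pristine copies live.

```python
"""Cross-check the Sigcheck section of a ComboFix log (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the Sigcheck block copied from the ComboFix log above.
SIGCHECK_SAMPLE = r"""
2004-08-10 04:00 31232 a3724f4e18276a849d93d952a43579d5 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 16:12 31232 f41050526a1ed5fa7f9a6f4b8ae4f807 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 16:12 31232 5761d2c73f126c3262a332bbc842372a c:\windows\system32\svchost.exe

2004-08-10 04:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 11:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 11:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2009-02-18 12:08 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-18 12:08 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 16:12 1051136 288d3cca931be6239aa90d501364aad2 c:\windows\explorer.exe
2007-06-13 03:26 1050112 bcef2536f084fc770da11205293742d2 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 02:23 1050112 5ad8bc837c11fc75acb40bc819455e6f c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 04:00 1049088 4676ce781088c616a33d3a5f9b523e2d c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 16:12 1050624 3cb029ad5ba348b61f6354bcadf1aad1 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-10 04:00 32768 8af7cd0c4593413a747978aa21be2340 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 16:12 32256 25a9b93f33f8efe6f9a97c5bd41fc642 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 16:12 32768 a060a2f63f24dcc22313ff77df983bb1 c:\windows\system32\ctfmon.exe

2008-04-13 16:12 74752 946c81b1b6962ab86ef93881f22ceefe c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 16:12 75264 d4e509285ccf8e8ebd8179964f322438 c:\windows\system32\spoolsv.exe

2008-04-13 16:12 43008 928bb407a12eb42f2697282e64f34761 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 16:12 43520 951cfebd30d8673e30b416e815a2bad5 c:\windows\system32\userinit.exe
"""

# One Sigcheck line: date time size md5 path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")

# Assumptions of this example: where the running copies live, and where the
# Service Pack keeps its pristine reference copies.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"


@dataclass(frozen=True)
class SigEntry:
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.path).lower()

    @property
    def directory(self) -> str:
        return ntpath.dirname(self.path).lower()


def parse_sigcheck(text: str) -> list:
    """Turn the Sigcheck block into SigEntry records; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(size=int(m.group(3)), md5=m.group(4).lower(), path=m.group(5)))
    return entries


def find_mismatches(entries) -> dict:
    """Map file name -> details for every live copy that differs from its reference copy."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings = {}
    for name, copies in by_name.items():
        live = [e for e in copies if e.directory in LIVE_DIRS]
        ref = [e for e in copies if e.directory == REFERENCE_DIR]
        if not live or not ref:
            continue  # nothing to compare against
        live_copy, ref_copy = live[0], ref[0]
        hash_differs = live_copy.md5 != ref_copy.md5
        size_delta = live_copy.size - ref_copy.size  # positive = live copy has grown
        if hash_differs or size_delta != 0:
            findings[name] = {
                "live_path": live_copy.path,
                "hash_differs": hash_differs,
                "size_delta": size_delta,
                "live_md5": live_copy.md5,
                "reference_md5": ref_copy.md5,
            }
    return findings


def report(findings: dict) -> list:
    """One human-readable line per mismatched file."""
    lines = []
    for name, f in sorted(findings.items()):
        what = []
        if f["hash_differs"]:
            what.append("md5 differs")
        if f["size_delta"]:
            what.append(f"size {f['size_delta']:+d} bytes")
        lines.append(f"{name}: {', '.join(what)} ({f['live_path']})")
    return lines


if __name__ == "__main__":
    for line in report(find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE))):
        print(line)
```

A differing hash alone is not proof of infection (a hotfix can legitimately replace a system file), which is why the script reports the size delta as well: a set of unrelated system binaries that all grew by the same number of bytes is a much stronger signal than any single mismatch.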


#6 nats4584 (Topic Starter, Members, 31 posts)

Posted 25 February 2009 - 09:08 PM

I can't seem to copy my backup to a cd. However, did the back up, deleted that file and combofix. What shall I do??

#7 fenzodahl512 (Members, 6,738 posts)

Posted 25 February 2009 - 09:17 PM

First of all, do you know how to create a bootable UBCD CD or a BartPE CD?

Please refer below if you don't...

http://www.winhelponline.com/blog/create-b...ing-pe-builder/

http://www.ubcd4win.com/howto.htm


Tell me if you have successfully created a BartPE or UBCD boot CD..

Edited by fenzodahl512, 25 February 2009 - 09:20 PM.



#8 nats4584 (Topic Starter, Members, 31 posts)

Posted 26 February 2009 - 06:14 PM

I have the BartPE CD, however, I don't know how to do just imp docs/files?

#9 fenzodahl512 (Members, 6,738 posts)

Posted 26 February 2009 - 06:31 PM

however, I don't know how to do just imp docs/files?


Err.. Please tell me what you mean by that? Sorry but English is not my native language, I can only speak simple English :)


Ok.. do this ONLY after you backup all the files.. It's important that you back up all documents/data/pictures/movies/songs before doing the steps below....


Delete all versions of ComboFix and also Dr.Web CureIt if you have them.. Then please disable System Restore on the computer.. Visit below if you do not know how..

http://www.pchell.com/virus/systemrestore.shtml


Please download Dr.Web CureIt to the Desktop.. Don't do anything with it yet...


Please download ComboFix by sUBs and save it on your Desktop, don't do anything with it yet...


Now reboot your computer via BartPE CD.. This step is important...


After rebooting via Bart PE CD, do the following...


Step 1, Dr.Web CureIt

Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt, and post DrWeb.csv in your next reply (Open it in Notepad)

Step 2. ComboFix

Go to Start >> Run >> copy/paste the line below >> Enter

"%userprofile%\desktop\combofix.exe" /killall

It will run ComboFix in a special mode.. Let it run and don't do anything with your computer..

When finished, it shall produce a log for you. Post that log in your next reply.


Reboot your computer into Normal Mode

In Normal Mode, run Dr.Web CureIt and ComboFix once again as you did in the BartPE Mode.. Save their logs..


Attach these logs in your next reply..

1. Dr.Web CureIt (In BartPE Mode)
2. ComboFix (In BartPE Mode)
3. Dr.Web CureIt (In Normal Mode)
4. ComboFix (In Normal Mode)



#10 nats4584 (Topic Starter, Members, 31 posts)

Posted 01 March 2009 - 12:53 AM

When I booted it with the boot CD, a blue screen came up with a fatal system error 0xc0000005 and STOP: c000021a fatal system error. Uh oh!! Please help!!!

#11 fenzodahl512 (Members, 6,738 posts)

Posted 01 March 2009 - 02:12 AM

Skip the boot CD step and run Dr.Web CureIt and ComboFix normally, and post the logs here



#12 nats4584 (Topic Starter, Members, 31 posts)

Posted 03 March 2009 - 04:08 PM

So I did both scans but cannot get on the internet or copy to a CD so I can get them onto another computer to give you the logs.... What shall I do?

#13 fenzodahl512 (Members, 6,738 posts)

Posted 03 March 2009 - 04:34 PM

Just tell me, does Dr.Web detect something called Win32.Virut or Win32.Sality?



#14 nats4584 (Topic Starter, Members, 31 posts)

Posted 04 March 2009 - 03:48 PM

Win32.Virut.... and a lot of them, at that. Nothing loads, Windows doesn't load upon startup, no internet connections are detected, it's all bad. Please help! What to do, what to do.....

#15 fenzodahl512 (Members, 6,738 posts)

Posted 04 March 2009 - 04:45 PM

When it comes to Win32.Virut, the only way to go is to do a full reformat of your computer.. There's nothing we can do about it.. Please read the excerpts from malware experts below..


A quote from an expert (sUBs)

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.


Full reformat means formatting ALL partitions..



from tetonbob

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html



Have you done the backup as I suggested in Post #5 and Post #9..?

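The backup rules quoted in this post, turned into a checker as an added example (not from the thread and not a tool of Dr.Web, ComboFix or BleepingComputer): the Python script below walks a folder and classifies each file as keep or skip following tetonbob's list. .exe and .scr files are skipped, so are .htm/.html/.asp/.php, and a .zip is opened and skipped if it contains an executable. .cab and .rar cannot be inspected with Python's standard library, so this example skips them outright, which also matches the stricter list in Post #5. The sample tree is constructed in a temporary directory; its file names and contents are placeholders. The script decides only what to copy; where the copy goes (CD/DVD or an otherwise empty external drive, never another machine) is the advice above and is not automated here.

```python
"""Classify files for a backup from a machine with a suspected file infector (added example)."""
import tempfile
import zipfile
from pathlib import Path

# Extensions the thread says not to back up: executables and screensavers
# (the infector appends itself to them) and the web files recent variants modify.
EXECUTABLE_EXT = {".exe", ".scr"}
WEB_EXT = {".htm", ".html", ".asp", ".php"}
# Archives: .zip can be inspected with the standard library; .cab and .rar
# cannot here, so this example excludes them outright (a conservative choice).
INSPECTABLE_ARCHIVE_EXT = {".zip"}
OPAQUE_ARCHIVE_EXT = {".cab", ".rar"}


def zip_contains_executable(path: Path) -> bool:
    """True if any member of the zip has an executable/screensaver extension."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in EXECUTABLE_EXT for name in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than guess


def classify(path: Path) -> tuple:
    """Return ("keep" | "skip", reason) for one file."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXT:
        return ("skip", "executable/screensaver")
    if ext in WEB_EXT:
        return ("skip", "web file")
    if ext in OPAQUE_ARCHIVE_EXT:
        return ("skip", "archive that cannot be inspected")
    if ext in INSPECTABLE_ARCHIVE_EXT:
        if zip_contains_executable(path):
            return ("skip", "archive contains executable")
        return ("keep", "archive without executables")
    return ("keep", "data file")


def plan_backup(root: Path) -> dict:
    """Map each file's path relative to root -> classification."""
    return {
        p.relative_to(root).as_posix(): classify(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_sample_tree(root: Path) -> None:
    """Constructed sample tree; names and contents are placeholders."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "report.doc").write_bytes(b"constructed sample document")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed")
    (root / "setup.exe").write_bytes(b"MZ constructed")
    (root / "saver.scr").write_bytes(b"MZ constructed")
    (root / "page.html").write_text("<html>constructed</html>")
    (root / "old.rar").write_bytes(b"Rar! constructed")
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", "constructed")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/tool.exe", "MZ constructed")


def demo() -> dict:
    """Build the sample tree in a temporary directory and return the backup plan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        plan = plan_backup(root)
    for rel, (decision, reason) in plan.items():
        print(f"{decision:4} {rel:18} ({reason})")
    return plan


if __name__ == "__main__":
    demo()
```

Classification by extension is the same rule the experts give and is deliberately simple; a file renamed to hide its extension would slip through, which is one more reason the thread's advice keeps executables and installers off the backup media entirely.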




