Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Desperate To Remove Months-Old Mystery XP Virus

  • This topic is locked This topic is locked
9 replies to this topic

#1 Doot Doot

Doot Doot

  • Members
  • 15 posts
  • Local time:12:51 AM

Posted 20 May 2009 - 04:29 PM

Hello all, I am in the process of attempting to get rid of a stubborn virus that has been infecting my XP Pro partition for months now. This is probably the next to last step I take in attempting to get rid of it (my last resort would be to reformat the partition and start over, but that's too much work in my opinion when there should be a way to get rid of whatever virus this may be).

Brief History: My PC is setup to dual boot Vista and XP using one hard drive and two respective partitions. I'd originally work in XP the most until I acquired this virus that I believe to have originated from a malicious website found during a Google search. To begin with, the virus made work in XP so difficult that I had to switch over to the Vista partition in order to eliminate what I could of the virus. Earlier symptoms included hijacked homepage in Firefox and IE, loads of popups to the point that I could not access anything via a browser, Vista partition hidden from XP and XP partition not accessible from Vista, and malware randomly installing itself and creating lots of fake system files. Fortunately after a couple of months, the worst of these symptoms were fixed; and I assumed it would be safe to return to XP now, but there is still part of the virus present.

Current Symptoms: Now I am getting popups in random intervals that come up every time I have a browser open, be it IE or Firefox. The popups are nearly full-screen ads likely related to malware and the only thing I click is the X to close them. I also suspect that the virus has a keylogger on my computer, since I've searched for keywords such as "Ebay" and shortly after an Ebay-related popup would emerge; there have been instances of this happening with other search keywords. I also suspect that some files from the popups might be on my PC since some of them contain audio that I hear about 30 seconds before the popup appears. I also notice a bit of a lag when I try to open either browser, where if I try to open a browser on Vista it will come up immediately. One major thing that worries me which I believe to be possibly related to the virus is the loud whine of the CPU and case fans constantly coming from my PC tower; I know it can't possibly be a hardware issue (though will provide specs if necessary) because it starts only when I begin to boot into XP and continues on as long as I'm using XP, when I'm using Vista on its partition my PC makes little to no sounds at all. The other symptom I notice is while looking around in system32 for anything that doesn't seem like a real system file, there are various garbled name files (that never turn up on a Google search) and seem to update themselves often (the modified date changes); these files are not signed by Microsoft or any company for that matter and I've also noticed that if I open one of the INI files in Notepad, it cannot be modified like a normal INI file as it is in all garbled symbols. All the suspicious files have Hidden and/or System attributes, and in the screenshot attached I've marked what some of them look like.

Removal Attempts:
Antivirus - I keep a constantly updated antivirus software (and its firewall), Trend Micro Internet Security, running at all times. This software seems to have found more parts of the virus than other major name antivirus I have tried (including Norton, AVG, Avast, Panda, and Kaspersky); however, the current symptoms remain, even though I have scanned several times normally and once in safe mode.
Other Methods/Manual Removal - I have tried several times to manually delete the suspicious system files, but they always reappear. Additionally, I see nothing suspicious running in Task Manager and researched anything I thought to be suspicious which turned out to be files I was using or were important to my system. As a precaution, I also ran sfc /scannow to replace the system files with their originals but there was no change. I also ran CCleaner and deleted suspicious registry keys and temp files, along with the disk cleanup utility to make sure. I even cleaned up startup items and installed software, and I defragmented the partition to see if that would at least change the sounds my PC tower is making, but no change.

That's all the information that I can think of to provide at the moment; if any additional details are needed, feel free to ask. I ran DDS as instructed, so here are my results of DDS.txt (and if anyone doesn't know the exact steps on what I can do to rid myself of the virus, if possible I would like the name of this virus so that I can research it myself). *On a side note: Any references related to "MGX" in this log are part of a completely safe chat plugin for IE that I have been using for years; I thought I'd add that in because not many people know about it*

DDS (Ver_09-05-14.01) - NTFSx86
Run by Doot Doot at 16:02:45.40 on Wed 05/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2778 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

I:\WINDOWS\system32\svchost -k DcomLaunch
I:\WINDOWS\System32\svchost.exe -k netsvcs
I:\Program Files\Cepstral\bin\CepstralLicSrv.exe
I:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
I:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
I:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
I:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
I:\WINDOWS\system32\svchost.exe -k imgsvc
I:\Program Files\Trend Micro\BM\TMBMSRV.exe
I:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
I:\WINDOWS\System32\svchost.exe -k HTTPFilter
I:\Program Files\Trend Micro\Internet Security\TmProxy.exe
I:\Program Files\Unlocker\UnlockerAssistant.exe
I:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
I:\Program Files\Pidgin\pidgin.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\DAEMON Tools Lite\daemon.exe
I:\Documents and Settings\Doot Doot\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {129D532E-E2EC-4527-B4BA-4626830EFE18} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - i:\program files\common

BHO: {b54b9ad1-019b-417a-b8d4-c88986f1d3e2}: {2e3d1f68-988c-4d8b-a714-b9101da9b45b} - i:\windows\system32\xkpjtm.dll
BHO: {376EFD74-7AA4-44A4-9E39-E374ED3139A9} - No File
BHO: {52ebc65e-da38-4bcd-8b03-0dcb65f8f4f4} - i:\windows\system32\wvUonoNh.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - i:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - i:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {ADECBED6-0366-4377-A739-E69DFBA04663} - No File
TB: {BAB8F6DC-41B1-440F-A066-AAC224906880} - No File
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
mRun: [UnlockerAssistant] "i:\program files\unlocker\UnlockerAssistant.exe"
mRun: [MSConfig] i:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE i:\windows\system32\NvCpl.dll,NvStartup
mRun: [UfSeAgnt.exe] "i:\program files\trend micro\internet security\UfSeAgnt.exe"
mExplorerRun: [RMJwA03IbA] i:\documents and settings\all users\application data\kdctmbkv\ixkdabsr.exe
StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - i:\program files\common

files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - i:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - i:\program files\java\jre1.6.0_07

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - i:\progra~1\micros~3\office12

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - i:\progra~1\micros~3\office12

DPF: {4DD988A3-8A9A-4CC1-A763-F822C09E4315} - hxxp://www.va-sa-ra.co.jp/mgx/win/MGXPlugin.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} -

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - i:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: avldr - avldr.dll
Notify: opnkhihG - opnkhihG.dll
Notify: WBSrv - i:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: onfwbsak - {84EE7125-82B3-4FF4-9545-E07E29D0C01C} - No File
SEH: {376EFD74-7AA4-44A4-9E39-E374ED3139A9} - No File
SEH: {7b239acb-ca7c-9c9a-1234-fe822befe14e}: {e41efeb2-28ef-4321-a9c9-c7acbca932b7} - i:\windows\system32\xkpjtm.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 i:\windows\system32\wvUonoNh

================= FIREFOX ===================

FF - ProfilePath - i:\docume~1\dootdo~1\applic~1\mozilla\firefox\profiles\r6vm4psx.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: i:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R2 Cepstral License Server;Cepstral License Server;i:\program files\cepstral\bin\CepstralLicSrv.exe [2007-3-15 57344]
R2 NwSapAgent;SAP Agent;i:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 tmevtmgr;tmevtmgr;i:\windows\system32\drivers\tmevtmgr.sys [2009-5-19 52624]
R2 tmpreflt;tmpreflt;i:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R3 tmcfw;Trend Micro Common Firewall Service;i:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
R3 TmPfw;Trend Micro Personal Firewall;i:\progra~1\trendm~1\intern~1\TmPfw.exe [2009-5-19 488768]
R3 tmproxy;Trend Micro Proxy Service;i:\program files\trend micro\internet security\TmProxy.exe [2009-5-19 648456]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-20 15:48 116,224 ac------ i:\windows\system32\dllcache\xrxwiadr.dll
2009-05-20 15:46 701,386 ac------ i:\windows\system32\dllcache\wdhaalba.sys
2009-05-20 15:45 113,762 ac------ i:\windows\system32\dllcache\usrpda.sys
2009-05-20 15:44 36,736 ac------ i:\windows\system32\dllcache\ultra.sys
2009-05-20 15:43 185,344 ac------ i:\windows\system32\dllcache\OLD73B.tmp
2009-05-20 15:42 10,240 ac------ i:\windows\system32\dllcache\swpdflt2.dll
2009-05-20 15:41 20,752 ac------ i:\windows\system32\dllcache\sonync.sys
2009-05-20 15:40 94,698 ac------ i:\windows\system32\dllcache\sk98xwin.sys
2009-05-20 15:39 6,912 ac------ i:\windows\system32\dllcache\seaddsmc.sys
2009-05-20 15:38 82,432 ac------ i:\windows\system32\dllcache\rwia450.dll
2009-05-20 15:37 49,024 ac------ i:\windows\system32\dllcache\ql1280.sys
2009-05-20 15:36 16,384 ac------ i:\windows\system32\dllcache\philcam1.dll
2009-05-20 15:35 31,872 ac------ i:\windows\system32\dllcache\ovce.sys
2009-05-20 15:34 132,695 ac------ i:\windows\system32\dllcache\netwlan5.sys
2009-05-20 15:33 49,024 ac------ i:\windows\system32\dllcache\mstape.sys
2009-05-20 15:32 7,424 ac------ i:\windows\system32\dllcache\mammoth.sys
2009-05-20 15:31 6,144 ac------ i:\windows\system32\dllcache\OLD496.tmp
2009-05-20 15:30 154,496 ac------ i:\windows\system32\dllcache\icam4usb.sys
2009-05-20 15:29 289,887 ac------ i:\windows\system32\dllcache\hsf_fall.sys
2009-05-20 15:28 10,624 ac------ i:\windows\system32\dllcache\gameenum.sys
2009-05-20 15:27 57,856 ac------ i:\windows\system32\dllcache\OLD33F.tmp
2009-05-20 15:26 514,587 ac------ i:\windows\system32\dllcache\OLD2EA.tmp
2009-05-20 15:25 86,016 ac------ i:\windows\system32\dllcache\dc240usd.dll
2009-05-20 15:24 714,698 ac------ i:\windows\system32\dllcache\cbmdmkxx.sys
2009-05-20 15:23 104,832 ac------ i:\windows\system32\dllcache\atiraged.dll
2009-05-20 15:22 747,392 ac------ i:\windows\system32\dllcache\adm8830.sys
2009-05-20 14:44 6,680 a------- i:\windows\system32\oierqpdu.dll
2009-05-20 02:44 6,680 a------- i:\windows\system32\fkifnybv.dll
2009-05-20 01:58 221,184 a------- i:\windows\system32\wmpns.dll
2009-05-20 01:53 <DIR> --d----- i:\program files\Messenger
2009-05-20 01:52 701,440 ac------ i:\windows\system32\dllcache\ati2mtag.sys
2009-05-19 22:06 <DIR> --d----- i:\program files\CCleaner
2009-05-19 15:06 <DIR> --d----- i:\windows\system32\NtmsData
2009-05-19 14:45 6,680 -------- i:\windows\system32\vnmrlstm.dll
2009-05-19 02:52 <DIR> --d----- i:\windows\system32\Logfiles
2009-05-19 02:52 <DIR> --d----- I:\Inetpub
2009-05-19 02:47 11,529 a--sh--- i:\windows\system32\hNonoUvw.ini2
2009-05-19 02:44 6,680 -------- i:\windows\system32\yycjmwck.dll
2009-05-19 02:21 <DIR> --d----- i:\windows\system32\log
2009-05-19 02:10 142,864 -------- i:\windows\system32\drivers\tmcomm.sys
2009-05-19 02:10 52,752 -------- i:\windows\system32\drivers\tmactmon.sys
2009-05-19 02:10 52,624 -------- i:\windows\system32\drivers\tmevtmgr.sys
2009-05-19 02:09 <DIR> --d----- i:\docume~1\alluse~1\applic~1\Trend Micro
2009-05-19 02:09 <DIR> --d----- i:\program files\Trend Micro
2009-05-17 16:28 117,760 -------- i:\windows\system32\xkpjtm.dll
2009-05-17 16:28 117,760 -------- i:\windows\system32\kjabieoe.dll

==================== Find3M ====================

2009-05-20 01:54 86,327 a------- i:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-17 06:16 1,682 ---sh--- i:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-08-13 01:51 88 ---shr-- i:\docume~1\alluse~1\applic~1\ECF241E301.sys
2008-09-28 19:42 16,384 ---sh--- i:\windows\temp\cookies\index.dat
2008-09-28 19:42 16,384 ---sh--- i:\windows\temp\history\history.ie5\index.dat
2008-09-28 19:42 32,768 ---sh--- i:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:03:06.76 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:51 AM

Posted 20 May 2009 - 04:47 PM

Hi Doot Doot,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

  • Please run DDS and attach both the logs to your reply.

#3 Doot Doot

Doot Doot
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:51 AM

Posted 20 May 2009 - 05:55 PM

Thanks, farbar, I just followed your instructions including rebooting when prompted and at least my virus has a name now; here are the logs:
*(Also on a side note my computer's still making noises and some suspicious system files remain but no more popups thus far)*

Malwarebytes' Anti-Malware 1.36
Database version: 2160
Windows 5.1.2600 Service Pack 3

5/20/2009 6:37:32 PM
mbam-log-2009-05-20 (18-37-32).txt

Scan type: Quick Scan
Objects scanned: 83041
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 25
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
I:\WINDOWS\system32\wvUonoNh.dll (Trojan.Vundo.H) -> Delete on reboot.
I:\WINDOWS\system32\xkpjtm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e3d1f68-988c-4d8b-a714-b9101da9b45b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2e3d1f68-988c-4d8b-a714-b9101da9b45b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52ebc65e-da38-4bcd-8b03-0dcb65f8f4f4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{52ebc65e-da38-4bcd-8b03-0dcb65f8f4f4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2e3d1f68-988c-4d8b-a714-b9101da9b45b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e41efeb2-28ef-4321-a9c9-c7acbca932b7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{52ebc65e-da38-4bcd-8b03-0dcb65f8f4f4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.bqxp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376efd74-7aa4-44a4-9e39-e374ed3139a9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bab8f6dc-41b1-440f-a066-aac224906880} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{129d532e-e2ec-4527-b4ba-4626830efe18} (Rogue.MicroAV) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376efd74-7aa4-44a4-9e39-e374ed3139a9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{129d532e-e2ec-4527-b4ba-4626830efe18} (Rogue.MicroAV) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e41efeb2-28ef-4321-a9c9-c7acbca932b7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e41efeb2-28ef-4321-a9c9-c7acbca932b7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{bab8f6dc-41b1-440f-a066-aac224906880} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{376efd74-7aa4-44a4-9e39-e374ed3139a9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: i:\windows\system32\wvuononh -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: i:\windows\system32\wvuononh -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ (HomePage.Hijack.H) -> Bad: ("C:\Program Files\Internet Explorer\iexplore.exe" http://www.sinacc.com/?ie) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
I:\WINDOWS\system32\xkpjtm.dll (Trojan.Vundo.H) -> Delete on reboot.
I:\WINDOWS\system32\wvUonoNh.dll (Trojan.Vundo.H) -> Delete on reboot.
I:\WINDOWS\system32\hNonoUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\hNonoUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\kjabieoe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
I:\Documents and Settings\Doot Doot\Application Data\TmpRecentIcons\Micro Antivirus 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Attached Files

  • Attached File  DDS.zip   6.27KB   21 downloads

#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:51 AM

Posted 20 May 2009 - 06:03 PM

Well done. :thumbup2:

Please don't zip the files as they pose no threat, it just makes opening them more difficult.

Please run MBAM once more and post the log.

#5 Doot Doot

Doot Doot
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:51 AM

Posted 20 May 2009 - 06:27 PM

Ok I just ran the program again, it got everything it could find from what I see but I still think there's something there (because of the remaining system32 files and hardware noises); here's the new log:

Malwarebytes' Anti-Malware 1.36
Database version: 2160
Windows 5.1.2600 Service Pack 3

5/20/2009 7:24:11 PM
mbam-log-2009-05-20 (19-24-11).txt

Scan type: Quick Scan
Objects scanned: 81971
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:51 AM

Posted 20 May 2009 - 06:36 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 Doot Doot

Doot Doot
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:51 AM

Posted 20 May 2009 - 07:18 PM

Thank you! After following through with your last instructions, the other symptoms seem to be gone (no lag when opening a browser, no obvious fake system files). I'm not entirely sure if its gone though, but this could be something else; the whole issue with the whining noises coming from my PC tower. Although it has gotten significantly better than before; now its generally quiet with a few small noises at random times, where before it was a constant loud noise that bothered me (Not sure if this is a dumb question, but is it possible for a virus to mess up hardware?). Either way, does this look ok now? Here's the results of the log from ComboFix.txt:

ComboFix 09-05-20.09 - Doot Doot 05/20/2009 19:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2928 [GMT -4:00]
Running from: i:\documents and settings\Doot Doot\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))

2009-05-20 22:30 . 2009-05-20 22:30 -------- d-----w i:\program files\Malwarebytes' Anti-Malware
2009-05-20 19:48 . 2008-04-14 09:42 116224 -c--a-w i:\windows\system32\dllcache\xrxwiadr.dll
2009-05-20 19:46 . 2001-08-17 17:28 701386 -c--a-w i:\windows\system32\dllcache\wdhaalba.sys
2009-05-20 19:45 . 2001-08-17 17:28 113762 -c--a-w i:\windows\system32\dllcache\usrpda.sys
2009-05-20 19:44 . 2001-08-17 17:52 36736 -c--a-w i:\windows\system32\dllcache\ultra.sys
2009-05-20 19:43 . 2001-08-17 16:51 138528 -c--a-w i:\windows\system32\dllcache\tgiulnt5.sys
2009-05-20 19:42 . 2001-08-18 02:36 10240 -c--a-w i:\windows\system32\dllcache\swpdflt2.dll
2009-05-20 19:41 . 2001-08-17 16:51 20752 -c--a-w i:\windows\system32\dllcache\sonync.sys
2009-05-20 19:40 . 2001-08-17 16:12 94698 -c--a-w i:\windows\system32\dllcache\sk98xwin.sys
2009-05-20 19:39 . 2001-08-17 17:53 6912 -c--a-w i:\windows\system32\dllcache\seaddsmc.sys
2009-05-20 19:38 . 2001-08-18 02:36 82432 -c--a-w i:\windows\system32\dllcache\rwia450.dll
2009-05-20 19:37 . 2001-08-17 17:52 49024 -c--a-w i:\windows\system32\dllcache\ql1280.sys
2009-05-20 19:36 . 2001-08-18 02:36 16384 -c--a-w i:\windows\system32\dllcache\philcam1.dll
2009-05-20 19:35 . 2001-08-17 18:05 31872 -c--a-w i:\windows\system32\dllcache\ovce.sys
2009-05-20 19:34 . 2008-04-14 02:05 132695 -c--a-w i:\windows\system32\dllcache\netwlan5.sys
2009-05-20 19:33 . 2008-04-14 04:16 49024 -c--a-w i:\windows\system32\dllcache\mstape.sys
2009-05-20 19:32 . 2001-08-17 17:52 7424 -c--a-w i:\windows\system32\dllcache\mammoth.sys
2009-05-20 19:31 . 2008-04-14 04:09 14592 -c--a-w i:\windows\system32\dllcache\kbdhid.sys
2009-05-20 19:30 . 2001-08-17 18:06 154496 -c--a-w i:\windows\system32\dllcache\icam4usb.sys
2009-05-20 19:29 . 2001-08-17 17:28 289887 -c--a-w i:\windows\system32\dllcache\hsf_fall.sys
2009-05-20 19:28 . 2008-04-14 04:15 10624 -c--a-w i:\windows\system32\dllcache\gameenum.sys
2009-05-20 19:27 . 2001-08-18 02:36 45568 -c--a-w i:\windows\system32\dllcache\esuni.dll
2009-05-20 19:26 . 2001-08-17 16:12 19594 -c--a-w i:\windows\system32\dllcache\e100isa4.sys
2009-05-20 19:25 . 2001-08-18 02:36 86016 -c--a-w i:\windows\system32\dllcache\dc240usd.dll
2009-05-20 19:24 . 2001-08-17 17:28 714698 -c--a-w i:\windows\system32\dllcache\cbmdmkxx.sys
2009-05-20 19:23 . 2001-08-17 16:48 70528 -c--a-w i:\windows\system32\dllcache\atiragem.sys
2009-05-20 19:22 . 2001-08-17 16:19 747392 -c--a-w i:\windows\system32\dllcache\adm8830.sys
2009-05-20 05:58 . 2008-04-14 09:42 221184 ----a-w i:\windows\system32\wmpns.dll
2009-05-20 05:52 . 2008-04-14 09:41 4255 -c--a-w i:\windows\system32\dllcache\adv01nt5.dll
2009-05-20 02:06 . 2009-05-20 02:06 -------- d-----w i:\program files\CCleaner
2009-05-19 19:06 . 2009-05-19 19:08 -------- d-----w i:\windows\system32\NtmsData
2009-05-19 06:55 . 2009-05-19 06:55 -------- d-----w i:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-19 06:52 . 2009-05-19 06:52 -------- d-----w I:\Inetpub
2009-05-19 06:52 . 2009-05-19 06:52 -------- d-----w i:\windows\system32\Logfiles
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w i:\windows\system32\log
2009-05-19 06:10 . 2009-04-02 20:00 52624 ------w i:\windows\system32\drivers\tmevtmgr.sys
2009-05-19 06:10 . 2009-04-02 20:00 52752 ------w i:\windows\system32\drivers\tmactmon.sys
2009-05-19 06:10 . 2009-04-02 20:00 142864 ------w i:\windows\system32\drivers\tmcomm.sys
2009-05-19 06:09 . 2009-05-19 06:09 -------- d-----w i:\documents and settings\All Users\Application Data\Trend Micro
2009-05-19 06:09 . 2009-05-20 02:42 -------- d-----w i:\program files\Trend Micro
2009-05-19 05:40 . 2009-05-19 05:40 -------- d-----w i:\program files\microsoft frontpage

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-20 23:45 . 2008-08-12 08:57 237528 ----a-w i:\documents and settings\Doot Doot\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-20 05:54 . 2008-08-12 03:19 86327 ----a-w i:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-19 21:42 . 2008-08-13 06:38 -------- d-----w i:\program files\Winamp
2009-05-19 09:44 . 2008-08-13 06:36 -------- d-----w i:\program files\VirtualDub
2009-05-19 09:35 . 2008-08-13 05:03 -------- d-----w i:\program files\Acoustica Mixcraft 4
2009-05-19 06:01 . 2008-08-12 18:52 -------- d--h--w i:\program files\InstallShield Installation Information
2009-05-19 06:00 . 2008-08-13 08:00 -------- d-----w i:\program files\Logitech
2009-05-19 05:58 . 2008-09-24 20:26 -------- d-----w i:\program files\Windows Live
2009-04-06 19:32 . 2008-09-10 10:36 38496 ----a-w i:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-09-10 10:36 15504 ----a-w i:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"UnlockerAssistant"="i:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"UfSeAgnt.exe"="i:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - i:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-13 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=i:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\I:^Documents and Settings^Doot Doot^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=i:\documents and settings\Doot Doot\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=i:\windows\pss\BHODemon 2.0.lnkStartup

[HKLM\~\startupfolder\I:^Documents and Settings^Doot Doot^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=i:\documents and settings\Doot Doot\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=i:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"EnableFirewall"= 0 (0x0)

"i:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"i:\\Program Files\\uTorrent\\uTorrent.exe"=
"i:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"i:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files (x86)\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"AllowInboundEchoRequest"= 1 (0x1)

R2 Cepstral License Server;Cepstral License Server;i:\program files\Cepstral\bin\CepstralLicSrv.exe [3/15/2007 1:54 PM 57344]
R2 NwSapAgent;SAP Agent;i:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
R2 tmevtmgr;tmevtmgr;i:\windows\system32\drivers\tmevtmgr.sys [5/19/2009 2:10 AM 52624]
R2 tmpreflt;tmpreflt;i:\windows\system32\drivers\tmpreflt.sys [9/18/2007 12:29 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;i:\windows\system32\drivers\TM_CFW.sys [9/18/2007 12:29 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;i:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [5/19/2009 2:10 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;i:\program files\Trend Micro\Internet Security\TmProxy.exe [5/19/2009 2:10 AM 648456]
Contents of the 'Scheduled Tasks' folder
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-RMJwA03IbA - i:\documents and settings\All Users\Application Data\kdctmbkv\ixkdabsr.exe
Notify-WBSrv - i:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
Notify-avldr - avldr.dll
Notify-opnkhihG - opnkhihG.dll

------- Supplementary Scan -------
uStart Page = about:blank
IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4DD988A3-8A9A-4CC1-A763-F822C09E4315} - hxxp://www.va-sa-ra.co.jp/mgx/win/MGXPlugin.cab
FF - ProfilePath - i:\documents and settings\Doot Doot\Application Data\Mozilla\Firefox\Profiles\r6vm4psx.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: i:\program files\Mozilla Firefox\plugins\npbittorrent.dll


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 19:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-308236825-725345543-1003\Software\SecuROM\License information*]
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2584)
------------------------ Other Running Processes ------------------------
i:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
i:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
i:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
i:\program files\Trend Micro\Internet Security\SfCtlCom.exe
i:\program files\Trend Micro\BM\TMBMSRV.exe
i:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
Completion time: 2009-05-20 20:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 00:00

Pre-Run: 27,634,888,704 bytes free
Post-Run: 30,233,841,664 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#8 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:51 AM

Posted 20 May 2009 - 07:42 PM

To answer your question a virus can indirectly effect hardware. It can overload the system causing overheating, but I am not aware of any virus directly effecting hardware.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Removal Instructions
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore.

    The first reboot might be a little slow, the next one will be faster.
Optional Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • Install Javacoolsİ SpywareBlaster
    SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. What you need is updating it once in 2-3 weeks and enabling the restriction. You can find more information and a download link.

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.

Please let me know Combofix uninstalled properly.

Happy Surfing!

#9 Doot Doot

Doot Doot
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:51 AM

Posted 20 May 2009 - 08:53 PM

Thanks for your response and overall help; I installed the new version of Java and also had no problem with the Combofix uninstall. I'm aware that the virus is gone now, but I'm still curious about the aftereffects it has possibly left on my PC, as you mentioned overheating and of course the fans are still making the occasional whining sound (louder at some times than others). I'd think there would be many causes as to why this would continue happening, but I suppose I can deal with it as long as it's not going to cause potential long term damage to my PC.

#10 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:51 AM

Posted 21 May 2009 - 09:49 AM

You are very welcome.

The only thing I didn't saw on your list of action is this one which is a very important check for the volume errors and bad blocks:

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users