Fake antivirus scan and Blue "warning" desktop screen


  • This topic is locked
18 replies to this topic

#1 xcal123 (Members, 9 posts)

Posted 04 August 2009 - 06:53 PM

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Owner at 16:34:31.45 on Tue 08/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.288 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
{3b038d76-450a-42ba-bfbe-3f4ca9334a4d}
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [12334064] c:\documents and settings\all users\application data\12334064\12334064.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motoro~1.lnk - c:\program files\motorola wireless\wu830g usb adapter\Startup.EXE
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: tuvuspn - tuvuspn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssttt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\z6otmb1o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2005-6-16 336256]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-23 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-23 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-23 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-23 55640]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-5-23 179856]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-13 24652]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\h:\belkin\belkin~1.11g\dnindis5.sys --> h:\belkin\belkin~1.11g\DNINDIS5.SYS [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-5-23 15504]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-5-16 280344]

=============== Created Last 30 ================

2009-08-04 16:22 <DIR> --d----- c:\program files\Trend Micro
2009-08-04 15:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12334064
2009-07-08 18:20 1,878,888 a------- c:\program files\install_flash_player.exe

==================== Find3M ====================

2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2008-03-11 14:40 6,029,648 a------- c:\program files\Firefox Setup 2.0.0.12.exe
2008-02-25 12:59 20,449,400 a------- c:\program files\VeohSetup-3.8.2.1104.exe
2007-12-05 00:17 12,132,024 a------- c:\program files\Install_AIM.exe
2007-08-30 03:04 22,888 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2007-08-19 22:53 28,868,320 a------- c:\program files\FileFormatConverters.exe
2007-05-16 21:25 10,394 a------- c:\program files\winscp400.ini
2007-05-16 21:10 1,942,355 a------- c:\program files\winscp400setup.exe
2007-05-16 21:01 12,038,352 a------- c:\program files\mozilla-win32-1.7.13-installer.exe
2007-05-16 20:58 1,451,520 a------- c:\program files\winscp400.exe
2007-05-16 20:35 8,637,078 a------- c:\program files\vpnclient-win-2kx-xp.exe
2007-04-03 23:41 4,322,304 a------- c:\program files\aawsepersonal.exe
2007-04-02 11:14 1,094,365 a------- c:\program files\defs.ref
2007-03-16 19:20 7,101,440 a------- c:\program files\PocketDivXEncoder_0.3.60.exe
2007-02-08 22:56 9,453,630 a------- c:\program files\vlc-0.8.6a-win32.exe
2007-11-20 18:07 436,276 a--sh--- c:\windows\system32\tttss.ini2
2009-04-18 12:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041820090419\index.dat

============= FINISH: 16:37:18.09 ===============


#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver WA, USA)

Posted 07 August 2009 - 09:03 PM

Hello xcal123,

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

*************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0 Update 6
    Java 6 Update 3
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.


    *************
Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 07 August 2009 - 09:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
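Reading the DDS "Pseudo HJT Report" the way the reply above does (spotting the entries that do not belong) can be partly automated. The Python script below is an added example for this thread; it is not code from DDS, from BleepingComputer or from anyone in the discussion. It applies three defender heuristics to the persistence lines of the log in post #1: Run values whose name is purely numeric or whose target lives under a profile data directory, Winlogon Notify handlers outside a small allowlist, and any LSA authentication package other than the Windows XP default msv1_0. The sample input is six lines copied from that log (three benign, three that the heuristics flag); the KNOWN_NOTIFY allowlist is an assumption for this example and should be tuned to the environment.

```python
"""Triage persistence entries from a DDS "Pseudo HJT Report" (added example)."""
import re
from dataclasses import dataclass

# The only authentication package a stock Windows XP install lists; anything
# else named here is loaded into lsass.exe at boot.
DEFAULT_LSA_PACKAGES = {"msv1_0"}

# Winlogon Notify handlers that legitimately show up with vendor graphics
# drivers. Assumed allowlist for this example; extend it for your own fleet.
KNOWN_NOTIFY = {"igfxcui", "atiextevent"}

RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
NOTIFY_RE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>.+)$", re.I)
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(?P<pkgs>.+)$", re.I)

# Constructed sample: six lines copied from the DDS log in post #1.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [12334064] c:\documents and settings\all users\application data\12334064\12334064.exe
Notify: igfxcui - igfxsrvc.dll
Notify: tuvuspn - tuvuspn.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssttt.dll
"""


@dataclass
class Finding:
    line: str
    reason: str


def _run_reason(name: str, cmd: str):
    """Return why a Run value looks suspicious, or None if it passes."""
    if name.isdigit():
        return "Run value name is purely numeric"
    target = cmd.lower()
    if "\\application data\\" in target or "\\local settings\\temp\\" in target:
        return "Run target lives under a profile data directory"
    return None


def triage_dds(report: str):
    """Apply the three heuristics to every line of a DDS Pseudo HJT Report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            reason = _run_reason(m["name"], m["cmd"])
            if reason:
                findings.append(Finding(line, reason))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding(line, "Winlogon Notify handler not in allowlist "
                                        f"({m['dll']} runs inside winlogon.exe at logon)"))
            continue
        m = LSA_RE.match(line)
        if m:
            # Every token after the default package is an extra DLL lsass will load.
            extra = [p for p in m["pkgs"].split() if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding(line, "non-default LSA authentication package: "
                                        + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.reason}\n    {f.line}")
```

Two of the three flagged entries (the 12334064 Run value and the tuvuspn Notify handler) reappear later in this thread in the MBAM and ComboFix removal logs; an LSA authentication package pointing at an unfamiliar DLL in system32 is worth a look whether or not a scanner names it.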

#3 xcal123 (Topic Starter)

Posted 08 August 2009 - 02:11 AM

Hi,

I did the full scan after I made the first post w/o realizing it wasn't up to date. It found something known as "Rogue.Multiple.H"? I removed the selected items and everything seemed to be running smoothly. I was no longer getting a slow internet connection, google redirects, and my desktop screen went back to normal. I thought all was well until my computer is now doing random shutdowns and I get a message saying that "A serious error has just occurred" when I turn the computer on again. I did another scan with an updated version of MBAM after I read your directions to do so and it found "trojan.Agent"? I don't know if that had anything to do with the random shutdowns, but it seems as though something is still wrong. I tried to remove it using MBAM but it said it couldn't and to restart my computer.

Thank you so much for your time and effort to help me! It is very much appreciated! Here are my 2 logs (1 before update of MBAM and one after). I'm so sorry for including 2 logs. I wasn't sure which one to post up as they both found different infections. Once again thank you!


MBAM LOG 1:

Malwarebytes' Anti-Malware 1.36
Database version: 2173
Windows 5.1.2600 Service Pack 3

8/4/2009 6:23:40 PM
mbam-log-2009-08-04 (18-23-40).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 153989
Time elapsed: 1 hour(s), 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12334064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12334064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\12334064\12334064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12334064\12334064.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.



MBAM LOG 2:

Malwarebytes' Anti-Malware 1.40
Database version: 2577
Windows 5.1.2600 Service Pack 3

8/7/2009 11:41:23 PM
mbam-log-2009-08-07 (23-41-23).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 161991
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

#4 SifuMike (malware expert, Staff Emeritus)

Posted 08 August 2009 - 09:49 AM

Hi xcal123,

I don't think the random shutdowns are caused by malware.

Your MBAM LOG 2 is incomplete. It is missing the last few lines. Please post it again.



We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read ComboFix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
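The reply above notices that MBAM LOG 2 was pasted without its last sections. That check can be made mechanical: an MBAM 1.x log states a count for each of seven categories in its summary block and then lists the items per category, so a complete log has all seven detail sections and each list's length matches its summary count. The Python below is an added example; it is not MBAM's code or anything posted in this thread. It parses a log body and reports missing sections or count mismatches. The sample input is MBAM LOG 2 as posted in full in post #5, and the truncated variant is derived from it by cutting everything from the "Registry Data Items Infected:" section onward, which is the shape of the incomplete paste in post #3.

```python
"""Check an MBAM scan log for completeness and self-consistency (added example)."""
import re

# The seven categories every MBAM 1.x log reports, in the order they appear.
SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
SUMMARY_RE = re.compile(r"^(?P<section>.+?) Infected: (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+?) Infected:$")
NO_ITEMS = "(No malicious items detected)"

# Sample input: MBAM LOG 2 as posted in full in post #5 (blank lines between
# the detail sections dropped to keep the sample short).
FULL_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2577
Windows 5.1.2600 Service Pack 3

8/7/2009 11:41:23 PM
mbam-log-2009-08-07 (23-41-23).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 161991
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\SKYNETlog.dat (Trojan.Agent) -> Delete on reboot.
"""

# The same log cut off before its last three detail sections, which is how it
# was first pasted in post #3. (The summary line ends in " 0", so the search
# string below only matches the section header.)
TRUNCATED_LOG = FULL_LOG[:FULL_LOG.index("\nRegistry Data Items Infected:\n")]


def parse_mbam_log(text: str):
    """Return (summary_counts, detail_items) parsed from an MBAM log body."""
    summary, details, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            details[current] = []
            continue
        # Anything else under a section header is a listed item; the
        # "(No malicious items detected)" placeholder counts as none.
        if current and line != NO_ITEMS:
            details[current].append(line)
    return summary, details


def check_mbam_log(text: str):
    """Return a list of problems; an empty list means complete and consistent."""
    summary, details = parse_mbam_log(text)
    problems = []
    for section in SECTIONS:
        if section not in summary:
            problems.append(f"summary line for '{section}' missing")
            continue
        if section not in details:
            problems.append(f"detail section '{section}' missing (log truncated?)")
            continue
        listed = len(details[section])
        if listed != summary[section]:
            problems.append(f"'{section}': summary says {summary[section]}, "
                            f"{listed} item(s) listed")
    return problems


if __name__ == "__main__":
    for label, log in (("full", FULL_LOG), ("truncated", TRUNCATED_LOG)):
        print(label, "->", check_mbam_log(log) or "complete and consistent")
```

The count comparison also catches the opposite failure, a log whose summary block was edited or whose item list was partially pasted, since the summary and the listed items are two independent statements of the same result.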

#5 xcal123 (Topic Starter)

Posted 09 August 2009 - 02:57 AM

Hi,

Sorry, I didn't realize I forgot 2 lines from the log. Here is the full MBAM LOG 2. The combofix log is also posted below. Before combofix ran its scan it said to write these down on a piece of paper in case you may need it. Here is what it told me to record:

c:\WINDOWS\system32\drivers\SKYNETkwoojqpm.sys
c:\WINDOWS\system32\SKYNETwrbmlngt.dll
c:\WINDOWS\system32\SKYNETevlejefa.dat
c:\WINDOWS\system32\SKYNETvhmbfyir.dll
c:\WINDOWS\system32\SKYNETnwakqbpl.dat


MBAM LOG 2:
Malwarebytes' Anti-Malware 1.40
Database version: 2577
Windows 5.1.2600 Service Pack 3

8/7/2009 11:41:23 PM
mbam-log-2009-08-07 (23-41-23).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 161991
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\SKYNETlog.dat (Trojan.Agent) -> Delete on reboot.




Combofix Log:

ComboFix 09-08-08.04 - Owner 08/09/2009 0:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.283 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\documents and settings\Owner\Favorites\Online Security Guide.lnk
c:\recycler\NPROTECT
c:\temp\abW9
c:\windows\system32\drivers\SKYNETkwoojqpm.sys
c:\windows\system32\kywvmdrq.ini
c:\windows\system32\rMa02yy
c:\windows\system32\SKYNETevlejefa.dat
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETnwakqbpl.dat
c:\windows\system32\SKYNETvhmbfyir.dll
c:\windows\system32\SKYNETwrbmlngt.dll
c:\windows\system32\tttss.ini
c:\windows\system32\tttss.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETipguujsv
-------\Legacy_SKYNETipguujsv


((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.

2009-08-08 05:42 . 2009-08-08 05:42 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-08 05:40 . 2009-08-08 05:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-08 05:38 . 2009-08-08 05:38 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-04 23:22 . 2009-08-04 23:22 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 05:45 . 2009-05-24 05:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 05:39 . 2005-06-18 03:30 -------- d-----w- c:\program files\Java
2009-08-08 05:28 . 2007-01-11 18:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-08-08 05:28 . 2006-10-02 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-08 05:25 . 2009-05-24 04:53 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 20:36 . 2009-05-24 05:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-05-24 05:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 19:54 . 2007-01-24 01:31 -------- d--h--w- c:\documents and settings\Owner\Application Data\Move Networks
2009-07-09 01:20 . 2009-07-09 01:20 1878888 ----a-w- c:\program files\install_flash_player.exe
2009-06-29 16:12 . 2005-02-18 23:19 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 08:41 . 2007-12-05 07:19 -------- d-----w- c:\program files\AIM6
2008-03-11 21:40 . 2008-03-11 21:40 6029648 ----a-w- c:\program files\Firefox Setup 2.0.0.12.exe
2008-02-25 19:59 . 2008-02-25 19:59 20449400 ----a-w- c:\program files\VeohSetup-3.8.2.1104.exe
2007-12-05 07:17 . 2007-12-05 06:10 12132024 ----a-w- c:\program files\Install_AIM.exe
2007-08-20 05:53 . 2007-08-20 05:53 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2007-05-17 04:25 . 2007-05-17 04:01 10394 ----a-w- c:\program files\winscp400.ini
2007-05-17 04:10 . 2007-05-17 04:10 1942355 ----a-w- c:\program files\winscp400setup.exe
2007-05-17 04:01 . 2007-05-17 04:01 12038352 ----a-w- c:\program files\mozilla-win32-1.7.13-installer.exe
2007-05-17 03:58 . 2007-05-17 03:58 1451520 ----a-w- c:\program files\winscp400.exe
2007-05-17 03:35 . 2007-05-17 03:35 8637078 ----a-w- c:\program files\vpnclient-win-2kx-xp.exe
2007-04-04 06:41 . 2007-04-04 06:41 4322304 ----a-w- c:\program files\aawsepersonal.exe
2007-04-02 18:14 . 2007-04-04 06:45 1094365 ----a-w- c:\program files\defs.ref
2007-03-17 02:20 . 2007-03-17 02:20 7101440 ----a-w- c:\program files\PocketDivXEncoder_0.3.60.exe
2007-02-09 05:56 . 2007-02-09 05:56 9453630 ----a-w- c:\program files\vlc-0.8.6a-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-14 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-24 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-08 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-5-16 1528880]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-3-23 1491023]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Motorola Wireless USB Adapter.lnk - c:\program files\Motorola Wireless\WU830G USB Adapter\Startup.EXE [2005-6-16 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/23/2009 9:53 PM 108289]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/23/2009 10:19 PM 19096]
R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [6/16/2005 11:56 PM 336256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/23/2009 10:19 PM 232720]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\h:\belkin\BELKIN~1.11G\DNINDIS5.SYS --> h:\belkin\BELKIN~1.11G\DNINDIS5.SYS [?]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3B038D76-450A-42BA-BFBE-3F4CA9334A4D} - (no file)
Notify-tuvuspn - tuvuspn.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z6otmb1o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 00:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
c:\program files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-08-09 0:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-09 07:44

Pre-Run: 3,326,361,600 bytes free
Post-Run: 4,861,108,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

180 --- E O F --- 2009-07-29 10:01

#6 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2009 - 08:38 AM

Hi xcal123,

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\documents and settings\all users\application data\12334064\12334064.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Also post a fresh DDS log.

Edited by SifuMike, 09 August 2009 - 08:39 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 xcal123
  • Topic Starter
  • Members
  • 9 posts

Posted 10 August 2009 - 02:45 AM

Hi SifuMike,

I was only able to get as far as the "show hidden files and folders" step from your directions. I wasn't able to copy/paste the file path listed into the "Suspicious files to scan" box. Every time I clicked on the box to paste it, a file upload screen popped up. I tried Ctrl+V but that didn't work. I then tried to find the file path manually by browsing for it, but it said no such file path exists. As a result, I wasn't able to upload anything to scan. What do you recommend I do?

#8 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 August 2009 - 11:06 AM

Hi xcal123,

That's OK. Looks like that file has been deleted and that is why you could not find it. :thumbup2:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

#9 xcal123
  • Topic Starter
  • Members
  • 9 posts

Posted 10 August 2009 - 05:33 PM

Hi SifuMike,

Sorry about my previous post, just found the file today when I ran a "search" from the start menu. Not sure if it's the same file you wanted me to scan since the file path differed a bit, but thought I'd post it anyways just in case it may be informative.
Also, I wasn't able to run the Kaspersky Online Scanner. I accepted the terms and while it was updating/downloading, I eventually got this message: "Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Key is expired]" I've tried multiple times to run it (IE, Firefox), but the same message pops up.


Virscan.org scan:
File information
File Name : 12334064.EXE-0CC88D54.pf
File Size : 49800 byte
File Type : data
MD5 : 25d6441ea7db3c8c1ff014cd998a9901
SHA1 : 0847b5b5cb96cc66bb9a8cde34af99bfa5ad4031

Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2009/08/10 14:59:14 (PDT)
Scanner      Engine Ver       Sig Ver           Sig Date    Scan result  Time
a-squared    4.5.0.3          20090811000225    2009-08-11  -            0.342
AhnLab V3    2009.08.10.07    2009.08.10        2009-08-10  -            0.772
AntiVir      8.2.0.248        7.1.5.93          2009-08-10  -            0.520
Antiy        2.0.18           20090810.2695746  2009-08-10  -            0.119
Arcavir      2009             200908101724      2009-08-10  -            0.017
Authentium   5.1.1            200908101914      2009-08-10  -            1.172
AVAST!       4.7.4            090810-0          2009-08-10  -            0.005
AVG          8.5.288          270.13.49/2295    2009-08-11  -            0.308
BitDefender  7.81008.3835512  7.27098           2009-08-11  -            3.411
CA (VET)     9.0.0.143        31.6.6667         2009-08-10  -            7.291
ClamAV       0.95.2           9670              2009-08-10  -            0.007
Comodo       3.10             1936              2009-08-10  -            0.693
CP Secure    1.1.0.715        2009.08.10        2009-08-10  -            11.860
Dr.Web       4.44.0.9170      2009.08.10        2009-08-10  -            5.038
F-Prot       4.4.4.56         20090810          2009-08-10  -            1.159
F-Secure     7.02.73807       2009.08.10.10     2009-08-10  -            0.048
Fortinet     2.81-3.120       10.691            2009-08-07  -            0.188
GData        19.7014/19.435   20090810          2009-08-10  -            4.744
Ikarus       T3.1.01.64       2009.08.10.73215  2009-08-10  -            3.481
JiangMin     11.0.800         2009.08.10        2009-08-10  -            3.808
Kaspersky    5.5.10           2009.08.10        2009-08-10  -            0.023
KingSoft     2009.2.5.15      2009.8.10.14      2009-08-10  -            0.455
McAfee       5.3.00           5705              2009-08-10  -            3.027
Microsoft    1.4903           2009.08.10        2009-08-10  -            5.099
Norman       6.01.09          6.01.00           2009-08-10  -            4.007
nProtect     20090809.01      4982391           2009-08-09  -            6.308
Panda        9.05.01          2009.08.10        2009-08-10  -            1.670
Quick Heal   10.00            2009.08.10        2009-08-10  -            1.098
Rising       20.0             21.42.04.00       2009-08-10  -            0.257
Sophos       2.89.1           4.44              2009-08-11  -            2.872
Sunbelt      5322             5322              2009-08-10  -            1.249
Symantec     1.3.0.24         20090810.003      2009-08-10  -            0.046
The Hacker   6.3.4.3          v00379            2009-08-10  -            0.630
Trend Micro  8.700-1004       6.354.06          2009-08-10  -            0.024
VBA32        3.12.10.9        20090810.1232     2009-08-10  -            1.822
ViRobot      20090810         2009.08.10        2009-08-10  -            0.439
VirusBuster  4.5.11.10        10.112.1/1844782  2009-08-10  -            2.239
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

#10 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 August 2009 - 06:15 PM

Hi xcal123,

Sometimes Kaspersky has trouble running, but we have alternate Virus scanners.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#11 xcal123
  • Topic Starter
  • Members
  • 9 posts

Posted 12 August 2009 - 12:22 AM

Hi SifuMike,

Just wanted to let you know that I won't have access to my computer until Friday. Please don't close this topic. I'll resume with the scanning/directions as soon as I get back. Thanks!

#12 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 August 2009 - 12:34 AM

OK. :thumbup2:

#13 xcal123
  • Topic Starter
  • Members
  • 9 posts

Posted 15 August 2009 - 01:44 AM

Hi SifuMike,

Here is what the ESET scan reported:

C:\Qoobox\Quarantine\C\WINDOWS\system32\kywvmdrq.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\tttss.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\tttss.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

#14 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 August 2009 - 09:49 AM

Hi xcal123,

I think we have you clean. :thumbup2:

How is your computer running?

We still have to do the program clean up.

#15 xcal123
  • Topic Starter
  • Members
  • 9 posts

Posted 15 August 2009 - 08:00 PM

Hi SifuMike,

Really?! Thanks! :thumbup2: Everything seems to be running fine now. No more random shutdowns, google redirects, fake scans, or blue warning desktop screen. The internet connection is no longer slow either! What do I do for the program clean up?
