Antispyware 2010 ad popup, bleep.exe, Figaro


  • This topic is locked
31 replies to this topic

#1 BlackNBlue


Posted 03 September 2009 - 03:56 PM

Symantec Realtime Protection popped up out of the blue and warned me about a "figaro" infection; shortly after that a red shield with a cross appeared on the taskbar and warned me about my PC being infected. I had this problem in the past, but it was resolved.
A dialog box appeared later and periodically started a countdown to install Antispyware 2010; I managed to close it a few times.

Cleaned it with Spybot, but it came back every time I logged out and back in.


During a re-scan with Spybot the PC was really slow, and I didn't stop the dialog box when the countdown happened as I wasn't in front of the PC while the scan ran; the malware proceeded to install Antispyware 2010, and shortly after, bleep.exe was reported by Symantec Realtime Protection. Windows also started reporting missing crucial files and asked for the Windows installation disc to be in the drive to restore them. I did that and carried on to finish the scan, but the problem still exists after re-login.

Decided to post on the forum, but the browser kept crashing; I tried Firefox and later installed SeaMonkey, with the same result. SeaMonkey reported an out-of-date certificate for dreamspark.com, and when I accepted the certificate temporarily, it crashed again. I don't think that is the reason for the crashing, but I thought I would mention it.


Can't seem to upload any files! Had to transport the log files to my laptop to write this thread.

Thanks, guys, for taking the time to look into this.


QUICK EDIT: The executable that kept reappearing is braviax.exe, and the second virus was beep, not bleep :(

-----------------------------------------


DDS (Ver_09-07-30.01) - NTFSx86
Run by W S Mak at 20:38:39.06 on 03/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.534 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\W S Mak\sys32_nov.exe
C:\Documents and Settings\W S Mak\sys32_nov.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\QTRAYIME.EXE
svchost
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\W S Mak\Desktop\dds.scr
C:\WINDOWS\system32\rundll32.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [sys32_nov] c:\documents and settings\w s mak\sys32_nov.exe
uRun: [braviax]
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [EPSON Stylus DX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
mRun: [LiveMonitor] c:\program files\msi\live update 3\LMonitor.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [nForce Tray Options] sstray.exe /r
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRun: [Antivirus Pro 2009] "c:\program files\antiviruspro2009\AntivirusPro2009.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sys32_nov] c:\windows\system32\sys32_nov.exe
mRun: [braviax]
mRun: [Regedit32] c:\windows\system32\regedit.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\w s mak\start menu\programs\startup\ikowin32.exe
StartupFolder: c:\docume~1\wsmak~1\startm~1\programs\startup\q9tray~1.lnk - c:\windows\system32\QTRAYIME.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pcaler~1.lnk - c:\program files\msi\pc alert 4\PCAlert4.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ontiser.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wsmak~1\applic~1\mozilla\firefox\profiles\boudapq9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: XUL Cache: {12796D36-B951-4E3B-912C-06F64C41E2D1} - c:\documents and settings\w s mak\local settings\application data\{12796d36-b951-4e3b-912c-06f64c41e2d1}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2004-2-12 655482]
R3 DaCap;DaCap Audio Device Driver;c:\windows\system32\drivers\DaCap.sys [2006-4-2 32124]
R3 DvCap;DvCap Video Device Driver;c:\windows\system32\drivers\DvCap.sys [2006-4-2 65428]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 224768]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090902.005\NAVENG.sys [2009-9-3 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090902.005\NAVEX15.sys [2009-9-3 1323568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-09-03 20:27 191,357 a------- c:\windows\system32\wisdstr.exe
2009-09-03 20:26 11,264 a------- c:\windows\system32\braviax.exe
2009-09-03 19:15 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-09-03 19:15 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-09-03 18:56 19,046 a------- c:\program files\common files\zybu.sys
2009-09-03 18:56 18,351 a------- c:\program files\common files\diwed.bat
2009-09-03 18:56 17,898 a------- c:\windows\raqov.dl
2009-09-03 18:56 16,376 a------- c:\windows\system32\ivep.dat
2009-09-03 18:56 13,326 a------- c:\windows\system32\opiqyl.scr
2009-09-03 18:56 12,414 a------- c:\windows\solaro.dat
2009-09-03 18:56 10,936 a------- c:\program files\common files\nadoxewa.bin
2009-09-03 07:31 144 a------- c:\documents and settings\w s mak\delself.bat
2009-09-03 06:58 16,455 a------- c:\windows\pyvim.sys
2009-09-03 06:58 16,745 a------- c:\windows\system32\uzynugoq.bin
2009-09-03 06:58 16,156 a------- c:\windows\dylujunydi.lib
2009-09-03 06:58 15,233 a------- c:\program files\common files\asijy.bat
2009-09-03 06:58 10,405 a------- c:\docume~1\alluse~1\applic~1\epetof.reg
2009-09-03 06:58 15,258 a------- c:\program files\common files\equme.pif
2009-09-03 06:58 12,448 a------- c:\windows\system32\pebezik.db
2009-09-03 06:58 11,035 a------- c:\windows\isydacib.sys
2009-09-03 06:58 349,965 a------- c:\windows\system32\_scui.cpl
2009-09-02 23:09 874 a------- c:\windows\wininit.ini
2009-09-02 22:45 120 a------- c:\windows\Xsahusex.dat
2009-09-02 22:40 94,272 ac------ c:\windows\system32\dllcache\agp440.sys
2009-09-02 22:40 29,216 a------- c:\documents and settings\w s mak\sys32_nov.exe
2009-09-02 22:40 29,216 a------- c:\windows\system32\sys32_nov.exe

==================== Find3M ====================

2009-09-03 20:27 94,272 a------- c:\windows\system32\drivers\agp440.sys
2009-09-03 18:56 17,960 a------- c:\program files\common files\epesekyjy._sy
2009-09-03 18:56 15,069 a------- c:\program files\common files\xazonysys.dl
2009-09-03 18:56 13,036 a------- c:\program files\common files\ogosoliw.db
2009-09-03 06:58 18,207 a------- c:\program files\common files\oxodemaz.inf
2009-05-04 19:04 30,016 a------- c:\docume~1\wsmak~1\applic~1\GDIPFONTCACHEV1.DAT
2008-11-12 20:53 18,794 a------- c:\program files\common files\efeqowex.scr
2008-11-12 20:53 14,008 a------- c:\program files\common files\ytahaxomo.dat
2007-12-22 18:09 24,192 a------- c:\documents and settings\w s mak\usbsermptxp.sys
2007-12-22 18:09 22,768 a------- c:\documents and settings\w s mak\usbsermpt.sys

============= FINISH: 20:39:20.50 ===============

Edited by BlackNBlue, 03 September 2009 - 04:19 PM.
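A small triage script, added here as an illustration (it is not part of the original post or of the DDS tool), that applies to lines copied from the log above three of the checks a log reviewer makes by eye: Run entries with no command or with an executable sitting in a user-profile root, LSA Notification Packages beyond the default scecli, and bursts of files created in the same minute across several system directories. The finding labels, regexes and thresholds are my own assumptions, not anything DDS defines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log pasted in the post above.
SAMPLE_LOG = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [sys32_nov] c:\documents and settings\w s mak\sys32_nov.exe
uRun: [braviax]
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [sys32_nov] c:\windows\system32\sys32_nov.exe
mRun: [braviax]
LSA: Notification Packages = scecli ontiser.dll
2009-09-03 20:26 11,264 a------- c:\windows\system32\braviax.exe
2009-09-03 19:15 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-09-03 19:15 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-09-03 18:56 19,046 a------- c:\program files\common files\zybu.sys
2009-09-03 18:56 18,351 a------- c:\program files\common files\diwed.bat
2009-09-03 18:56 17,898 a------- c:\windows\raqov.dl
2009-09-03 18:56 16,376 a------- c:\windows\system32\ivep.dat
2009-09-03 18:56 13,326 a------- c:\windows\system32\opiqyl.scr
2009-09-03 18:56 12,414 a------- c:\windows\solaro.dat
2009-09-03 18:56 10,936 a------- c:\program files\common files\nadoxewa.bin
2009-09-02 22:40 29,216 a------- c:\documents and settings\w s mak\sys32_nov.exe
"""

# Line shapes as they appear in the DDS "Pseudo HJT Report" and "Created Last 30" sections.
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|scr|pif|com|bat))', re.I)
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.*)$")
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+[\d,]+\s+\S+\s+(?P<path>[a-z]:\\.+)$", re.I)


def check_run_entries(lines):
    """Flag Run values with no command at all (an autorun key whose payload is
    gone or hidden) and Run values whose executable sits directly in a user
    profile root rather than under Program Files or Windows."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd").strip()
        if not cmd:
            findings.append(("orphaned-run", name, ""))
            continue
        exe = EXE_RE.match(cmd)
        if exe and PROFILE_ROOT_RE.match(exe.group("path")):
            findings.append(("profile-root-run", name, exe.group("path").lower()))
    return findings


def check_lsa_packages(lines, expected=frozenset({"scecli"})):
    """Flag LSA Notification Packages beyond the expected set (scecli is the
    only one on a default XP install). Anything listed here is loaded into
    lsass.exe at boot, which is why a reviewer looks at this line early."""
    findings = []
    for line in lines:
        m = LSA_RE.match(line.strip())
        if m:
            for pkg in m.group("pkgs").split():
                if pkg.lower() not in expected:
                    findings.append(("lsa-notification-package", pkg))
    return findings


def find_creation_bursts(lines, min_files=4, min_dirs=2):
    """Group Created-Last-30 entries by minute; several files landing in the
    same minute across more than one system directory is typical dropper output."""
    by_minute = defaultdict(list)
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            by_minute[m.group("stamp")].append(m.group("path").lower())
    bursts = []
    for stamp, paths in sorted(by_minute.items()):
        dirs = {p.rsplit("\\", 1)[0] for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            bursts.append((stamp, len(paths), sorted(dirs)))
    return bursts


def triage(log_text):
    """Run all three checks over a DDS log and return the findings per check."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return {
        "run": check_run_entries(lines),
        "lsa": check_lsa_packages(lines),
        "bursts": find_creation_bursts(lines),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(section, item)
```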


#2 BlackNBlue


Posted 04 September 2009 - 07:21 PM

Thought I should warn everyone: do not leave your PC connected to the internet if you are seeing a similar problem to mine. I've just got a call from my ISP telling me of abuse (spam etc.) from my connection :(

#3 Farbar


Posted 06 September 2009 - 08:45 AM

Hi BlackNBlue,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Important note: In case you have not made changes to the system, please proceed with the following step; otherwise update me about the current condition of your computer and post a new RootRepeal log.

This time we want to run ComboFix. This is a major step. Please be precise, make sure to rename it and save it on your desktop, and let it download and install the Recovery Console.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Rename it to blue.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double-click blue.exe to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt into your next reply.

#4 Farbar


Posted 09 September 2009 - 12:00 PM

Are you still there?

#5 Farbar


Posted 12 September 2009 - 06:21 PM

This thread will now be closed due to lack of activity.

If you should have the same or a new issue, please start a new topic.

#6 Farbar


Posted 15 September 2009 - 04:50 AM

Topic reopened due to special circumstances.

#7 BlackNBlue


Posted 15 September 2009 - 03:27 PM

Hi Farbar,

Please find below the requested log.


-----------------------------
ComboFix 09-09-14.02 - W S Mak 15/09/2009 21:04.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.684 [GMT 1:00]
Running from: c:\documents and settings\W S Mak\Desktop\blue.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\abyxu.lib
c:\documents and settings\All Users\Application Data\epetof.reg
c:\documents and settings\All Users\Documents\ateg.ban
c:\documents and settings\All Users\Documents\kyfajetus.sys
c:\documents and settings\All Users\Documents\nizalabeli.pif
c:\documents and settings\All Users\Documents\ukafyxahon.sys
c:\documents and settings\All Users\Documents\vyfeha.reg
c:\documents and settings\Ana De Casa\Application Data\akede.scr
c:\documents and settings\Ana De Casa\Application Data\dogixiduh.exe
c:\documents and settings\Ana De Casa\Application Data\dotyx.bat
c:\documents and settings\Ana De Casa\Application Data\jaricudij.inf
c:\documents and settings\Ana De Casa\Application Data\lolicut.scr
c:\documents and settings\Ana De Casa\Application Data\olema.ban
c:\documents and settings\Ana De Casa\Cookies\elekasaqup.db
c:\documents and settings\Ana De Casa\Cookies\hureligur.sys
c:\documents and settings\Ana De Casa\Cookies\kapevakar.ban
c:\documents and settings\Ana De Casa\Cookies\paro.sys
c:\documents and settings\Ana De Casa\Cookies\rugi.ban
c:\documents and settings\Ana De Casa\Cookies\ybavy.vbs
c:\documents and settings\Ana De Casa\delself.bat
c:\documents and settings\Ana De Casa\Local Settings\Application Data\iguqesebyg.pif
c:\documents and settings\Ana De Casa\Local Settings\Application Data\inenazyba.sys
c:\documents and settings\Ana De Casa\Local Settings\Application Data\memyme.exe
c:\documents and settings\Ana De Casa\Local Settings\Application Data\nulezuxy.vbs
c:\documents and settings\Ana De Casa\Local Settings\Application Data\otysoqu.com
c:\documents and settings\Ana De Casa\Local Settings\Application Data\wimulofoxa.com
c:\documents and settings\Ana De Casa\Local Settings\Application Data\ymofezohah.exe
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\amecux.bat
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\anal.sys
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\efyl._sy
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\mifypewi.dat
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\nyco.scr
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\ohabusehux.sys
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\rejufyfim.inf
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\usolyc.dll
c:\documents and settings\Ana De Casa\Local Settings\Temporary Internet Files\yvyhafuv.lib
c:\documents and settings\Ana De Casa\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\LocalService\Application Data\wsnpoem
c:\documents and settings\LocalService\Application Data\wsnpoem\audio.dll
c:\documents and settings\NetworkService\Application Data\wsnpoem
c:\documents and settings\NetworkService\Application Data\wsnpoem\audio.dll
c:\documents and settings\W S Mak\Application Data\wiaserva.log
c:\documents and settings\W S Mak\delself.bat
c:\documents and settings\W S Mak\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\W S Mak\Start Menu\Programs\Startup\ikowin32.exe
c:\documents and settings\W S Mak\sys32_nov.exe
c:\program files\AntivirusPro2009
c:\program files\Common Files\asijy.bat
c:\program files\Common Files\diwed.bat
c:\program files\Common Files\equme.pif
c:\program files\Common Files\nadoxewa.bin
c:\program files\Common Files\oxodemaz.inf
c:\program files\Common Files\xazonysys.dl
c:\program files\Common Files\zybu.sys
c:\program files\Dot1XCfg
c:\windows\awap.dll
c:\windows\BM4fc89cdf.txt
c:\windows\cupizedem.bat
c:\windows\howa.exe
c:\windows\isydacib.sys
c:\windows\ontiser.dll
c:\windows\pyvim.sys
c:\windows\raqov.dl
c:\windows\system32\_scui.cpl
c:\windows\system32\bexahisy.vbs
c:\windows\system32\opiqyl.scr
c:\windows\system32\sstray.exe
c:\windows\system32\sys32_nov.exe
c:\windows\system32\tmp.reg
c:\windows\system32\uzynugoq.bin

Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\agp440.sys

.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-03 20:03 . 2009-09-03 20:06 118784 ----a-w- c:\windows\SeaMonkeyUninstall.exe
2009-09-03 20:03 . 2009-09-03 20:05 118784 ----a-w- c:\windows\GREUninstall.exe
2009-09-03 20:02 . 2009-09-03 20:02 -------- d-----w- c:\program files\mozilla.org
2009-09-03 18:15 . 2001-08-23 15:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-03 18:15 . 2001-08-23 15:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-03 17:56 . 2009-09-03 17:56 16376 ----a-w- c:\windows\system32\ivep.dat
2009-09-03 17:56 . 2009-09-03 17:56 12414 ----a-w- c:\windows\solaro.dat
2009-09-02 21:45 . 2009-09-02 21:45 120 ----a-w- c:\windows\Xsahusex.dat
2009-09-02 21:43 . 2009-09-02 21:43 -------- d-----w- c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 20:57 . 2008-02-17 23:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-03 20:06 . 2006-04-02 19:30 11785 ----a-w- c:\windows\mozver.dat
2009-09-03 20:03 . 2006-04-02 19:31 335 ----a-w- c:\windows\nsreg.dat
2009-09-03 17:56 . 2009-09-03 17:56 17960 ----a-w- c:\program files\Common Files\epesekyjy._sy
2009-09-03 17:56 . 2009-09-03 17:56 13036 ----a-w- c:\program files\Common Files\ogosoliw.db
2009-09-02 21:47 . 2006-07-01 11:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-27 22:03 . 2008-01-31 23:22 -------- d-----w- c:\documents and settings\W S Mak\Application Data\dvdcss
2009-07-27 21:20 . 2007-08-19 11:37 -------- d-----w- c:\documents and settings\Ana De Casa\Application Data\Skype
2009-07-27 15:03 . 2009-03-02 20:56 -------- d-----w- c:\documents and settings\Ana De Casa\Application Data\skypePM
2009-07-26 22:01 . 2009-07-26 22:01 -------- d-----w- c:\program files\Free Ape Player
2009-07-26 14:34 . 2009-07-26 14:27 -------- d-----w- c:\program files\Burrrn
2009-07-23 19:54 . 2007-06-19 21:28 -------- d-----w- c:\documents and settings\W S Mak\Application Data\Skype
2008-11-12 19:53 . 2008-11-12 19:53 18794 ----a-w- c:\program files\Common Files\efeqowex.scr
2008-11-12 19:53 . 2008-11-12 19:53 14008 ----a-w- c:\program files\Common Files\ytahaxomo.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2005-07-11 482816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-02-12 90224]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\W S Mak\Start Menu\Programs\Startup\
Q9 Tray.lnk - c:\windows\system32\QTRAYIME.EXE [2006-4-3 26112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-4-15 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-6-17 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\PCAlert4.exe [2006-4-23 540672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"4672:UDP"= 4672:UDP:Emule UDP
"20992:TCP"= 20992:TCP:BitComet 20992 TCP
"20992:UDP"= 20992:UDP:BitComet 20992 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 14:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 13:39 32256]
R3 DaCap;DaCap Audio Device Driver;c:\windows\system32\drivers\DaCap.sys [02/04/2006 19:52 32124]
R3 DvCap;DvCap Video Device Driver;c:\windows\system32\drivers\DvCap.sys [02/04/2006 18:37 65428]
R3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\PC Alert 4\NTGLM7X.SYS [23/04/2006 12:09 21760]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 18:51 4096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCALERTDRIVER
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\W S Mak\Application Data\Mozilla\Firefox\Profiles\boudapq9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: XUL Cache: {12796D36-B951-4E3B-912C-06F64C41E2D1} - c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Antivirus Pro 2009 - c:\program files\AntivirusPro2009\AntivirusPro2009.exe
HKLM-Run-nForce Tray Options - sstray.exe
AddRemove-Dungeon Keeper II - c:\windows\IsUninst.exe -fe:\games\Bullfrog\Dungeon Keeper 2\Uninst.isu
AddRemove-HaaliMkx - c:\program files\Matroska Pack\haali\uninstall.exe
AddRemove-PC_Antispyware2010 - c:\program files\PC_Antispyware2010\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 21:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1752)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-15 21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 20:19
ComboFix2.txt 2008-02-03 20:39

Pre-Run: 17,310,584,832 bytes free
Post-Run: 17,851,736,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:00 PM

Posted 15 September 2009 - 03:57 PM

Well done. :(

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow users to share files, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/254927/antispyware-2010-ad-popup-bleepexe-figaro/
    
    Collect::
    c:\windows\system32\ivep.dat
    c:\windows\solaro.dat
    c:\windows\Xsahusex.dat
    c:\program files\Common Files\epesekyjy._sy
    c:\program files\Common Files\ogosoliw.db
    c:\program files\Common Files\efeqowex.scr
    c:\program files\Common Files\ytahaxomo.dat
    Folder::
    c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}
    Firefox::
    FF - HiddenExtension: XUL Cache: {12796D36-B951-4E3B-912C-06F64C41E2D1} - c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"="http://windowsupdate.microsoft.com/"
    "Completed"=hex:01,00

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

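The triage behind the script above (pick out the files created in system locations at the time of the infection, the GUID-named folder under Local Settings\Application Data, and the Security Center value that silences update warnings, then write them into CFScript sections) can be automated. The following is an added example, not ComboFix's own code nor anything Farbar posted; the log lines are a constructed sample in the format shown in this thread, and the infection window, watched directories and allowlist are assumptions chosen for the sample.

```python
"""Added triage example (not ComboFix's or this thread's own code): parse the
file lines of a ComboFix log, flag recently created files in system locations
that a helper would ask to collect, and emit Collect::/Folder::/Registry::
sections of a CFScript."""
import re
from datetime import datetime

# Constructed sample in the ComboFix format "<modified> . <created> <size> <attrs> <path>",
# followed by a REGEDIT4-style block as ComboFix prints under "Reg Loading Points".
SAMPLE_LOG = r"""
2009-09-03 17:56 . 2009-09-03 17:56 16376 ----a-w- c:\windows\system32\ivep.dat
2009-09-03 17:56 . 2009-09-03 17:56 12414 ----a-w- c:\windows\solaro.dat
2009-09-02 21:45 . 2009-09-02 21:45 120 ----a-w- c:\windows\Xsahusex.dat
2009-09-02 21:43 . 2009-09-02 21:43 -------- d-----w- c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}
2009-09-03 20:06 . 2006-04-02 19:30 11785 ----a-w- c:\windows\mozver.dat
2009-09-03 17:56 . 2009-09-03 17:56 17960 ----a-w- c:\program files\Common Files\epesekyjy._sy
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""

LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumed: directories where a freshly created, oddly named file deserves a look.
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\program files\\common files"}
# Assumed allowlist: files legitimately touched by the Mozilla installers in this log.
KNOWN_GOOD = {"mozver.dat", "nsreg.dat"}
# Assumed infection window, taken from the dropper timestamps in the constructed sample.
INFECTION_WINDOW = (datetime(2009, 9, 2), datetime(2009, 9, 4))


def parse_line(line):
    """Return a dict for a ComboFix file line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "modified": datetime.strptime(d["modified"], "%Y-%m-%d %H:%M"),
        "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M"),
        "is_dir": d["attrs"].startswith("d"),  # 'd' in the attribute column marks a directory
        "path": d["path"],
    }


def parent_and_name(path):
    parent, _, name = path.rpartition("\\")
    return parent.lower(), name


def triage(log_text, window_start, window_end):
    """Split entries created inside the window into files to collect and folders to delete."""
    collect, folders = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not (window_start <= entry["created"] <= window_end):
            continue
        parent, name = parent_and_name(entry["path"])
        if entry["is_dir"]:
            # GUID-named folder dropped under Local Settings\Application Data (the hidden XUL extension above).
            if parent.endswith("\\local settings\\application data") and re.fullmatch(r"\{[0-9A-Fa-f-]{36}\}", name):
                folders.append(entry["path"])
        elif parent in WATCHED_DIRS and name.lower() not in KNOWN_GOOD:
            collect.append(entry["path"])
    return collect, folders


def find_security_center_overrides(log_text):
    """Return (key, value_name) pairs where a Security Center *DisableNotify value is set to 1."""
    hits, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith("\\security center"):
            m = re.match(r'"(\w+)"=dword:0*1$', line)
            if m:
                hits.append((key, m.group(1)))
    return hits


def build_cfscript(collect, folders, sc_hits):
    """Emit CFScript sections in the syntax used in the thread (Collect::, Folder::, Registry::)."""
    parts = []
    if collect:
        parts += ["Collect::"] + collect
    if folders:
        parts += ["Folder::"] + folders
    if sc_hits:
        parts.append("Registry::")
        for key, value in sc_hits:
            parts += [f"[{key}]", f'"{value}"=dword:00000000']  # re-enable the notification
    return "\n".join(parts) + "\n"


def triage_sample():
    """Run the whole pipeline over the constructed sample log."""
    collect, folders = triage(SAMPLE_LOG, *INFECTION_WINDOW)
    hits = find_security_center_overrides(SAMPLE_LOG)
    return collect, folders, hits, build_cfscript(collect, folders, hits)


if __name__ == "__main__":
    print(triage_sample()[3])
```

The creation timestamp (the second one on each line) is what separates the droppers from mozver.dat: the latter was modified on the same evening by the SeaMonkey install but created in 2006, so it falls outside the window. The output is only a starting point for a helper to review; it deliberately does not touch anything on disk.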

#9 BlackNBlue


Posted 16 September 2009 - 03:13 PM

Thanks, done!! I'm not sure if my P2P software was the cause as I wasn't running any P2P software when it happened, but will keep that in mind.

Here's the log.

_______________________________________________

ComboFix 09-09-14.02 - W S Mak 16/09/2009 20:59.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.631 [GMT 1:00]
Running from: c:\documents and settings\W S Mak\Desktop\blue.exe
Command switches used :: c:\documents and settings\W S Mak\Desktop\CFScript.txt

file zipped: c:\program files\Common Files\efeqowex.scr
file zipped: c:\program files\Common Files\epesekyjy._sy
file zipped: c:\program files\Common Files\ogosoliw.db
file zipped: c:\program files\Common Files\ytahaxomo.dat
file zipped: c:\windows\solaro.dat
file zipped: c:\windows\system32\ivep.dat
file zipped: c:\windows\Xsahusex.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\\chrome.manifest
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\\chrome\content\_cfg.js
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\\chrome\content\overlay.xul
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\\install.rdf
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\chrome.manifest
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\chrome\content\_cfg.js
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\chrome\content\overlay.xul
c:\documents and settings\W S Mak\Local Settings\Application Data\{12796D36-B951-4E3B-912C-06F64C41E2D1}\install.rdf
c:\program files\Common Files\efeqowex.scr
c:\program files\Common Files\epesekyjy._sy
c:\program files\Common Files\ogosoliw.db
c:\program files\Common Files\ytahaxomo.dat
c:\windows\solaro.dat
c:\windows\system32\ivep.dat
c:\windows\Xsahusex.dat
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-03 20:03 . 2009-09-03 20:06 118784 ----a-w- c:\windows\SeaMonkeyUninstall.exe
2009-09-03 20:03 . 2009-09-03 20:05 118784 ----a-w- c:\windows\GREUninstall.exe
2009-09-03 20:02 . 2009-09-03 20:02 -------- d-----w- c:\program files\mozilla.org
2009-09-03 18:15 . 2001-08-23 15:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-03 18:15 . 2001-08-23 15:00 4224 ------w- c:\windows\system32\drivers\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 20:57 . 2008-02-17 23:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-03 20:06 . 2006-04-02 19:30 11785 ----a-w- c:\windows\mozver.dat
2009-09-03 20:03 . 2006-04-02 19:31 335 ----a-w- c:\windows\nsreg.dat
2009-09-02 21:47 . 2006-07-01 11:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-27 22:03 . 2008-01-31 23:22 -------- d-----w- c:\documents and settings\W S Mak\Application Data\dvdcss
2009-07-27 21:20 . 2007-08-19 11:37 -------- d-----w- c:\documents and settings\Ana De Casa\Application Data\Skype
2009-07-27 15:03 . 2009-03-02 20:56 -------- d-----w- c:\documents and settings\Ana De Casa\Application Data\skypePM
2009-07-26 22:01 . 2009-07-26 22:01 -------- d-----w- c:\program files\Free Ape Player
2009-07-26 14:34 . 2009-07-26 14:27 -------- d-----w- c:\program files\Burrrn
2009-07-23 19:54 . 2007-06-19 21:28 -------- d-----w- c:\documents and settings\W S Mak\Application Data\Skype
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2005-07-11 482816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-02-12 90224]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\W S Mak\Start Menu\Programs\Startup\
Q9 Tray.lnk - c:\windows\system32\QTRAYIME.EXE [2006-4-3 26112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-4-15 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-6-17 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\PCAlert4.exe [2006-4-23 540672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"4672:UDP"= 4672:UDP:Emule UDP
"20992:TCP"= 20992:TCP:BitComet 20992 TCP
"20992:UDP"= 20992:UDP:BitComet 20992 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 14:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 13:39 32256]
R3 DaCap;DaCap Audio Device Driver;c:\windows\system32\drivers\DaCap.sys [02/04/2006 19:52 32124]
R3 DvCap;DvCap Video Device Driver;c:\windows\system32\drivers\DvCap.sys [02/04/2006 18:37 65428]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 18:51 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\W S Mak\Application Data\Mozilla\Firefox\Profiles\boudapq9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 21:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-09-16 21:06
ComboFix-quarantined-files.txt 2009-09-16 20:06
ComboFix2.txt 2009-09-15 20:19
ComboFix3.txt 2008-02-03 20:39

Pre-Run: 17,846,841,344 bytes free
Post-Run: 17,818,898,432 bytes free

Upload was successful

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:00 PM

Posted 16 September 2009 - 04:18 PM

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#11 BlackNBlue

BlackNBlue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:05:00 PM

Posted 17 September 2009 - 05:22 PM

Hi Farbar,

Got an error after installation "error 703 (0,7)" and the software then started without any problem afterwards.

Please find below the requested log

Thanks

-----------------------------


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

17/09/2009 23:19:59
mbam-log-2009-09-17 (23-19-59).txt

Scan type: Quick Scan
Objects scanned: 110480
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Malware.Trace) -> Quarantined and deleted successfully.

#12 Farbar


Posted 18 September 2009 - 01:58 AM

Hi BlackNBlue,

Got an error after installation "error 703 (0,7)" and the software then started without any problem afterwards.

The error occurs when you can't update Malwarebytes' Anti-Malware. The current database version is 2818 and yours is way behind.
What type of connection do you have? (ADSL/Cable/Broadband or Dial-up).

We'll try once more to update MBAM:
  • Open your Malwarebytes' Anti-Malware.
    • First update it; to do that, under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


#13 BlackNBlue


Posted 18 September 2009 - 03:52 AM

Hi Farbar,

I use an ADSL connection. I will try to update the DB again and also JRT. Unfortunately, I won't be in the country from today till Sunday so I will post a reply as soon as I am back.

Thanks

#14 Farbar


Posted 18 September 2009 - 04:24 AM

Take your time and post the log when ready. Thanks for letting me know.

#15 BlackNBlue


Posted 20 September 2009 - 04:33 PM

Hi Farbar,

Thanks for the reply. I have carried out the steps. I think I may have got the wrong error code last time from MBAM; the error code is 732 (0,0) and I can't seem to update the DB. I have searched around for a solution but nothing seems to work :(

I have already removed old JREs and replaced with the latest.

Thanks

BNB



