PC antispyware 2010 has got my computer, and the web told me to post here


  • This topic is locked
26 replies to this topic

#1 didwhatt

  • Members
  • 24 posts

Posted 10 September 2009 - 07:49 PM

Hi,
I opened a topic; it got moved. Now that I have run RootRepeal scans I am back opening a topic.
The topic with the RootRepeal scans is here:

http://www.bleepingcomputer.com/forums/ind...p;#entry1420761

I have this very active "PC Antispyware 2010" virus protection that I think is telling me the absolute truth about me being infected!!! :-)
Thank you for any help


DDS (Ver_09-07-30.01) - NTFSx86
Run by donald at 17:37:30.73 on Thu 09/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.373 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\donald\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [braviax] braviax.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://netgil.chevrontexaco.com/ica32/wficat.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} - hxxp://www.gamehouse.com/ghdlctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
Handler: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
Handler: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
Handler: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
Handler: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
Handler: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
Handler: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - c:\progra~1\run-time\dffav\df2proto.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donald\applic~1\mozilla\firefox\profiles\default.djf\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2001-12-13 34712]
R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2001-12-13 64512]
R3 McAfeePF;McAfee Firewall Network Filter Miniport;c:\windows\system32\drivers\fw220.sys [2001-12-12 29696]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys --> c:\windows\system32\drivers\avg7core.sys [?]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys --> c:\windows\system32\drivers\avg7rsw.sys [?]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys --> c:\windows\system32\drivers\avg7rsxp.sys [?]
S1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys --> c:\windows\system32\drivers\avgclean.sys [?]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\eacmos.sys --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe --> c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [?]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe --> c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [?]
S2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe --> c:\progra~1\grisoft\avgfre~1\avgemc.exe [?]
S2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys --> c:\windows\system32\drivers\avgtdi.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2003-4-5 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\Gcr432.sys [2001-9-6 89371]
S3 lredbooo;lredbooo;\??\c:\docume~1\donald\locals~1\temp\lredbooo.sys --> c:\docume~1\donald\locals~1\temp\lredbooo.sys [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]
S3 ndcprtns;NDC Network Agent;c:\windows\system32\drivers\ndcprtns.sys [2002-2-3 9328]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-4 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-4 8320]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2003-3-4 27088]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2003-3-4 7520]
S4 McAfee Firewall;McAfee Firewall;"c:\program files\mcafee\mcafee firewall\cpd.exe" /service --> c:\program files\mcafee\mcafee firewall\CPD.EXE [?]

=============== Created Last 30 ================

2009-09-03 19:44 17,584 a------- c:\windows\erab.vbs
2009-09-03 19:44 11,366 a------- c:\program files\common files\zuzumojif.com
2009-09-03 19:44 10,418 a------- c:\windows\mozyrowyt.exe
2009-09-03 19:44 10,317 a------- c:\windows\atigaqira.inf
2009-09-03 19:44 15,017 a------- c:\windows\system32\vemahe.com
2009-09-03 19:44 14,542 a------- c:\windows\roqypu.com
2009-09-03 19:44 13,570 a------- c:\windows\axev._sy
2009-09-03 19:44 10,045 a------- c:\windows\itisybuweq._sy
2009-08-28 03:08 19,656 a------- c:\program files\common files\xojor.pif
2009-08-28 03:08 18,941 a------- c:\program files\common files\ifegeto.pif
2009-08-28 03:08 18,268 a------- c:\program files\common files\anohuc.bin
2009-08-28 03:08 18,181 a------- c:\docume~1\alluse~1\applic~1\jumysone.vbs
2009-08-28 03:08 17,709 a------- c:\windows\system32\johekymulu.db
2009-08-28 03:08 17,173 a------- c:\program files\common files\udabo.com
2009-08-28 03:08 16,685 a------- c:\windows\system32\abyvalasi.inf
2009-08-28 03:08 16,408 a------- c:\windows\ozukav.exe
2009-08-28 03:08 15,508 a------- c:\docume~1\alluse~1\applic~1\uzapiv.dll
2009-08-28 03:08 14,135 a------- c:\windows\system32\humyke.sys
2009-08-28 03:08 13,700 a------- c:\docume~1\donald\applic~1\erugila.pif
2009-08-28 03:08 11,752 a------- c:\windows\system32\hanypecuk.com
2009-08-28 03:08 11,601 a------- c:\docume~1\donald\applic~1\pegadyz.dll
2009-08-28 03:00 17,979 a------- c:\windows\system32\sepeto.exe
2009-08-28 03:00 14,200 a------- c:\docume~1\donald\applic~1\akydojedu.vbs
2009-08-28 03:00 11,614 a------- c:\docume~1\alluse~1\applic~1\yrabaxyj.exe
2009-08-28 03:00 10,279 a------- c:\windows\hyhawytub.dl
2009-08-28 03:00 19,694 a------- c:\program files\common files\amivofe.dat
2009-08-28 03:00 18,483 a------- c:\windows\bopoqebip.vbs
2009-08-28 03:00 17,726 a------- c:\windows\system32\yhero.bat
2009-08-28 03:00 17,531 a------- c:\docume~1\alluse~1\applic~1\lifinewy.vbs
2009-08-28 03:00 17,103 a------- c:\windows\mirixeg.sys
2009-08-28 03:00 16,939 a------- c:\windows\ezaralyf.bat
2009-08-28 03:00 14,275 a------- c:\windows\ujugy._sy
2009-08-28 03:00 13,857 a------- c:\windows\diwivybo.com
2009-08-28 03:00 12,975 a------- c:\windows\system32\zuho.ban
2009-08-28 03:00 12,606 a------- c:\program files\common files\ivyke.bin
2009-08-28 03:00 12,035 a------- c:\docume~1\donald\applic~1\mesaz.bat
2009-08-28 03:00 10,078 a------- c:\program files\common files\vocufo.scr
2009-08-28 03:00 12,918 a------- c:\windows\dipatuga.pif
2009-08-28 02:59 348,284 a------- c:\windows\system32\_scui.cpl
2009-08-28 02:59 <DIR> --d----- c:\program files\PC_Antispyware2010
2009-08-28 02:47 6,144 a------- c:\windows\system32\cru629.dat
2009-08-28 02:47 6,144 a------- c:\windows\cru629.dat
2009-08-28 02:47 11,264 a------- c:\windows\braviax.exe
2009-08-28 02:45 190,700 a------- c:\windows\system32\wisdstr.exe
2009-08-28 02:45 11,264 a------- c:\windows\system32\braviax.exe
2009-08-23 18:21 <DIR> --d----- c:\program files\DealMaker
2009-08-23 18:19 <DIR> --d----- c:\program files\CalSupport
2009-08-23 08:29 <DIR> --d----- C:\GDPHOME
2009-08-23 08:29 <DIR> --d----- C:\GDPDATA
2009-08-12 16:51 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-08-28 02:45 29,184 a------- c:\windows\system32\drivers\beep.sys
2009-07-31 08:27 28,624 a------- c:\windows\system32\drivers\secdrv.sys
2009-07-13 05:48 219,648 a------- c:\windows\PEV.exe
2007-09-10 18:33 46,792 a------- c:\docume~1\donald\applic~1\GDIPFONTCACHEV1.DAT
2006-12-05 13:43 611 a------- c:\program files\Uninstall AOL Instant Messenger.lnk
2006-12-02 05:09 928 a------- c:\program files\fsbl-20061202113920.log
2006-12-02 04:38 826,936 a------- c:\program files\blacklight.exe
2006-12-02 03:50 212,849 a------- c:\program files\hijackthis.zip
2006-12-02 01:02 17,515,272 a------- c:\program files\avg75free_430a848.exe
2004-09-22 19:29 775 ac--h--- c:\program files\hpothb07.tif
2004-09-22 19:29 464 ac--h--- c:\program files\hpothb07.dat
2004-05-15 00:47 331 ac--h--- c:\documents and settings\donald\hpothb07.dat
2003-08-01 13:04 116,850 a------- c:\program files\uninstll.exe
2003-08-01 12:31 61,440 a------- c:\program files\aim.exe
2003-08-01 12:30 41,984 a------- c:\program files\AlertUI.ocm
2003-08-01 12:30 10,752 a------- c:\program files\advert.ocm
2003-08-01 12:29 13,312 a------- c:\program files\Admin.ocm
2003-08-01 12:29 54,272 a------- c:\program files\aimapi.dll
2003-08-01 12:28 11,776 a------- c:\program files\NTP.ocm
2003-08-01 12:27 147,456 a------- c:\program files\aimauto.exe
2003-04-01 13:04 12,312 a------- c:\program files\aim95.CNT
2003-01-04 23:20 28,325,976 ac------ c:\program files\dplay82 update.exe
2003-01-04 23:08 577,088 ac------ c:\program files\TweakUiPowertoySetup.exe
2002-12-11 15:49 2,836 a------- c:\program files\aim.odl
2001-09-28 19:00 164,864 a------- c:\program files\unwise32.exe
2001-06-20 17:19 40,960 ac------ c:\program files\ACMonitor_X83.exe
2001-01-30 18:04 1,375 a------- c:\program files\aimalert.gif
2000-02-16 19:39 1,732 a------- c:\program files\unwise32.ini
2007-04-03 17:56 80 ---shr-- c:\windows\system32\B0220DA012.dll
2008-10-10 21:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101020081011\index.dat

============= FINISH: 17:38:13.58 ===============


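As an added example (not part of this thread, and not the DDS tool's own code), the following Python script triages the "Created Last 30" and Pseudo HJT sections of a DDS log the way a responder reads the one above: files dropped in bursts within the same minute, lookalike extensions under system directories, and names that also appear in Run keys or AppInit_DLLs. The sample input is a handful of lines copied from the posted log plus one benign directory entry; the line regexes, the extension list and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a handful of lines copied from the DDS log posted
# above plus one benign directory entry, so the triage runs offline.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

mRun: [braviax] braviax.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
AppInit_DLLs: cru629.dat

=============== Created Last 30 ================

2009-09-03 19:44 17,584 a------- c:\windows\erab.vbs
2009-09-03 19:44 13,570 a------- c:\windows\axev._sy
2009-09-03 19:44 15,017 a------- c:\windows\system32\vemahe.com
2009-08-28 02:47 6,144 a------- c:\windows\system32\cru629.dat
2009-08-28 02:45 11,264 a------- c:\windows\system32\braviax.exe
2009-08-28 02:45 190,700 a------- c:\windows\system32\wisdstr.exe
2009-08-12 16:51 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================
"""

# Line shapes below are assumptions inferred from the posted log, not a DDS spec.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$"
)
RUN_RE = re.compile(r"^[umd]Run: \[[^\]]*\]\s+(.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s+(.+)$")

# Extensions that have no business on a freshly created file under a system
# directory; the posted log shows ._sy / .ban / .dl lookalikes of .sys / .bin / .dll.
ODD_EXTENSIONS = {"._sy", ".ban", ".dl", ".pif", ".scr", ".vbs", ".bat", ".com"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\common files\\", "c:\\docume~1\\")


def parse_created(text):
    """Return (timestamp, size_or_None, attrs, lowercased path) tuples from 'Created Last 30'."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("="):
            if in_section:
                break                      # the next section header ends ours
            in_section = "Created Last 30" in line
            continue
        m = CREATED_RE.match(line) if in_section else None
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
            entries.append((ts, size, m.group(3), m.group(4).lower()))
    return entries


def autostart_basenames(text):
    """Lowercased file names referenced from Run keys or AppInit_DLLs."""
    names = set()
    for line in text.splitlines():
        m = RUN_RE.match(line) or APPINIT_RE.match(line)
        if m:
            for token in m.group(1).split():
                names.add(token.strip('"').lower().rsplit("\\", 1)[-1])
    return names


def triage(text, burst_threshold=3):
    """Map each suspicious created file to the list of reasons it was flagged."""
    entries = parse_created(text)
    autostart = autostart_basenames(text)
    by_minute = defaultdict(list)
    for ts, _size, _attrs, path in entries:
        by_minute[ts].append(path)
    findings = {}
    for ts, size, _attrs, path in entries:
        if size is None:
            continue                       # directories: nothing to judge from the log alone
        name = path.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        reasons = []
        if ext in ODD_EXTENSIONS and path.startswith(SYSTEM_DIRS):
            reasons.append("odd extension for a system directory")
        if len(by_minute[ts]) >= burst_threshold:
            reasons.append(f"{len(by_minute[ts])} files created in the same minute")
        if name in autostart:
            reasons.append("referenced from a Run key or AppInit_DLLs")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_DDS).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against a full DDS log, the same three checks surface the braviax/cru629 pair and the 03:00/03:08 file bursts that the helper later targets; the thresholds are a starting point, not a verdict.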

#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 25 September 2009 - 06:26 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic. If you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks


#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 30 September 2009 - 06:14 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 02 October 2009 - 05:16 PM

Topic reopened at OP request.


#5 didwhatt

  • Topic Starter
  • Members
  • 24 posts

Posted 02 October 2009 - 05:47 PM

RSIT run

Attached Files

  • log.txt (30.55KB)
  • info.txt (30.8KB)


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 02 October 2009 - 07:06 PM

Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case BitLord & LimeWire). These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post back here with the following logs:
  • MBAM log
  • New Rsit log
Thanks


#7 didwhatt

  • Topic Starter
  • Members
  • 24 posts

Posted 03 October 2009 - 02:33 AM

Well that took a long time.

I removed the files after the quick scan before I ran the full scan; I hope it didn't hose the procedure.
I loaded AntiVir after the scans were completed and it detected "bad files", so I deleted them and ran the RSIT yet again.

So I have many more logs than you requested.
I'll upload them all and let you read what you want.

The upd... file is from Avira.

The log_second is the RSIT I ran after running the malware.
The log_third is the RSIT I ran after running the scan from Avira.

The MBAM from 1800 is after the quick scan.

I don't know why I have two more MBAM logs; one of them is after the full scan.



#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 03 October 2009 - 08:02 AM

Hi,

Can you just do the steps I ask and post the logs I ask for in future? I see that you have been running ComboFix; please post the log it produced.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.

Edited by syler, 03 October 2009 - 08:02 AM.


#9 didwhatt

  • Topic Starter
  • Members
  • 24 posts

Posted 03 October 2009 - 12:02 PM

I haven't run ComboFix since the first day that I had the problem.
It didn't run.
My Spybot didn't run either.

That is why I thought that I had the "bad" version of this antispyware virus.

#10 didwhatt

  • Topic Starter
  • Members
  • 24 posts

Posted 03 October 2009 - 12:04 PM

You asked me to send the log from when I ran it.
Since I haven't run it in over a month, do you want me to run it now and send a log, or not?

#11 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 03 October 2009 - 03:52 PM

If you still have the ComboFix log then I would like to see it; you do not need to run it again. If you haven't got it, leave it out.

Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, 2007 and newer versions of McAfee consumer products:
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again; you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

Next

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alogserv]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mp3search]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^kristy^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "McShield"=-
    "McAfee Firewall"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    :Files
    C:\WINDOWS\mozyrowyt.exe
    C:\WINDOWS\erab.vbs
    C:\Program Files\Common Files\zuzumojif.com
    C:\WINDOWS\system32\vemahe.com
    C:\WINDOWS\roqypu.com
    C:\WINDOWS\system32\hanypecuk.com
    C:\WINDOWS\ozukav.exe
    C:\Program Files\Common Files\udabo.com
    C:\Documents and Settings\donald\Application Data\pegadyz.dll
    C:\Documents and Settings\All Users\Application Data\uzapiv.dll
    C:\Documents and Settings\All Users\Application Data\jumysone.vbs
    C:\WINDOWS\system32\sepeto.exe
    C:\Documents and Settings\donald\Application Data\akydojedu.vbs
    C:\Documents and Settings\All Users\Application Data\yrabaxyj.exe
    C:\WINDOWS\system32\yhero.bat
    C:\WINDOWS\ezaralyf.bat
    C:\WINDOWS\diwivybo.com
    C:\WINDOWS\bopoqebip.vbs
    C:\Documents and Settings\donald\Application Data\mesaz.bat
    C:\Documents and Settings\All Users\Application Data\lifinewy.vbs
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan.
  • Check all seven boxes:
    [image]
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Please post back here with the following logs:
  • OTM results
  • Rootrepeal report
  • New Rsit log
Thanks

Edited by syler, 03 October 2009 - 03:53 PM.



#12 didwhatt

didwhatt
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 03 October 2009 - 06:34 PM

This is the output from OTM.

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alogserv\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mp3search\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^kristy^Start Menu^Programs^Startup^PowerReg Scheduler.exe\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McShield deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McAfee Firewall deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
========== FILES ==========
C:\WINDOWS\mozyrowyt.exe moved successfully.
C:\WINDOWS\erab.vbs moved successfully.
C:\Program Files\Common Files\zuzumojif.com moved successfully.
C:\WINDOWS\system32\vemahe.com moved successfully.
C:\WINDOWS\roqypu.com moved successfully.
C:\WINDOWS\system32\hanypecuk.com moved successfully.
C:\WINDOWS\ozukav.exe moved successfully.
C:\Program Files\Common Files\udabo.com moved successfully.
LoadLibrary failed for C:\Documents and Settings\donald\Application Data\pegadyz.dll
C:\Documents and Settings\donald\Application Data\pegadyz.dll NOT unregistered.
C:\Documents and Settings\donald\Application Data\pegadyz.dll moved successfully.
LoadLibrary failed for C:\Documents and Settings\All Users\Application Data\uzapiv.dll
C:\Documents and Settings\All Users\Application Data\uzapiv.dll NOT unregistered.
C:\Documents and Settings\All Users\Application Data\uzapiv.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\jumysone.vbs moved successfully.
C:\WINDOWS\system32\sepeto.exe moved successfully.
C:\Documents and Settings\donald\Application Data\akydojedu.vbs moved successfully.
C:\Documents and Settings\All Users\Application Data\yrabaxyj.exe moved successfully.
C:\WINDOWS\system32\yhero.bat moved successfully.
C:\WINDOWS\ezaralyf.bat moved successfully.
C:\WINDOWS\diwivybo.com moved successfully.
C:\WINDOWS\bopoqebip.vbs moved successfully.
C:\Documents and Settings\donald\Application Data\mesaz.bat moved successfully.
C:\Documents and Settings\All Users\Application Data\lifinewy.vbs moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Application Data

User: danny
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 400787 bytes
->FireFox cache emptied: 94109897 bytes

User: Default User
->Temp folder emptied: 677971 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: donald
->Temp folder emptied: 44915706 bytes
->Temporary Internet Files folder emptied: 3256102 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 63376764 bytes

User: jessica
->Temp folder emptied: 282608 bytes
->Temporary Internet Files folder emptied: 121694694 bytes
->Java cache emptied: 1834862 bytes
->FireFox cache emptied: 65968695 bytes

User: kristy
->Temp folder emptied: 6262612 bytes
->Temporary Internet Files folder emptied: 11652687 bytes
->Java cache emptied: 105414 bytes
->FireFox cache emptied: 62542365 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49554 bytes

User: NetworkService
->Temp folder emptied: 58774 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 485572 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: System

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 384181 bytes
%systemroot%\System32 .tmp files removed: 3971089 bytes
Windows Temp folder emptied: 17352711 bytes
RecycleBin emptied: 52 bytes

Total Files Cleaned = 476.36 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10032009_162343

Files moved on Reboot...

Registry entries deleted on Reboot...
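When going through an OTM result like the one above, the useful check is whether every item in the fix script actually shows up in the log as deleted or moved, and whether any DLL could not be unregistered. The Python script below is an added example for this thread (it is not OTM's own code and not part of the original posts): it parses the :Reg / :Files / :Commands sections of a script of the kind syler posted, parses the "deleted successfully" / "moved successfully" lines of the resulting log, and lists every requested action the log does not confirm. The sample script and log are trimmed copies of the ones in this thread, constructed here, with the erab.vbs line left out of the log so that one action shows up as unconfirmed. The section keywords and log wording come from the thread; the function names and the tuple layout are this example's own choices.

```python
"""Cross-check an OTM fix script against the log OTM produced. Added example for
this thread (not OTM's own code): lists every requested action the log does not confirm."""
import re

# Constructed sample: a trimmed copy of the script posted in this thread.
OTM_SCRIPT = r"""
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
:Files
C:\WINDOWS\mozyrowyt.exe
C:\Documents and Settings\donald\Application Data\pegadyz.dll
C:\WINDOWS\erab.vbs
:Commands
[EmptyTemp]
"""
# Constructed sample: log lines from this thread, minus erab.vbs so one action stays unconfirmed.
OTM_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McShield deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
C:\WINDOWS\mozyrowyt.exe moved successfully.
C:\Documents and Settings\donald\Application Data\pegadyz.dll NOT unregistered.
C:\Documents and Settings\donald\Application Data\pegadyz.dll moved successfully.
"""

REG_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')        # "name"=-  or  "name"="data"
LOG_PATTERNS = [  # (kind, regex), tried in this order against each log line
    ("delete_key", re.compile(r"^Registry key (.+?)\\ deleted successfully\.$")),
    ("delete_value", re.compile(r"^Registry value (.+?)\\\\(.+) deleted successfully\.$")),
    ("set_value", re.compile(r'^(.+?)\\\\"([^"]+)"\|(.*?) /E : value set successfully!$')),
    ("not_unregistered", re.compile(r"^(.+) NOT unregistered\.$")),
    ("move_file", re.compile(r"^(.+) moved successfully\.$")),
]

def norm(parts):
    """Matching form of an action: key, value name and path lower-cased, data as written."""
    parts = tuple(p.lower() for p in parts[:2]) + tuple(parts[2:])
    return parts if len(parts) > 1 else parts[0]

def parse_script(text):
    """Turn an OTM script into lists of requested actions (tuples), keyed by kind."""
    actions = {"delete_key": [], "delete_value": [], "set_value": [],
               "move_file": [], "command": []}
    section = current_key = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(":"):                          # :Reg / :Files / :Commands
            section, current_key = line[1:].lower(), None
        elif section == "reg" and line.startswith("[-"):  # [-key] deletes the key
            actions["delete_key"].append((line[2:-1],))
        elif section == "reg" and line.startswith("["):   # [key] selects a key
            current_key = line[1:-1]
        elif section == "reg":
            m = REG_VALUE_LINE.match(line)
            if not m or current_key is None:
                raise ValueError("unparsable :Reg line: %r" % line)
            name, value = m.groups()
            if value == "-":                              # "name"=- deletes the value
                actions["delete_value"].append((current_key, name))
            else:                                         # "name"="data" sets it
                actions["set_value"].append((current_key, name, value.strip('"')))
        elif section == "files":
            actions["move_file"].append((line,))
        elif section == "commands":
            actions["command"].append(line.strip("[]"))
    return actions

def parse_log(text):
    """Collect what the log reports as done, in the same normalised form."""
    done = {kind: set() for kind, _ in LOG_PATTERNS}
    for line in (l.strip() for l in text.splitlines()):
        for kind, pattern in LOG_PATTERNS:
            m = pattern.match(line)
            if m:
                groups = m.groups()
                if kind == "set_value":                   # strip OTM's quoting of the data
                    groups = groups[:2] + (groups[2].strip('"'),)
                done[kind].add(norm(groups))
                break
    return done

def unconfirmed(actions, done):
    """Return (kind, target) pairs from the script that the log does not confirm."""
    missing = []
    for kind in ("delete_key", "delete_value", "set_value", "move_file"):
        for parts in actions[kind]:
            if norm(parts) not in done[kind]:
                missing.append((kind, "\\".join(parts[:2])))
    return missing

if __name__ == "__main__":
    script, log = parse_script(OTM_SCRIPT), parse_log(OTM_LOG)
    for kind, target in unconfirmed(script, log):
        print("NOT CONFIRMED %-12s %s" % (kind, target))
    for path in sorted(log["not_unregistered"]):  # DLLs OTM could not load to unregister
        print("CHECK not unregistered: %s" % path)
```

Run as-is it reports the dropped erab.vbs move as not confirmed and flags pegadyz.dll as not unregistered; with the full script and log from this thread pasted into the two sample strings it would report nothing missing. Paths and key names are compared case-insensitively because Windows treats them that way, while value data is compared as written.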

#13 didwhatt

didwhatt
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 03 October 2009 - 06:46 PM

RootRepeal came up with "Error Invalid PE image found".

I followed the instructions and the scan is running.

#14 didwhatt

didwhatt
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 03 October 2009 - 07:05 PM

Here are the logs from RootRepeal and RSIT.

Attached Files



#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:57 PM

Posted 04 October 2009 - 04:03 PM

Hi didwhatt,

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Next

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back here with the following logs:
  • Kaspersky report
  • New Rsit log
Thanks





