Infected with TR/Dldr.Tracur.B.63 [trojan] and can't run GMER


  • This topic is locked
17 replies to this topic

#1 Ianjames

Ianjames

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 23 February 2010 - 05:20 PM

Hi,

I'd appreciate any help at all you can give with the following:

I foolishly decided I would download WinMX a couple of weeks ago - it's gone now, along with everything I chose to download from it. I've used Revo Uninstaller so there shouldn't be any of it hanging around. Unfortunately, I got an unwanted gift along with it.
I'm 99% certain this came as a result of WinMX as I started getting warnings from Avira as soon as I had installed it. They were initially messages like the two below:

Virus or unwanted program 'EXP/ASF.GetCodec.Gen [exploit]'
detected in file 'C:\Windows\System32\SysWoW32\mi659558835v4.

Virus or unwanted program 'EXP/ASF.GetCodec.Gen [exploit]'
detected in file 'C:\Windows\System32\SysWoW32\mi659558835v7.

and then:

Virus or unwanted program 'TR/Dldr.Tracur.B.63 [trojan]'
detected in file 'C:\Windows\System32\dnsapi32.dll.

I tried running Avira both in "normal" and "safe" mode, and Avira did detect a virus, and removed it, but obviously didn't get rid of it. At one point, whatever this was kept turning Avira off. I installed Spybot Search and destroy and that appeared to stop that, but still didn't get rid of the virus.
I've since noticed my browser being hijacked - this is happening particularly when I search on Google - if I click on the link I get taken to another site (scout.com is one example or oneclick.com) with apparent links to the site I was actually looking for.

Norton's online scan told me this:

C:\Windows\System32\dot3cfg32.dll is infected with Trojan Horse

but didn't tell me what to do about it. Spyware Terminator did pretty much the same.

I've run dds and downloaded GMER. I've now tried GMER twice, and each time it takes several hours, is extremely slow, and whilst it is happening something tries to put my computer into sleep mode (it's set not to do this at all). My friend who doesn't have an infected computer found GMER ran in 10 minutes.

Here is the DDS log:

Thank you for any help you can give. I feel very foolish for downloading WinMX in the first place.

Ian


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ian at 11:55:43.11 on 21/02/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.503.85 [GMT 0:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Ian\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
BHO: {0161e51c-46ba-4bbe-ac6b-891dfa358723} - c:\windows\system32\dot3cfg32.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [RTHDBPL] c:\users\ian\appdata\roaming\systemproc\lsass.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [c:\windows\system32\v0350ext.ax] c:\windows\system32\regsvr32.exe /s c:\windows\system32\V0350Ext.ax
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\dnsapi32.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\ian\appdata\roaming\mozilla\firefox\profiles\f32ho2jf.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Firefox security: No Registry Reference - c:\program files\mozilla firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-3 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-3 56816]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2008-1-20 227328]
S3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2008-8-11 142656]
S3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [2008-8-11 7424]
S3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2008-8-11 170368]
S3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\drivers\WlanUZG.sys [2008-2-3 449536]

=============== Created Last 30 ================

2010-02-21 11:52:03 0 ----a-w- c:\users\ian\defogger_reenable
2010-02-20 08:51:38 0 dc----w- c:\program files\Cobian Backup 10
2010-02-14 23:46:42 370212196 ----a-w- c:\windows\MEMORY.DMP
2010-02-09 23:07:57 1906 ----a-w- c:\windows\GnuHashes.ini
2010-02-09 23:00:02 1262 --sha-w- c:\windows\system32\760880057
2010-02-09 22:58:57 0 d-sh--w- c:\windows\system32\SysWoW32
2010-02-09 22:58:36 0 d-sh--w- c:\users\ian\appdata\roaming\SystemProc
2010-02-09 22:58:34 203776 --sh--w- c:\windows\system32\unrar.exe
2010-02-09 22:58:34 0 d-----w- c:\windows\system32\1329081486
2010-02-09 22:58:14 198144 ----a-w- c:\windows\system32\dot3cfg32.dll
2010-02-09 22:13:12 0 d-----w- c:\users\ian\Incomplete
2010-02-09 22:11:59 0 d-----w- c:\programdata\WinMX Music
2010-02-09 22:11:52 0 d-----w- c:\users\ian\appdata\roaming\WinMX Music
2010-02-09 21:02:20 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-09 21:02:19 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-09 21:02:13 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 21:02:13 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 21:01:58 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-09 21:01:55 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-09 21:00:48 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-09 21:00:47 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-09 21:00:47 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-09 21:00:47 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-09 21:00:47 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-09 21:00:46 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-09 21:00:46 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-09 21:00:45 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-09 21:00:45 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-09 21:00:37 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-09 21:00:35 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-28 20:59:04 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-28 20:59:04 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-28 20:58:50 834048 ----a-w- c:\windows\system32\wininet.dll
2010-01-28 20:58:35 78336 ----a-w- c:\windows\system32\ieencode.dll

==================== Find3M ====================

2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 19:26:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 03:05:51 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-21 03:05:51 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-21 03:05:50 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-21 03:05:50 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-01 21:56:40 174 --sha-w- c:\program files\desktop.ini
2007-04-23 22:21:16 269824 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 22:19:24 227328 ----a-w- c:\windows\inf\wg111v3\WG111v3.sys
2007-04-23 22:19:24 227328 ----a-w- c:\windows\inf\wg111v3\vista\wg111v3.sys
2006-12-15 19:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 19:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 19:30:36 28672 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 19:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 19:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 19:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-01-09 07:55:44 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-01-09 07:55:44 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-01-09 07:55:44 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-11-01 17:23:24 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009110120091102\index.dat

============= FINISH: 11:58:44.68 ===============
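The "Pseudo HJT Report" section of the DDS log above is where the persistence this thread is about shows up: a non-empty AppInit_DLLs value (dnsapi32.dll), a per-user Run entry launching an lsass.exe from a roaming profile directory, a BHO with no display name, a Hosts override and UAC switched off. The Python script below is an added example and is not part of DDS, ComboFix, GMER or the thread itself: it runs a few defender-side triage checks over DDS-style lines (the sample input is copied from the log above) and ranks the entries for an analyst to verify. The check names, severity levels and heuristics are my own assumptions, not a DDS feature.

```python
"""Triage of DDS 'Pseudo HJT Report' lines (added example, not DDS code).

Flags the persistence points a malware helper looks at first: AppInit_DLLs,
Run entries whose binary masquerades as a Windows system process, unnamed or
orphaned BHOs, Hosts blackholes and a disabled UAC. Heuristics are my own.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "info"
    entry: str      # the DDS line that produced the finding
    reason: str


# Sample input copied from the DDS log posted above (a subset of its lines).
SAMPLE_DDS_LINES = [
    r"BHO: {0161e51c-46ba-4bbe-ac6b-891dfa358723} - c:\windows\system32\dot3cfg32.dll",
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll",
    r"uRun: [RTHDBPL] c:\users\ian\appdata\roaming\systemproc\lsass.exe",
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"AppInit_DLLs: c:\windows\system32\dnsapi32.dll",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
]

# Binaries that legitimately live only in %SystemRoot%\system32 (assumed list).
SYSTEM_ONLY_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
# Directories a standard user can write to; autostarts from here deserve a look.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\users\\", "\\temp\\", "\\programdata\\")
# "[name] "optional-quote"path\to\binary.exe" ... " as DDS prints Run entries.
RUN_RE = re.compile(r'\[[^\]]*\]\s*"?(?P<path>.+?\.exe)', re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one DDS line, or None if nothing stands out."""
    key, sep, rest = line.partition(": ")
    if not sep:
        return None
    rest = rest.strip()

    if key == "AppInit_DLLs" and rest:
        return Finding("high", line,
                       "AppInit_DLLs loads this DLL into every process that maps user32.dll; "
                       "the value is empty on a clean install")

    if key in ("uRun", "mRun"):
        m = RUN_RE.search(rest)
        if not m:
            return None
        path = m.group("path").lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_ONLY_BINARIES and "\\windows\\system32\\" not in path:
            return Finding("high", line,
                           f"{name} is a Windows system binary name but runs from outside system32")
        if any(d in path for d in USER_WRITABLE_DIRS):
            return Finding("medium", line, "autostart launched from a user-writable directory")
        return None

    if key == "BHO":
        if rest.endswith("No File"):
            return Finding("info", line, "orphaned BHO registration, DLL missing; cleanup only")
        if rest.startswith("{"):
            return Finding("medium", line,
                           "BHO with no display name; verify the DLL's publisher and hash")
        return None

    if key == "Hosts" and rest and rest.split()[0] in ("127.0.0.1", "0.0.0.0"):
        return Finding("medium", line,
                       "Hosts entry blackholes a domain; used to block security sites")

    if key == "mPolicies-system" and rest.startswith("EnableLUA = 0"):
        return Finding("medium", line, "UAC disabled (EnableLUA = 0)")

    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over every line, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (triage_line(l) for l in lines) if f is not None]
    return sorted(found, key=lambda f: order[f.severity])


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in triage(lines):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
    print(summarize(SAMPLE_DDS_LINES))
```

Run as-is to print the ranked findings for the sample lines. The heuristics are deliberately narrow (a system-binary name outside system32, a non-empty AppInit_DLLs, an unnamed BHO, a Hosts blackhole, EnableLUA = 0) so that they prioritise what to look at first; they do not replace the helper's judgement or a scanner, and a named BHO from a known vendor, like the Spybot entry, produces no finding.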


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:08 AM

Posted 25 February 2010 - 04:13 PM


Hello Ianjames. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited in how many logs we can respond to and keep open due to time constraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



I would like for you to try to run GMER once again. Before doing so, disable both TeaTimer and Windows Defender. If it still won't run, uncheck the following along with the ones in the initial instructions and try again:

  • Registry
  • Files

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Ianjames

Ianjames
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 26 February 2010 - 06:58 AM

Hi, and thanks very much for responding.

I'm away for the weekend, but will have access to my computer on Monday night, and will try doing this again with those programs disabled, and try and post the results here straight away.

Thanks

Ian

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:08 AM

Posted 26 February 2010 - 12:57 PM

Ok, thanks for letting me know.

#5 Ianjames

Ianjames
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 03 March 2010 - 04:07 AM

Hi - Sorry for the delayed response. I finally got this to work last night, so will post the results later today.

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:08 AM

Posted 03 March 2010 - 12:29 PM

That's fine, thanks for letting me know.

#7 Ianjames

Ianjames
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 03 March 2010 - 12:58 PM

Here's the GMER result. In the end I had to disable Avira and take the computer offline to get this to run. Hope it's still okay.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 07:11:51
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Ian\AppData\Local\Temp\uwldrpow.sys


---- System - GMER 1.0.15 ----

SSDT  A651649C  ZwCreateThread
SSDT  A6516488  ZwOpenProcess
SSDT  A651648D  ZwOpenThread
SSDT  A6516497  ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4ab6
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4ab6 (not active ControlSet)

---- EOF - GMER 1.0.15 ----




#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:08 AM

Posted 03 March 2010 - 01:45 PM

That didn't tell us a whole lot but thanks for running it anyway. When you run ComboFix be sure to disable both Windows Defender and TeaTimer along with your AntiVirus. There is a link to help you in the instructions below.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 Ianjames

Ianjames
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 03 March 2010 - 04:34 PM

Thanks again... here's the ComboFix log:

ComboFix 10-03-03.03 - Ian 03/03/2010 21:05:42.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.503.165 [GMT 0:00]
Running from: c:\users\Ian\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\$recycle.bin\S-1-5-21-3004094700-1292148700-1120296016-500
c:\$recycle.bin\S-1-5-21-4104075854-417722434-1675085535-500
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\users\Ian\AppData\Roaming\020000005aec9f18772C.manifest
c:\users\Ian\AppData\Roaming\020000005aec9f18772O.manifest
c:\users\Ian\AppData\Roaming\020000005aec9f18772P.manifest
c:\users\Ian\AppData\Roaming\020000005aec9f18772S.manifest
c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\extensions\{c5f0f90d-6a8e-4fcb-8791-f4e1e67f30ac}
c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\extensions\{c5f0f90d-6a8e-4fcb-8791-f4e1e67f30ac}\chrome.manifest
c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\extensions\{c5f0f90d-6a8e-4fcb-8791-f4e1e67f30ac}\chrome\xulcache.jar
c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\extensions\{c5f0f90d-6a8e-4fcb-8791-f4e1e67f30ac}\defaults\preferences\xulcache.js
c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\extensions\{c5f0f90d-6a8e-4fcb-8791-f4e1e67f30ac}\install.rdf
c:\users\Ian\AppData\Roaming\SystemProc
c:\users\Ian\AppData\Roaming\SystemProc\lsass.exe
c:\windows\GnuHashes.ini
c:\windows\system32\1329081486
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\_u659558835v5
c:\windows\system32\SysWoW32\mi659558835v4.kwd
c:\windows\system32\SysWoW32\mi659558835v6.kwd
c:\windows\system32\SysWoW32\mi659558835v7.kwd
c:\windows\system32\SysWoW32\mu659558835v5
c:\windows\system32\SysWoW32\mu659558835v5.kwd
c:\windows\system32\SysWoW32\wu659558835v0
c:\windows\system32\SysWoW32\wu659558835v0.kwd
c:\windows\system32\SysWoW32\wu659558835v1
c:\windows\system32\SysWoW32\wu659558835v1.kwd
c:\windows\system32\SysWoW32\wu659558835v2
c:\windows\system32\SysWoW32\wu659558835v2.kwd
c:\windows\system32\SysWoW32\wu659558835v3
c:\windows\system32\SysWoW32\wu659558835v3.kwd
c:\windows\system32\unrar.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 21:17 . 2010-03-03 21:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-25 19:49 . 2010-02-25 19:54 -------- d-----w- c:\users\Ian\AppData\Roaming\dvdcss
2010-02-23 19:25 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 19:23 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 19:23 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 19:23 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 19:23 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 19:23 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 19:23 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 19:23 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 19:23 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 19:23 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 19:23 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 19:23 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 19:23 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-23 19:08 . 2010-02-23 19:08 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-02-23 19:08 . 2010-03-03 20:57 -------- d-----w- c:\users\Ian\AppData\Roaming\Spyware Terminator
2010-02-23 19:07 . 2010-03-03 18:47 -------- d-----w- c:\programdata\Spyware Terminator
2010-02-23 19:07 . 2010-02-23 21:04 -------- d-----w- c:\program files\Spyware Terminator
2010-02-20 08:51 . 2010-02-20 08:51 -------- d-----w- c:\users\Ian\AppData\Local\Safe mirror
2010-02-20 08:51 . 2010-02-20 08:51 -------- d-----w- c:\program files\Cobian Backup 10
2010-02-15 20:23 . 2010-02-15 20:23 -------- d-----w- c:\windows\Sun
2010-02-09 22:13 . 2010-02-09 23:25 -------- d-----w- c:\users\Ian\Incomplete
2010-02-09 22:11 . 2010-02-20 10:53 -------- d-----w- c:\programdata\WinMX Music
2010-02-09 22:11 . 2010-02-20 10:53 -------- d-----w- c:\users\Ian\AppData\Roaming\WinMX Music
2010-02-09 21:02 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-09 21:02 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-09 21:02 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 21:02 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 21:01 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-09 21:01 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-09 21:00 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-09 21:00 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-09 21:00 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-09 21:00 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-09 21:00 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-09 21:00 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-09 21:00 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-09 21:00 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-09 21:00 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-09 21:00 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-09 21:00 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 23:46 . 2006-11-09 21:16 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-25 08:30 . 2007-12-17 18:54 105504 ----a-w- c:\users\Ian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-11 16:43 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 19:08 . 2010-02-23 19:08 6144 ----a-w- c:\programdata\Spyware Terminator\sp_rsdel.exe
2010-02-23 19:08 . 2010-02-23 19:08 5632 ----a-w- c:\programdata\Spyware Terminator\fileobjinfo.sys
2010-02-21 20:39 . 2010-01-03 21:14 -------- d-----w- c:\program files\SpywareBlaster
2010-02-18 20:31 . 2010-01-03 21:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-18 20:25 . 2010-01-03 21:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 21:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-14 21:50 . 2008-11-29 12:44 -------- d-----w- c:\program files\uTorrent
2010-02-09 23:33 . 2008-11-29 12:44 -------- d-----w- c:\users\Ian\AppData\Roaming\uTorrent
2010-02-09 22:58 . 2010-02-09 22:58 738304 --sha-w- c:\users\Ian\AppData\Roaming\C40C.tmp
2010-02-06 16:24 . 2008-02-04 20:09 -------- d-----w- c:\program files\Last.fm
2010-01-06 15:38 . 2010-02-23 19:23 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 19:23 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-23 19:23 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 19:23 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-03 22:21 . 2010-01-03 22:21 -------- d-----w- c:\program files\VS Revo Group
2010-01-03 21:59 . 2010-01-03 21:59 -------- d-----w- c:\users\Ian\AppData\Roaming\Auslogics
2010-01-03 21:59 . 2010-01-03 21:59 -------- d-----w- c:\program files\Auslogics
2010-01-03 20:58 . 2010-01-03 20:58 -------- d-----w- c:\program files\Real Alternative
2010-01-03 20:56 . 2010-01-03 20:56 -------- d-----w- c:\program files\QuickTime Alternative
2010-01-03 20:56 . 2008-04-08 15:27 -------- d-----w- c:\programdata\Apple Computer
2010-01-03 20:54 . 2010-01-03 20:54 -------- d-----w- c:\users\Ian\AppData\Roaming\Foxit
2010-01-03 20:54 . 2010-01-03 20:54 -------- d-----w- c:\program files\Foxit Software
2010-01-03 20:51 . 2009-01-02 01:21 -------- d-----w- c:\program files\Uniblue
2010-01-03 20:51 . 2009-01-02 01:47 -------- d-----w- c:\programdata\DriverScanner
2010-01-03 20:51 . 2009-01-02 01:22 -------- d-----w- c:\users\Ian\AppData\Roaming\uniblue
2010-01-03 20:50 . 2008-02-24 16:48 -------- d-----w- c:\program files\Common Files\Real
2010-01-03 20:50 . 2008-02-24 16:46 -------- d-----w- c:\program files\Real
2010-01-03 20:46 . 2008-11-23 20:18 -------- d-----w- c:\program files\Opera
2010-01-03 20:44 . 2009-10-31 11:15 -------- d-----w- c:\program files\Common Files\Nero
2010-01-03 20:43 . 2009-10-31 11:15 -------- d-----w- c:\programdata\Nero
2010-01-03 20:43 . 2009-10-31 11:15 -------- d-----w- c:\program files\Nero
2010-01-03 20:34 . 2009-01-02 10:54 -------- d-----w- c:\programdata\Lavasoft
2010-01-03 20:00 . 2010-01-03 20:00 -------- d-----w- c:\programdata\Avira
2010-01-03 20:00 . 2010-01-03 20:00 -------- d-----w- c:\program files\Avira
2010-01-03 19:26 . 2010-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 19:26 . 2007-09-26 20:11 -------- d-----w- c:\program files\Java
2009-12-18 13:01 . 2010-01-28 20:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 11:44 . 2010-01-28 20:58 834048 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-02-23 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-03 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-06-05 16:12 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-01-12 13:36 827392 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:ac,6e,bf,24,c0,69,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-587574034-1986902060-3379709226-1006]
"EnableNotificationsRef"=dword:00000003

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\System32\drivers\sp_rsdrv2.sys [23/02/2010 19:08 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/01/2010 20:00 108289]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 10:25 167936]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [20/01/2008 23:30 227328]
S3 VF0350Afx;VF0350 Audio FX;c:\windows\System32\drivers\V0350Afx.sys [11/08/2008 17:54 142656]
S3 VF0350Vfx;VF0350 Video FX;c:\windows\System32\drivers\V0350Vfx.sys [11/08/2008 17:54 7424]
S3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\System32\drivers\V0350Vid.sys [11/08/2008 17:54 170368]
S3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\System32\drivers\WlanUZG.sys [03/02/2008 20:48 449536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{0161E51C-46BA-4BBE-AC6B-891DFA358723} - c:\windows\System32\dot3cfg32.dll
HKCU-Run-RTHDBPL - c:\users\Ian\AppData\Roaming\SystemProc\lsass.exe
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-Boots Insert Detect - c:\program files\Picture Suite\InsDetect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 21:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\users\Ian\AppData\Roaming\SystemProc\lsass.exe???????????????????????????????????#???????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-03 21:26:34
ComboFix-quarantined-files.txt 2010-03-03 21:26

Pre-Run: 12,659,343,360 bytes free
Post-Run: 12,641,079,296 bytes free

- - End Of File - - 548259F505D95378AF73A50234482E62


#10 Ianjames (Topic Starter)

Posted 03 March 2010 - 04:36 PM

It says Windows Defender "enabled" there - but it is actually turned off on my computer.
Of course, this may just be me reading things I know nothing about and completely misinterpreting them... not for the first time...

#11 thewall (Malware Response Team)

Posted 03 March 2010 - 05:36 PM

It's OK, those things show up like that at times even when they have been disabled. Looks like it did a good job overall.

I would like for you to run ESET next but uncheck where it says to remove found threats and we'll look at anything it returns before having it delete them.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#12 Ianjames (Topic Starter)

Posted 04 March 2010 - 02:30 AM

For a minute, I thought ComboFix had got rid of everything... oh well...

C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\u29ch6zl.Ian\extensions\{c5f0f90d-6a8e-4fcb-8791-f4e1e67f30ac}\chrome\xulcache.jar.vir probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\SystemProc\lsass.exe.vir Win32/Dursg.B trojan
C:\Users\Ian\AppData\Roaming\Thunderbird\Profiles\yhw881we.default\Mail\Local Folders\Inbox multiple threats
C:\Users\Ian\Downloads\Nero-7.11.10.0_all_update.exe Win32/Toolbar.AskSBar application


#13 thewall (Malware Response Team)

Posted 04 March 2010 - 09:05 AM

That's not bad at all. Those Qoobox entries are the ComboFix quarantine area and those would be gone anyway once we uninstall ComboFix. Go ahead and run ESET again and let it remove whatever it finds, and if there is anything left we will take care of it.

Other than that, if everything is still running well we should be able to finish up when we get the results back from ESET again.
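Post #13 makes a triage distinction that is easy to automate: ESET hits under C:\Qoobox\Quarantine (files ComboFix renamed with a .vir suffix) are already neutralised, while hits on other paths are live. The script below is an added example, not code from the thread, ESET or ComboFix; it assumes the quarantine layout visible in the thread's paths (C:\Qoobox\Quarantine\<drive>\...) and report lines of the form path, separator, detection name, and it uses lines copied from the ESET output posted earlier as sample input.

```python
# Triage an ESET OnlineScan report: detections already inside the ComboFix
# quarantine (C:\Qoobox\Quarantine, files renamed *.vir) versus detections on
# live paths that still need removal. Added example; assumptions marked below.
from typing import Dict, List, Tuple

QUARANTINE_ROOT = "c:\\qoobox\\quarantine\\"  # layout seen in the thread's log (assumed general)
QUARANTINE_SUFFIX = ".vir"                    # ComboFix's rename of quarantined files

# Sample report lines, copied from the ESET output posted earlier in this thread.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\Users\\Ian\\AppData\\Roaming\\SystemProc\\lsass.exe.vir Win32/Dursg.B trojan
C:\\Users\\Ian\\AppData\\Roaming\\Thunderbird\\Profiles\\yhw881we.default\\Mail\\Local Folders\\Inbox multiple threats
C:\\Users\\Ian\\Downloads\\Nero-7.11.10.0_all_update.exe Win32/Toolbar.AskSBar application
"""

def split_line(line: str) -> Tuple[str, str]:
    """Return (path, detection). ESET separates them with a tab; if the tab was
    collapsed to spaces (forum paste), the path is assumed to end at the last
    token containing a backslash, which holds unless the file name has a space."""
    if "\t" in line:
        path, detection = line.split("\t", 1)
        return path.strip(), detection.strip()
    tokens = line.split()
    idx = [i for i, t in enumerate(tokens) if "\\" in t]
    if not idx:                      # no path at all: keep the line, no verdict
        return line.strip(), ""
    return " ".join(tokens[: idx[-1] + 1]), " ".join(tokens[idx[-1] + 1 :])

def original_location(qpath: str) -> str:
    """Map C:\\Qoobox\\Quarantine\\<drive>\\...\\name.vir back to its live path."""
    drive, _, tail = qpath[len(QUARANTINE_ROOT):].partition("\\")
    if tail.lower().endswith(QUARANTINE_SUFFIX):
        tail = tail[: -len(QUARANTINE_SUFFIX)]
    return f"{drive}:\\{tail}"

def triage(report: str) -> Dict[str, List[dict]]:
    """Bucket detections: 'quarantined' (handled by ComboFix) or 'live' (still on disk)."""
    buckets: Dict[str, List[dict]] = {"quarantined": [], "live": []}
    for line in report.splitlines():
        if not line.strip():
            continue
        path, detection = split_line(line)
        entry = {"path": path, "detection": detection}
        if path.lower().startswith(QUARANTINE_ROOT):
            entry["original"] = original_location(path)
            buckets["quarantined"].append(entry)
        else:
            buckets["live"].append(entry)
    return buckets
```

The "original" field on a quarantined entry shows where the file sat before ComboFix moved it, which is what you would check against the ComboFix log's ORPHANS REMOVED section.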

#14 Ianjames (Topic Starter)

Posted 04 March 2010 - 04:34 PM

Hi,

Thanks for your help so far - that's good news about ComboFix getting rid of most of it.
I tried to run ESET and I got the message "can not get update. Is proxy server configured?". Thinking it might be the fact that it was already on my computer, I removed the original file and re-installed it. Still no joy. I've tried all the clever technical tricks I know, including turning the computer off and on again and...

err...

that's it.

Is it something I'm doing wrong?

Cheers

#15 thewall (Malware Response Team)

Posted 04 March 2010 - 04:54 PM

No, I don't think you are doing anything wrong. I haven't run into that before, but we won't worry about it; let's just try deleting them manually using Windows Explorer.

The first one below is from Thunderbird and I am not familiar with it. The file I have in bold should be what we want to take off, but if you don't think that's correct let me know.

C:\Users\Ian\AppData\Roaming\Thunderbird\Profiles\yhw881we.default
C:\Users\Ian\Downloads\Nero-7.11.10.0_all_update.exe