
I am depressed due to a virus


  • This topic is locked
3 replies to this topic

#1 iang1975

iang1975

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 25 March 2010 - 12:29 PM

Dear sirs,

I hope you can help with this probably common problem. I recently opened an MS-DOS icon that I shouldn't have, which immediately started to not produce what it should have, and I manually shut the PC down ASAP, but it was too late. On the next boot up I got various pop-ups from near the clock with hijacked alerts etc. and it also wanted me to purchase antivirus software. I managed to get this off with malware removal, and with this I went straight to PC World and bought Norton 2010, which I installed as I had been running my PC without any antivirus software other than System Care 3. As soon as I installed Norton, just like last time, everything went painfully slow. I had run a full scan and deleted the infections it had found. I also during this period installed IE8 and uninstalled it after things got worse, with pages popping up on their own showing other stuff. Basically I've been installing, uninstalling, deleting various programs etc. until I came across a thread relating to the same problem I have now. That is, IE7 closes as soon as I boot it up; in the Control Panel the Internet Options icon is there but with no wording and will not open, although I have been able to open this via Run and some type of command I found on another thread! Lastly I have noticed that MS Paint has buggered and it will not open and the program icon has gone. So I have run ComboFix, which found some problems and deleted them, but the PC is still not willing to co-operate.

I have the following result from combofix:

ComboFix 10-03-24.03 - Administrator 25/03/2010 16:53:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.999.660 [GMT 0:00]
Running from: F:ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:documents and settingsAdministratorLocal SettingsApplication Data{7EAE0692-9EF9-4AE4-AE60-2F3B4281463A}
c:documents and settingsAdministratorLocal SettingsApplication Data{7EAE0692-9EF9-4AE4-AE60-2F3B4281463A}chromecontent_cfg.js
c:documents and settingsAdministratorLocal SettingsApplication Data{7EAE0692-9EF9-4AE4-AE60-2F3B4281463A}chromecontentoverlay.xul
c:documents and settingsAdministratorLocal SettingsApplication Data{7EAE0692-9EF9-4AE4-AE60-2F3B4281463A}install.rdf
c:documents and settingsAdministratorLocal SettingsApplication DataWindows Server
c:documents and settingsAdministratorpoobeaf.exe
c:documents and settingsAll Users.documentssettings
c:documents and settingsAll UsersFavorites_favdata.dat
c:program filesSearch Settings
c:program filesSearch Settingskb127SearchSettings.dll
c:program filesSearch Settingskb127SearchSettingsRes409.dll
c:program filesSearch SettingsSearchSettings.exe
c:recyclerS-1-5-21-3407336184-2738722142-4166168377-500
c:windowsavefagelewizuter.dll
c:windowsuyejoful.dll
D:AUTORUN.INF

Infected copy of c:windowssystem32DRIVERSatapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 16:17 . 2010-03-25 17:00 118784 ----a-w- c:windowssystem32chg.exe
2010-03-25 14:12 . 2010-03-25 14:12 -------- d-----w- c:documents and settingsAdministratorApplication DataUniblue
2010-03-25 13:52 . 2010-03-25 13:52 -------- d-----w- c:program filesCCleaner
2010-03-25 13:35 . 2010-03-25 13:35 -------- d-----w- c:program filesRecuva
2010-03-25 12:25 . 2008-04-14 01:12 116224 ----a-w- c:windowssystem32dllcachexrxwiadr.dll
2010-03-25 12:25 . 2001-08-17 22:36 23040 ----a-w- c:windowssystem32dllcachexrxwbtmp.dll
2010-03-25 12:25 . 2008-04-14 01:12 18944 ----a-w- c:windowssystem32dllcachexrxscnui.dll
2010-03-25 12:25 . 2001-08-17 22:37 27648 ----a-w- c:windowssystem32dllcachexrxftplt.exe
2010-03-25 12:25 . 2001-08-17 22:37 4608 ----a-w- c:windowssystem32dllcachexrxflnch.exe
2010-03-25 12:25 . 2001-08-17 22:37 99865 ----a-w- c:windowssystem32dllcachexlog.exe
2010-03-25 12:25 . 2001-08-17 12:11 16970 ----a-w- c:windowssystem32dllcachexem336n5.sys
2010-03-25 12:25 . 2008-04-13 19:46 19200 ----a-w- c:windowssystem32dllcachewstcodec.sys
2010-03-25 12:23 . 2001-08-17 12:10 35871 ----a-w- c:windowssystem32dllcachewbfirdma.sys
2010-03-25 12:22 . 2001-08-17 13:28 794399 ----a-w- c:windowssystem32dllcacheusr1806v.sys
2010-03-25 12:21 . 2001-08-17 12:51 166784 ----a-w- c:windowssystem32dllcachetridxpm.sys
2010-03-25 12:20 . 2008-04-13 19:40 149376 ----a-w- c:windowssystem32dllcachetffsport.sys
2010-03-25 12:19 . 2001-08-17 12:18 285760 ----a-w- c:windowssystem32dllcachestlnata.sys
2010-03-25 12:18 . 2001-08-17 12:12 25034 ----a-w- c:windowssystem32dllcachesmcpwr2n.sys
2010-03-25 12:17 . 2001-07-21 14:29 161568 ----a-w- c:windowssystem32dllcachesgsmusb.sys
2010-03-25 12:16 . 2001-08-17 12:50 61504 ----a-w- c:windowssystem32dllcaches3sav3dm.sys
2010-03-25 12:15 . 2001-08-17 13:28 714762 ----a-w- c:windowssystem32dllcacher2mdmkxx.sys
2010-03-25 12:14 . 2001-08-17 22:36 121344 ----a-w- c:windowssystem32dllcachephvfwext.dll
2010-03-25 12:13 . 2001-08-17 14:05 351616 ----a-w- c:windowssystem32dllcacheovcodek2.sys
2010-03-25 12:12 . 2001-08-17 12:20 126080 ----a-w- c:windowssystem32dllcachenm5a2wdm.sys
2010-03-25 12:11 . 2008-04-13 19:46 49024 ----a-w- c:windowssystem32dllcachemstape.sys
2010-03-25 12:11 . 2008-04-13 19:39 5504 ----a-w- c:windowssystem32dllcachemstee.sys
2010-03-25 12:11 . 2001-08-17 13:48 12416 ----a-w- c:windowssystem32dllcachemsriffwv.sys
2010-03-25 12:11 . 2001-08-17 14:00 2944 ----a-w- c:windowssystem32dllcachemsmpu401.sys
2010-03-25 12:11 . 2008-04-13 19:54 22016 ----a-w- c:windowssystem32dllcachemsircomm.sys
2010-03-25 12:11 . 2006-02-28 07:00 98304 ----a-w- c:windowssystem32dllcachemsir3jp.dll
2010-03-25 12:11 . 2006-02-28 07:00 126976 ----a-w- c:windowssystem32dllcachemshearts.exe
2010-03-25 12:11 . 2001-08-17 14:02 35200 ----a-w- c:windowssystem32dllcachemsgame.sys
2010-03-25 12:11 . 2001-08-17 13:48 6016 ----a-w- c:windowssystem32dllcachemsfsio.sys
2010-03-25 12:11 . 2008-04-13 19:46 51200 ----a-w- c:windowssystem32dllcachemsdv.sys
2010-03-25 12:11 . 2001-08-17 13:52 17280 ----a-w- c:windowssystem32dllcachemraid35x.sys
2010-03-25 12:09 . 2006-02-28 07:00 22016 ----a-w- c:windowssystem32dllcachelogscrpt.dll
2010-03-25 12:08 . 2008-04-14 01:11 28160 ----a-w- c:windowssystem32dllcacheirmon.dll
2010-03-25 12:07 . 2001-08-17 14:06 100992 ----a-w- c:windowssystem32dllcacheicam5usb.sys
2010-03-25 12:06 . 2001-08-17 13:28 199711 ----a-w- c:windowssystem32dllcachehsf_faxx.sys
2010-03-25 12:05 . 2001-08-17 12:49 322432 ----a-w- c:windowssystem32dllcacheg400m.sys
2010-03-25 12:04 . 2001-08-17 13:28 347550 ----a-w- c:windowssystem32dllcachees56tpi.sys
2010-03-25 12:03 . 2001-08-17 13:47 23808 ----a-w- c:windowssystem32dllcachedot4usb.sys
2010-03-25 12:02 . 2001-08-17 12:19 111872 ----a-w- c:windowssystem32dllcachecwcspud.sys
2010-03-25 12:01 . 2001-08-17 13:51 13824 ----a-w- c:windowssystem32dllcachebulltlp3.sys
2010-03-25 12:00 . 2001-08-17 22:36 5632 ----a-w- c:windowssystem32dllcacheEXCH_adsiisex.dll
2010-03-25 11:59 . 2006-02-28 07:00 7680 ----a-w- c:windowssystem32dllcacheinetmgr.exe
2010-03-25 11:59 . 2006-02-28 07:00 19968 ----a-w- c:windowssystem32dllcacheinetsloc.dll
2010-03-25 11:59 . 2006-02-28 07:00 5632 ----a-w- c:windowssystem32dllcacheiisrstap.dll
2010-03-25 11:59 . 2006-02-28 07:00 169984 ----a-w- c:windowssystem32dllcacheiisui.dll
2010-03-25 11:59 . 2006-02-28 07:00 14336 ----a-w- c:windowssystem32dllcacheiisreset.exe
2010-03-25 11:59 . 2006-02-28 07:00 6144 ----a-w- c:windowssystem32dllcacheftpsapi2.dll
2010-03-25 11:44 . 2010-03-25 11:44 -------- d-----w- c:documents and settingsAll UsersApplication DataNorton Installer
2010-03-25 11:24 . 2010-03-25 11:24 -------- d-----w- c:documents and settingsAdministratorApplication DataTific
2010-03-25 09:59 . 2010-03-25 09:59 1956656 ----a-w- c:documents and settingsAll UsersApplication DataNOSAdobe_Downloadsinstall_flash_player_ax.exe
2010-03-25 09:59 . 2010-03-25 09:59 1975408 ----a-w- c:documents and settingsAll UsersApplication DataNOSAdobe_DownloadsGoogleToolbarInstaller_en32_signed.exe
2010-03-25 09:59 . 2010-03-25 10:25 -------- d-----w- c:documents and settingsAll UsersApplication DataNOS
2010-03-24 16:12 . 2010-03-25 16:17 -------- d-----w- c:documents and settingsAll UsersApplication DataNorton
2010-03-24 16:12 . 2010-03-24 16:12 -------- d-----w- c:program filesWindows Sidebar
2010-03-24 16:08 . 2010-03-24 16:12 -------- d-----w- c:documents and settingsAll UsersApplication DataNortonInstaller
2010-03-24 11:39 . 2010-03-24 11:39 -------- d-----w- c:documents and settingsAdministratorApplication DataMalwarebytes
2010-03-24 11:39 . 2010-03-24 11:39 -------- d-----w- c:documents and settingsAll UsersApplication DataMalwarebytes
2010-03-24 04:11 . 2010-03-24 17:07 -------- d-----w- c:documents and settingsNetworkServiceLocal SettingsApplication Datactsphc
2010-03-24 04:09 . 2010-03-24 04:09 552 ----a-w- c:windowssystem32d3d8caps.dat
2010-03-24 04:09 . 2010-03-24 04:09 664 ----a-w- c:windowssystem32d3d9caps.dat
2010-03-23 16:48 . 2010-03-23 16:48 -------- d-----w- c:documents and settingsAdministratorLocal SettingsApplication DataOpera
2010-03-23 14:07 . 2010-01-05 10:00 78336 ----a-w- c:windowssystem32ieencode.dll
2010-03-23 14:07 . 2010-01-05 10:00 78336 ----a-w- c:windowssystem32dllcacheieencode.dll
2010-03-23 14:04 . 2009-12-21 19:14 12800 ------w- c:windowssystem32dllcachexpshims.dll
2010-03-23 14:04 . 2009-12-21 19:14 246272 ------w- c:windowssystem32dllcacheieproxy.dll
2010-03-23 13:23 . 2010-03-23 13:23 95024 ----a-w- c:windowssystem32driversSBREDrv.sys
2010-03-23 13:20 . 2010-03-24 13:36 -------- d-----w- c:documents and settingsAll UsersApplication DataLavasoft
2010-03-23 12:39 . 2010-03-23 12:39 -------- d-----w- c:windowssystem32wbemRepository
2010-03-23 11:56 . 2010-03-23 11:59 -------- d-----w- c:windowssystem32NtmsData
2010-03-22 14:57 . 2010-03-22 14:57 -------- d-----w- c:documents and settingsAdministratorApplication DataTrusteer
2010-03-22 14:57 . 2010-03-22 14:57 -------- d-----w- c:program filesTrusteer
2010-03-22 14:56 . 2010-03-22 14:56 -------- d-----w- c:documents and settingsAll UsersApplication DataTrusteer
2010-03-21 09:52 . 2010-03-21 09:52 -------- d-sh--w- c:windowssystem32configsystemprofileIETldCache
2010-03-21 09:45 . 2010-03-25 09:26 -------- d-----w- c:windowsie8updates
2010-03-20 12:35 . 2010-03-20 12:35 -------- d-----w- c:documents and settingsLocalServiceIETldCache
2010-03-19 17:30 . 2010-03-19 17:30 -------- d-----w- c:documents and settingsAdministratorIECompatCache
2010-03-19 17:29 . 2010-03-19 17:29 -------- d-sh--w- c:documents and settingsAdministratorPrivacIE
2010-03-19 17:28 . 2010-03-19 17:28 -------- d-sh--w- c:documents and settingsNetworkServiceIETldCache
2010-03-19 17:28 . 2010-03-19 17:28 -------- d-sh--w- c:documents and settingsAdministratorIETldCache
2010-03-19 17:22 . 2010-03-23 12:39 -------- d-----w- c:documents and settingsNetworkServiceLocal SettingsApplication DataAdobe
2010-03-19 17:13 . 2010-03-23 09:24 120 ----a-w- c:windowsHtaxiyitej.dat
2010-03-19 17:13 . 2010-03-23 09:24 0 ----a-w- c:windowsGlejuf.bin
2010-03-19 16:27 . 2010-03-19 16:27 225792 ----a-w- c:documents and settingsAdministratortYBJhP.exe
2010-03-19 16:03 . 2010-03-19 16:03 -------- d--h--w- c:windowsPIF
2010-03-18 15:47 . 2010-03-18 15:47 -------- d-----w- c:program filesQuickTime
2010-03-18 15:47 . 2010-03-18 15:47 -------- d-----w- c:documents and settingsAll UsersApplication DataApple Computer
2010-03-18 15:46 . 2010-03-18 15:46 -------- d-----w- c:documents and settingsAdministratorLocal SettingsApplication DataApple
2010-03-18 15:46 . 2010-03-18 15:46 -------- d-----w- c:program filesApple Software Update
2010-03-18 15:46 . 2010-03-18 15:46 -------- d-----w- c:documents and settingsAll UsersApplication DataApple
2010-03-18 15:46 . 2010-03-18 15:46 -------- d-----w- c:documents and settingsAdministratorLocal SettingsApplication DataApple Computer
2010-03-18 09:02 . 2010-02-12 10:03 293376 ------w- c:windowssystem32browserchoice.exe
2010-03-18 08:33 . 2010-03-18 08:33 -------- d-----w- c:documents and settingsAll UsersApplication DataIObit
2010-03-11 16:07 . 2010-03-11 16:07 -------- d-----w- c:documents and settingsAdministratorLocal SettingsApplication DataWinZip
2010-02-25 09:19 . 2010-02-25 09:19 -------- d-----w- c:documents and settingsNetworkServiceLocal SettingsApplication DataTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 16:13 . 2008-02-15 16:12 -------- d-----w- c:program filesCommon FilesSymantec Shared
2010-03-25 16:11 . 2009-07-20 08:25 -------- d---a-w- c:documents and settingsAll UsersApplication DataTEMP
2010-03-25 10:11 . 2004-08-04 00:59 96512 ----a-w- c:windowssystem32driversatapi.sys
2010-03-25 09:59 . 2008-03-03 10:12 -------- d-----w- c:program filesGoogle
2010-03-24 15:49 . 2008-05-22 11:44 91936 ----a-w- c:windowssystem32GDIPFONTCACHEV1.DAT
2010-03-23 11:01 . 2008-09-25 10:23 -------- d-----w- c:program filesWindows Media Connect 2
2010-03-22 11:32 . 2009-04-06 21:12 -------- d-----w- c:documents and settingsAdministratorApplication DataIObit
2010-03-19 16:26 . 2009-10-12 18:02 -------- d-----w- c:documents and settingsAdministratorApplication DataBitTorrent
2010-03-11 16:07 . 2009-02-17 13:14 -------- d-----w- c:documents and settingsAll UsersApplication DataWinZip
2010-03-10 17:38 . 2008-02-15 16:08 -------- d-----w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2010-02-03 09:17 . 2010-02-03 09:16 -------- d-----w- c:documents and settingsAdministratorApplication DataHpUpdate
2010-02-03 09:16 . 2008-02-20 09:33 -------- d-----w- c:program filesHP
2010-01-05 10:00 . 2006-02-28 02:00 832512 ----a-w- c:windowssystem32wininet.dll
2010-01-05 10:00 . 2006-02-28 02:00 17408 ----a-w- c:windowssystem32corpol.dll
2009-12-31 16:50 . 2006-02-28 02:00 353792 ----a-w- c:windowssystem32driverssrv.sys
2009-08-25 19:50 . 2009-08-25 19:50 8192 -csha-w- c:windowso2cLicStore.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"swg"="c:program filesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe" [2010-03-25 39408]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"IgfxTray"="c:windowssystem32igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:windowssystem32hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:windowssystem32igfxpers.exe" [2006-07-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"PTHOSTTR"="c:program filesHewlett-PackardHP ProtectTools Security ManagerPTHOSTTR.EXE" [2006-06-08 131072]
"SDMSSplash"="c:program filesHP_SDMSSDMSSplashlauncher.exe" [2006-03-10 86016]
"SetRefresh"="c:program filesCompaqSetRefreshSetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:progra~1HPQIAMBinAsTsVcc.dll" [2003-12-22 17920]
"Recguard"="c:windowsSminstRecguard.exe" [2006-05-12 1138688]
"Scheduler"="c:windowsSMINSTScheduler.exe" [2006-07-10 872448]
"HP Software Update"="c:program filesHPHP Software UpdateHPWuSchd2.exe" [2007-05-08 54840]
"ISUSScheduler"="c:program filesCommon FilesInstallShieldUpdateServiceissch.exe" [2006-09-11 86960]
"Acrobat Assistant 8.0"="c:program filesAdobeAcrobat 8.0AcrobatAcrotray.exe" [2008-10-14 623992]
"Adobe Acrobat Speed Launcher"="c:program filesAdobeAcrobat 8.0AcrobatAcrobat_sl.exe" [2008-10-15 45936]
"RoxWatchTray"="c:program filesCommon FilesRoxio Shared9.0SharedCOMRoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:program filesQuickTimeQTTask.exe" [2009-05-26 413696]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyIfxWlxEN]
2006-04-07 04:00 434176 ----a-w- c:windowssystem32IfxWlxEN.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyOneCard]
2006-06-07 19:26 40448 ----a-w- c:program filesHPQIAMBinAsWlnPkg.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwindows]
"AppInit_DLLs"=c:windowssystem32acaptuser32.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSpeechExec Startup]
2007-04-26 10:20 16384 ----a-w- c:program filesCommon FilesPhilips Speech SharedComponentsPSP.SpeechExec.StartupApp.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;c:windowssystem32driverspsd.sys [07/04/2006 04:46 31104]
R2 ASChannel;Local Communication Channel;c:windowsSystem32svchost.exe -k Cognizance [28/02/2006 02:00 14336]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:windowssystem32driversBLKWGU.sys [27/11/2009 12:55 238848]
R3 IFXTPM;IFXTPM;c:windowssystem32driversifxtpm.sys [14/12/2007 17:51 36608]
S0 gtspsp;gtspsp; [x]
S2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:windowssystem32DriversBTWSp50.sys --> c:windowssystem32DriversBTWSp50.sys [?]
S2 gupdate1c98ac521dfe422;Google Update Service (gupdate1c98ac521dfe422);c:program filesGoogleUpdateGoogleUpdate.exe [09/02/2009 14:45 133104]
S3 VirtDisk;XSS Virtual Disk Driver;c:windowsSMINSTvirtdisk.sys [14/12/2007 18:06 57344]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:windowsTasksGoogleUpdateTaskMachineCore.job
- c:program filesGoogleUpdateGoogleUpdate.exe [2009-02-09 14:45]

2010-03-25 c:windowsTasksGoogleUpdateTaskMachineUA.job
- c:program filesGoogleUpdateGoogleUpdate.exe [2009-02-09 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:program filesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: Google Sidewiki... - c:program filesGoogleGoogle ToolbarComponentGoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:program filesWIDCOMMBluetooth Softwarebtsendto_ie_ctx.htm
IE: Send To Bluetooth - c:program filesWIDCOMMBluetooth Softwarebtsendto_ie.htm
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SearchSettings - c:program filesSearch SettingsSearchSettings.exe
AddRemove-HijackThis - f:hijackHijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 17:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERSS-1-5-21-2112968162-2825430093-3996299352-500SoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,74,88,3a,18,61,7a,48,8a,3c,80,
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,74,88,3a,18,61,7a,48,8a,3c,80,

[HKEY_USERSS-1-5-21-2112968162-2825430093-3996299352-500SoftwareMicrosoftSystemCertificatesAddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:program filesHPQIAMBinAsWlnPkg.dll
c:windowssystem32IfxWlxEN.dll
c:program filesHPQIAMBinASChnl.dll
c:windowssystem32WININET.dll
c:program filesHPQIAMBinItMsg.dll

- - - - - - - > 'explorer.exe'(4040)
c:windowssystem32WININET.dll
c:program filesHPQIAMBinSFSShell.dll
c:program filesHPQIAMbinItMsg.dll
c:windowssystem32ieframe.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32btncopy.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:program filesWIDCOMMBluetooth Softwarebinbtwdins.exe
c:windowssystem32DllHost.exe
c:windowssystem32IFXSPMGT.exe
c:windowssystem32IFXTCS.exe
c:program filesCommon FilesInterVideoRegMgriviRegMgr.exe
c:program filesJavajre6binjqs.exe
c:program filesMicrosoft SQL ServerMSSQLBinnsqlservr.exe
c:program filesProtectToolsEmbedded Security SoftwarePSDsrvc.EXE
c:windowssystem32HPZipm12.exe
c:program filesHPQIAMbinasghost.exe
c:program filesProtectToolsEmbedded Security SoftwarePSDrt.exe
c:windowsRTHDCPL.EXE
c:program filesHewlett-PackardSharedhpqwmiex.exe
c:program filesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-03-25 17:04:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 17:04

Pre-Run: 114,177,363,968 bytes free
Post-Run: 114,231,435,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 022A5D314A71A120F1F782B19A42FC52



Please please please can someone help?

Kind regards
Ian

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Hi, it would seem that as usual I have done this arse about face. I am now making a backup of my files and I do apologise for posting a ComboFix log without being told to! I think I have deleted a lot of the Internet Explorer files, which could be the problem, as I have had no other problems with the PC other than IE and Paint.

I have no idea what kind of virus I had / have or what it is called.

Edited by boopme, 25 March 2010 - 01:51 PM.
Merged posts for 0 reply effect~~boopme
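Added example, not part of Ian's post or of ComboFix itself: a small Python triage script that reads ComboFix-style log lines like those above and flags the entries a responder would look at first (the patched atapi.sys, the browser proxy set to 127.0.0.1:5555, the AppInit_DLLs value and the Security Center overrides). The sample log is a constructed excerpt modelled on this thread's log with the backslashes restored, and the flagging rules are assumptions of the example.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).
The rules below are this example's assumptions, not ComboFix's own logic."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log in this thread (backslashes restored).
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<spec>\S+)")
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found")
# Values under "security center" that silence Windows Security Center alerts.
SECURITY_CENTER_SWITCHES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


@dataclass
class Finding:
    severity: str  # "critical": act on it; "review": confirm it is legitimate
    line: str      # the log line that triggered the finding
    reason: str


def proxy_hosts(spec):
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;...') into hosts."""
    hosts = []
    for part in spec.split(";"):
        if "=" in part:                       # per-protocol form: http=host:port
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0])  # drop the port
    return hosts


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text):
    """Return the Findings for a ComboFix-style log, in log order."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("key").lower()  # remember the current registry key
            continue
        if m := INFECTED_RE.match(line):
            findings.append(Finding("critical", line, f"{m.group('path')} was patched "
                "on disk; a modified core driver is a rootkit indicator"))
            continue
        if m := PROXY_RE.search(line):
            if any(is_loopback(h) for h in proxy_hosts(m.group("spec"))):
                findings.append(Finding("critical", line, "browser traffic is routed "
                    "through a proxy on this machine; a local process intercepts requests"))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, value = m.group("name"), m.group("value").strip()
        if name == "AppInit_DLLs" and value:
            findings.append(Finding("review", line, "loaded into every process that "
                "uses user32.dll; confirm the DLL belongs to installed software"))
        elif ("security center" in section and name in SECURITY_CENTER_SWITCHES
              and value.lower() == "dword:00000001"):
            findings.append(Finding("review", line, "Security Center alerting is "
                "suppressed; legitimate suites set this too, so match it to the product"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.line}\n    {f.reason}")
```

Run it as a script to print the findings for the sample; pass the text of a saved ComboFix.txt to triage() to apply the same rules to a real log.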



#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:06:45 PM

Posted 29 March 2010 - 09:02 PM

Hey iang1975,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure that you will get the best help from me. :)
  • To ensure that you are informed of the latest replies to your thread, you may like to right-click on Options at the top right-hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times, and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send a message to me on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. :)

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:06:45 PM

Posted 30 March 2010 - 08:46 AM

Hey iang1975,

Please do not run ComboFix without an expert's supervision; it is a very advanced tool. Let's run some preliminary scanning tools to dig out all the baddies. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)
RootRepeal.txt (attached)



#4 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:06:45 PM

Posted 04 April 2010 - 05:55 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact me. This applies only to the original topic starter. Everyone else please begin a New Topic.





