Infected with server.exe and many other viruses


  • This topic is locked
12 replies to this topic

#1 Csea

Csea

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:37 AM

Posted 04 April 2010 - 05:49 PM

Hi,

I have spent many hours over the last 2 weeks trying to get rid of the viruses and spyware that infected my computer. I have tried Malwarebytes, Spybot S&D and, most recently, Avast antivirus. I have been using Sophos antivirus all this time, but it seems to be lacking. Anyway, I hope you guys will be able to assist me in combating these terrible viruses on my computer.

I think the main culprit is the server.exe that keeps my computer open to all kinds of threats. This server.exe always installs itself when I start Windows (a window in the top left corner of the screen shows a Personalized Settings dialogue: setting up personalized settings at Windows/System32/Install/server.exe).

I am not sure whether having both Sophos and Avast running together would cause any kind of problem. If it does, I will have to get rid of one. Which is the better antivirus?




Note: I tried to submit this last night but was not able to. The submission always ended with the webpage disabled or broken. Could it be the virus blocking it? And every time I upload the Attach or Ark file, there is a virus detection message from Sophos. Another trick by the spyware or virus? Anyway, I hope it will go through this time. If not, I will have to use another computer to submit.

No luck; I am using my netbook to send this. Unfortunately, when I tried to copy the DDS, Attach and Ark text files using a USB flash drive, an audio advert came on! Straight away I realised that my flash drive is also infected!

Help! How can I get the DDS, Attach and Ark files to you guys for review?

I used email to send the files over. This is my DDS information:


DDS (Ver_10-03-17.01) - NTFSx86
Run by s-slee42 at 15:57:10.65 on Sun 04/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.54 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\install\server.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\program files\windows live\messenger\msnmsgr .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Documents and Settings\s-slee42\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HKCU] c:\windows\system32\install\server.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "d:\my music\thasha's treasures\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HKLM] c:\windows\system32\install\server.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
uExplorerRun: [Policies] c:\windows\system32\install\server.exe
mExplorerRun: [Policies] c:\windows\system32\install\server.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - ?p=ZUfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: CtxLsp.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107883735766
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hesesujet - {cf9226cf-e009-4618-a588-f68c1caf4c22} - c:\windows\system32\vogawuza.dll
SSODL: tahowewow - {52606d11-eeff-4635-903b-13d16d085551} - c:\windows\system32\vogawuza.dll
SSODL: nideletew - {26366ea4-8367-4e40-8a5e-acfd6a22ac9c} - c:\windows\system32\vogawuza.dll
STS: mujuzedij: {cf9226cf-e009-4618-a588-f68c1caf4c22} - c:\windows\system32\vogawuza.dll
STS: tokatiluy: {52606d11-eeff-4635-903b-13d16d085551} - c:\windows\system32\vogawuza.dll
STS: gahurihor: {26366ea4-8367-4e40-8a5e-acfd6a22ac9c} - c:\windows\system32\vogawuza.dll
LSA: Notification Packages = scecli mudvd80.dll lutajugi.dll halisuse.dll
mASetup: {1L2546HV-5X23-2256-PD3U-J6FL3KMOUV7R} - c:\windows\system32\install\Crypted.exe
mASetup: {CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\windows\system32\install\server.exe
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\s-slee42\applic~1\mozilla\firefox\profiles\w62t8003.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\s-slee42\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\s-slee42\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\s-slee42\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\s-slee42\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\downloads\reader\browser\nppdf32.dll
FF - plugin: d:\my music\thasha's treasures\mozilla plugins\npitunes.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-21 162640]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-11-20 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-11-20 38528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-21 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]
R2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2003-7-22 18848]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-11-12 220128]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-11-1 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-10-1 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-1 172032]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]
S2 Ias;MicroSoft Visual Services;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 Iprip;Windows Protected Services;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-1 14976]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-04-04 05:44:38 0 ----a-w- c:\documents and settings\s-slee42\defogger_reenable
2010-04-04 05:26:33 0 d-----w- C:\HijackThis
2010-04-04 05:26:24 0 ----a-w- C:\New Shortcut
2010-04-01 04:06:04 510029 ----a-w- C:\update.exe
2010-04-01 00:48:35 0 d-----w- c:\windows\_VOIDxymxnsmirx
2010-04-01 00:39:58 0 d-----w- c:\windows\_VOIDdcdtibivei
2010-04-01 00:35:54 0 d-sh--w- c:\windows\system32\lowsec
2010-04-01 00:12:22 0 d-----w- c:\windows\_VOIDnqqpxusppo
2010-03-29 23:07:28 88678 --sha-r- c:\windows\scchost .exe
2010-03-29 23:07:28 88678 ----a-w- c:\docume~1\s-slee42\applic~1\rssms32.exe
2010-03-29 04:51:05 155648 ----a-w- C:\sc.exe
2010-03-22 23:14:08 405581 ----a-w- C:\uro.exe
2010-03-21 22:01:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-21 19:47:21 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cac92f525c68ed.mof
2010-03-16 23:03:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-14 20:20:17 0 d-sh--r- c:\docume~1\s-slee42\applic~1\WindowsUpdate
2010-03-14 15:19:01 6148 ----a-w- c:\windows\wininit.ini
2010-03-14 01:21:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 20:38:31 0 d-----w- c:\program files\VS Revo Group
2010-03-13 18:36:23 0 d-----w- c:\docume~1\s-slee42\applic~1\Uniblue
2010-03-13 07:44:25 34325 ----a-w- c:\docume~1\s-slee42\applic~1\SQLite3.dll
2010-03-12 23:09:48 5 ----a-w- c:\windows\system32\YoItzVlad22222.tmp
2010-03-12 22:41:05 0 d-----w- c:\windows\system32\WindowsUpdate
2010-03-12 18:49:06 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-12 18:49:06 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-12 18:48:52 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-12 18:48:52 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-12 18:48:49 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-12 18:48:49 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-03-11 23:55:03 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 01:20:51 9 ----a-w- c:\windows\system32\DROPPEDFILEOK1.tmp

==================== Find3M ====================

2010-03-16 22:47:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-20 22:49:23 356352 ----a-w- c:\windows\eSellerateEngine.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2006-01-13 19:45:31 3102 -c--a-w- c:\program files\user.id
1601-01-01 00:03:28 7400 --sha-w- c:\windows\system32\halevilo.exe
2008-08-24 16:19:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 16:00:17.33 ===============


The Attach.txt and Ark.txt files are in the attached zip file.

Thank you in anticipation of your help.

Best regards.

Attached Files


Edited by Csea, 04 April 2010 - 09:01 PM.
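An added triage example, not part of the original post and not code from DDS or ComboFix: a small Python script that reads lines from the "Pseudo HJT Report" section of a DDS log and flags the kinds of entries a helper looks for in the log above. It checks for an extra program appended to the Winlogon Userinit chain, binaries with a space inserted before the extension (as in "msnmsgr .exe"), one executable registered in several autostart locations, EnableLUA=0 and DisableTaskMgr=1 policies, several shell service objects loading the same DLL, non-default LSA notification packages, Image File Execution Options debugger redirects, and hosts-file overrides. The sample lines are copied from the DDS log in the post; the rule names and thresholds are my own heuristics, not anything DDS itself defines.

```python
"""Heuristic triage of the "Pseudo HJT Report" section of a DDS log.

Added example: this is not code from the original post, from DDS, or from
ComboFix. The SAMPLE_REPORT lines are copied from the posted log; the rule
set and its names are the author's own heuristics and are not exhaustive.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Lines copied from the DDS log posted above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HKCU] c:\windows\system32\install\server.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [HKLM] c:\windows\system32\install\server.exe
uExplorerRun: [Policies] c:\windows\system32\install\server.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hesesujet - {cf9226cf-e009-4618-a588-f68c1caf4c22} - c:\windows\system32\vogawuza.dll
SSODL: tahowewow - {52606d11-eeff-4635-903b-13d16d085551} - c:\windows\system32\vogawuza.dll
LSA: Notification Packages = scecli mudvd80.dll lutajugi.dll halisuse.dll
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # heuristic name (my own labels)
    detail: str  # the offending value or line


# DDS prefixes for per-user (u), per-machine (m) and default-user (d) autorun keys.
AUTORUN_PREFIXES = ("uRun:", "mRun:", "dRun:", "uRunOnce:", "mRunOnce:",
                    "dRunOnce:", "uExplorerRun:", "mExplorerRun:")
# A whitespace character right before the extension: "msnmsgr .exe" mimics msnmsgr.exe.
SPACE_BEFORE_EXT = re.compile(r"\s\.(exe|dll|scr)\b", re.IGNORECASE)
# 'uRun: [name] "quoted path" args'  or  'uRun: [name] path args'
AUTORUN_TARGET = re.compile(r'^\w+:\s+\[[^\]]*\]\s+(?:"([^"]+)"|(\S+))')


def _autorun_target(line: str) -> str | None:
    m = AUTORUN_TARGET.match(line)
    return (m.group(1) or m.group(2)).lower() if m else None


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    autorun_locations: dict[str, list[str]] = defaultdict(list)
    shell_dlls: dict[str, list[str]] = defaultdict(list)

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Winlogon Userinit should run only userinit.exe; anything appended runs at every logon.
        if line.startswith("mWinlogon: Userinit="):
            for entry in line.split("=", 1)[1].split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith(r"\userinit.exe"):
                    findings.append(Finding("userinit-extra", entry))
        if SPACE_BEFORE_EXT.search(line):
            findings.append(Finding("space-before-ext", line))
        if line.startswith(AUTORUN_PREFIXES):
            target = _autorun_target(line)
            if target:
                autorun_locations[target].append(line.split(":", 1)[0])
        # Policies that remove UAC prompts or the user's ability to inspect processes.
        if line.startswith("mPolicies-system:") and (
                re.search(r"EnableLUA\s*=\s*0\b", line)
                or re.search(r"DisableTaskMgr\s*=\s*1\b", line)):
            findings.append(Finding("weakened-policy", line))
        # Shell service objects / shell task scheduler entries: collect the DLL each one loads.
        if line.startswith(("SSODL:", "STS:")):
            shell_dlls[line.rsplit(" - ", 1)[-1].lower()].append(line)
        # LSA notification packages: scecli is the Windows default; extra DLLs load into lsass.
        if line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":
                    findings.append(Finding("lsa-notification-package", pkg))
        # IFEO debugger entries redirect the named program to another binary.
        if line.startswith("IFEO:"):
            target, _, debugger = line[len("IFEO:"):].partition(" - ")
            findings.append(Finding("ifeo-debugger", f"{target.strip()} -> {debugger.strip()}"))
        # Hosts entries pointing a real name at loopback block that site.
        if line.startswith("Hosts:"):
            fields = line.split()
            if len(fields) >= 3 and fields[1] == "127.0.0.1" and fields[2].lower() != "localhost":
                findings.append(Finding("hosts-redirect", fields[2]))

    # Cross-line rules: redundancy is itself a signal.
    for target, keys in autorun_locations.items():
        if len(keys) >= 2:
            findings.append(Finding("autorun-multi-location", f"{target} in {len(keys)} locations"))
    for dll, lines in shell_dlls.items():
        if len(lines) >= 2:
            findings.append(Finding("shared-shell-dll", f"{dll} registered {len(lines)} times"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.rule:26} {f.detail}")
```

The cross-line rules are the ones a line-by-line read tends to miss: the same server.exe appearing under HKCU, HKLM and the Explorer policy key, or three differently named shell objects all resolving to one DLL, as in the log above.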



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 AM

Posted 05 April 2010 - 06:37 PM

Hello.

You seem to be infected with the TDL3 rootkit. More information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue to remove this, follow the instructions below.

QUOTE
I am not sure whether having both Sophos and Avast running together would cause any kind of problem. If it does, I will have to get rid of one. Which is the better antivirus?

Yes, please UNINSTALL ONE of them. I prefer Avast over Sophos. There are quite a few things we need to do, but we will start with ComboFix and continue from there.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Csea

Csea
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:37 AM

Posted 05 April 2010 - 11:03 PM

QUOTE(extremeboy @ Apr 5 2010, 06:37 PM)
Hello.

You seem to be infected with the TDL3 rootkit. More information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue to remove this, follow the instructions below.

QUOTE
I am not sure whether having both Sophos and Avast running together would cause any kind of problem. If it does, I will have to get rid of one. Which is the better antivirus?

Yes, please UNINSTALL ONE of them. I prefer Avast over Sophos. There are quite a few things we need to do, but we will start with ComboFix and continue from there.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


Dear extremeboy,

Thank you for your reply and suggestions.

I have uninstalled Sophos and am now left with Avast antivirus and Windows Firewall.

I encountered some problems when running ComboFix: the computer restarted twice. The first time was before ComboFix started scanning and the second time was after the scan finished. Fortunately, the report was generated after the second restart. I hope this restarting of the computer did not affect the ComboFix report.

Below is the ComboFix report:

ComboFix 10-04-05.01 - s-slee42 04/05/2010 22:15:32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.161 [GMT -5:00]
Running from: c:\documents and settings\s-slee42\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\s-slee42\Application Data\logs.dat
c:\documents and settings\s-slee42\Application Data\Microsoft\download.exe
c:\documents and settings\s-slee42\Application Data\Microsoft\winlog.exe
c:\documents and settings\s-slee42\Application Data\rssms32.exe
c:\documents and settings\s-slee42\Application Data\SQLite3.dll
c:\documents and settings\s-slee42\Local Settings\Application Data\Windows Server
c:\documents and settings\s-slee42\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\s-slee42\Local Settings\Application Data\Windows Server\uses32.dat
c:\program files\Common Files\Uninstall
C:\update.exe
c:\windows\_VOIDdcdtibivei
c:\windows\_VOIDnqqpxusppo
c:\windows\_VOIDxymxnsmirx
c:\windows\ejusoxeb.dll
c:\windows\enazabocukalibi.dll
c:\windows\eSellerateEngine.dll
c:\windows\scchost .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\eventmgr.exe
c:\windows\system32\halevilo.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mobsync .exe
c:\windows\system32\mstmon_q .exe
c:\windows\system32\nwiz .exe
c:\windows\system32\piwinala.dll.tmp
c:\windows\system32\rundll32 .exe
c:\windows\system32\sdra64.exe
c:\windows\system32\uZQEtNDuIS.dll
c:\windows\system32\vogawuza.dll
c:\windows\system32\YoItzVlad22222.tmp
c:\windows\tsnp2std .exe
c:\windows\vsnp2std .exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_6to4
-------\Service_Ias
-------\Service_Iprip
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-04 05:26 . 2010-04-04 05:29 -------- d-----w- C:\HijackThis
2010-03-28 01:40 . 2010-03-28 01:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-28 01:40 . 2010-03-28 01:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-22 23:14 . 2010-03-22 23:14 405581 ----a-w- C:\uro.exe
2010-03-21 22:02 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 22:02 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 22:02 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 22:02 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 22:02 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 22:02 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 22:02 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 22:01 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 22:01 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 22:01 . 2010-03-21 22:01 -------- d-----w- c:\program files\Alwil Software
2010-03-21 22:01 . 2010-03-21 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-19 03:08 . 2010-03-21 19:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 23:03 . 2010-03-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-14 20:20 . 2010-03-15 01:50 -------- d-sh--r- c:\documents and settings\s-slee42\Application Data\WindowsUpdate
2010-03-14 01:21 . 2010-03-21 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 20:38 . 2010-03-13 20:38 -------- d-----w- c:\program files\VS Revo Group
2010-03-13 18:36 . 2010-03-13 18:36 -------- d-----w- c:\documents and settings\s-slee42\Application Data\Uniblue
2010-03-12 22:41 . 2010-03-15 12:01 -------- d-----w- c:\windows\system32\WindowsUpdate
2010-03-12 20:07 . 2010-03-12 20:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-12 18:49 . 2008-04-13 19:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-12 18:49 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-12 18:48 . 2008-04-13 19:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-12 18:48 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-12 18:48 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-12 18:48 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-03-11 23:55 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 05:15 . 2006-01-13 19:48 -------- d-----w- c:\program files\Java
2010-04-04 05:15 . 2006-01-13 19:48 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 05:11 . 2008-12-03 03:32 -------- d-----w- c:\documents and settings\s-slee42\Application Data\Amazon
2010-04-04 05:11 . 2008-12-03 03:29 -------- d-----w- c:\program files\Amazon
2010-04-02 02:11 . 2008-10-02 01:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-02 00:13 . 2009-11-27 02:45 -------- d-----w- c:\program files\QuickTime
2010-03-26 02:17 . 2008-08-12 23:14 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 04:35 . 2010-03-25 04:35 348160 ----a-w- c:\documents and settings\s-slee42\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f6697f4-n\msvcr71.dll
2010-03-25 04:35 . 2010-03-25 04:35 61440 ----a-w- c:\documents and settings\s-slee42\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2221cc8c-n\decora-sse.dll
2010-03-25 04:35 . 2010-03-25 04:35 503808 ----a-w- c:\documents and settings\s-slee42\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f6697f4-n\msvcp71.dll
2010-03-25 04:35 . 2010-03-25 04:35 499712 ----a-w- c:\documents and settings\s-slee42\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f6697f4-n\jmc.dll
2010-03-25 04:35 . 2010-03-25 04:35 12800 ----a-w- c:\documents and settings\s-slee42\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2221cc8c-n\decora-d3d.dll
2010-03-25 04:27 . 2005-10-29 21:16 -------- d-----w- c:\program files\Google
2010-03-16 22:47 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-16 22:47 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-15 12:01 . 2010-01-24 00:36 -------- d-----w- c:\program files\Unlocker
2010-03-13 19:40 . 2010-02-08 23:52 120 ----a-w- c:\windows\Ekoxahozewujo.dat
2010-03-13 07:35 . 2010-02-08 23:52 0 ----a-w- c:\windows\Oyurikufikavupi.bin
2010-03-11 01:20 . 2010-03-11 01:20 9 ----a-w- c:\windows\system32\DROPPEDFILEOK1.tmp
2010-03-02 01:06 . 2009-10-22 20:47 143976 ----a-w- c:\documents and settings\s-slee42\Application Data\Move Networks\uninstall.exe
2010-03-02 01:05 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\s-slee42\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-03-02 01:05 . 2008-09-29 02:31 -------- d-----w- c:\documents and settings\s-slee42\Application Data\Move Networks
2010-03-02 01:05 . 2010-03-02 01:04 1794456 ----a-w- c:\documents and settings\s-slee42\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2010-02-25 01:21 . 2010-02-21 00:43 -------- d-----w- c:\program files\QuickMediaConverter
2010-02-25 01:18 . 2008-12-03 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-02-24 23:19 . 2010-02-24 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-02-22 04:45 . 2010-02-22 04:45 -------- d-----w- c:\program files\FLV Player
2010-02-21 00:46 . 2010-02-21 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickMediaConverter
2010-02-21 00:46 . 2010-02-21 00:46 -------- d-----w- c:\documents and settings\s-slee42\Application Data\Actecom
2010-02-20 22:38 . 2008-11-22 01:17 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-20 22:38 . 2008-11-22 01:17 -------- d-----w- c:\program files\AVS4YOU
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\documents and settings\s-slee42\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-30 16:44 . 2006-01-10 18:11 69040 ----a-w- c:\documents and settings\s-slee42\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 23:42 . 2010-01-12 23:46 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-12 23:42 . 2008-09-24 19:38 38784 ----a-w- c:\documents and settings\s-slee42\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2006-01-13 19:45 . 2007-09-26 20:20 3102 -c--a-w- c:\program files\user.id
.
CODE

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Logitech\Z-5 Speakers\z-5 speakers .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\Unlocker\unlockerassistant            .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\install\server .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"iTunesHelper"="d:\my music\Thasha's TREASURES\iTunesHelper.exe" [N/A]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-10-27 91440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:12d0ddd5e9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-237639\Scripts\Logon\0\0]
"Script"=\\Bsedom2\Scripts\login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-237639\Scripts\Logon\1\0]
"Script"=\\bsedom2\Scripts\qscale.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-237639\Scripts\Logon\2\0]
"Script"=\\bsedom2\Scripts\watershed.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-62165\Scripts\Logon\0\0]
"Script"=\\bsedom2\Scripts\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-62165\Scripts\Logon\1\0]
"Script"=\\bsedom2\Scripts\qscale.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-62165\Scripts\Logon\2\0]
"Script"=\\bsedom2\Scripts\watershed.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-492894223-682003330-62165\Scripts\Logon\3\0]
"Script"=\\bsedom2\Scripts\logon.bat
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKCU
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
d:\downloads\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\s-slee42\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
c:\docume~1\s-slee42\LOCALS~1\Temp\wintmpp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hematayipi]
vezurejo.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1350WStatusDisplay]
c:\windows\system32\MSTMON_Q.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lbemihumenesa]
c:\windows\upekoboxagijo.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]
c:\windows\scchost.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-12-05 06:41 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\raidhost]
raidhost.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Servic monitor]
c:\windows\servic.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
c:\windows\vsnp2std.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup]
c:\documents and settings\s-slee42\Application Data\Microsoft\svchost.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\towosihij]
c:\windows\system32\kogozeyo.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
c:\windows\scchost .exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Documents and Settings\\s-slee42\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\s-slee42\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\My Music\\Thasha's TREASURES\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 9:32 AM 15328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/21/2010 5:02 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/21/2010 5:02 PM 19024]
R2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [7/22/2003 2:44 AM 18848]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [11/12/2009 2:50 PM 220128]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1L2546HV-5X23-2256-PD3U-J6FL3KMOUV7R}]
2010-04-01 04:06 510029 ------w- c:\windows\system32\install\Crypted.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]
2006-02-19 19:23 509517 ------w- c:\windows\system32\install\server.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
LSP: CtxLsp.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\s-slee42\Application Data\Mozilla\Firefox\Profiles\w62t8003.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\s-slee42\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\s-slee42\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\s-slee42\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\s-slee42\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\downloads\Reader\browser\nppdf32.dll
FF - plugin: d:\my music\Thasha's TREASURES\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{cf9226cf-e009-4618-a588-f68c1caf4c22} - c:\windows\system32\vogawuza.dll
SharedTaskScheduler-{52606d11-eeff-4635-903b-13d16d085551} - c:\windows\system32\vogawuza.dll
SharedTaskScheduler-{26366ea4-8367-4e40-8a5e-acfd6a22ac9c} - c:\windows\system32\vogawuza.dll
SSODL-hesesujet-{cf9226cf-e009-4618-a588-f68c1caf4c22} - c:\windows\system32\vogawuza.dll
SSODL-tahowewow-{52606d11-eeff-4635-903b-13d16d085551} - c:\windows\system32\vogawuza.dll
SSODL-nideletew-{26366ea4-8367-4e40-8a5e-acfd6a22ac9c} - c:\windows\system32\vogawuza.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 22:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\CtxLsp.dll

- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-05 22:48:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 03:48

Pre-Run: 7,077,679,104 bytes free
Post-Run: 7,111,942,144 bytes free

- - End Of File - - 6A812CC3E6C1F77A85FB51DC1E83D1F2

I look forward to your reply and further suggestions on what else to do.

Thank you.

Sincerely,

Csea

Attached Files
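Reading a "Reg Loading Points" section like the one above by eye is slow, and the tells are easy to miss: a space before the extension ("server .exe"), a bare file name with no directory, a system-process name living under Application Data, a one-letter look-alike ("scchost"), or an executable started from a Temp folder. The following Python script is an added example, not part of this thread and not ComboFix's own code; it parses lines in the format ComboFix prints and lists the autorun entries a responder would look at first. The sample lines are copied from the log above, while the heuristics, the list of imitated process names and the look-alike threshold are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the ComboFix "Reg Loading Points" section;
# the paths are copied from the log above, the selection of lines is mine.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
c:\docume~1\s-slee42\LOCALS~1\Temp\wintmpp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hematayipi]
vezurejo.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup]
c:\documents and settings\s-slee42\Application Data\Microsoft\svchost.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
c:\windows\scchost .exe [N/A]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="image args" [info]  (Run-key style line)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# image [info]  (startupreg style line, no value name)
BARE_RE = re.compile(r"^(?P<value>\S.*?)\s+\[(?P<info>[^\]]*)\]\s*$")
# split "image.exe -args" into the image path and its arguments
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|bat|cmd|vbs|com))(?:\s+.*)?$", re.I)

# Process names that malware commonly imitates (assumed list, not taken from the log).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "smss.exe"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_loading_points(text):
    """Return (registry key, value name or None, image path, info) per autorun line."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value, info = m.group("name"), m.group("value"), m.group("info")
        else:
            m = BARE_RE.match(line)
            if not m:
                continue
            name, value, info = None, m.group("value"), m.group("info")
        im = IMAGE_RE.match(value)
        entries.append((key, name, im.group("path") if im else value, info))
    return entries


def suspicious_reasons(path):
    """Heuristic flags for one autorun image path (assumed rules, not ComboFix's)."""
    reasons = []
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if re.search(r"\s\.[a-z0-9]+$", name):
        reasons.append("whitespace before the file extension")
    if "\\" not in path and "/" not in path:
        reasons.append("bare file name, resolved via the loader search path")
    if name in SYSTEM_NAMES and not parent.endswith("\\windows\\system32"):
        reasons.append("system binary name outside %windir%\\system32")
    if name not in SYSTEM_NAMES:
        near = sorted(s for s in SYSTEM_NAMES if edit_distance(name, s) <= 2)
        if near:
            reasons.append("look-alike of " + ", ".join(near))
    if re.search(r"\\temp\\", path, re.I):
        reasons.append("executable under a Temp directory")
    return reasons


def triage(text):
    """Entries from the log that raise at least one heuristic flag."""
    findings = []
    for key, name, path, info in parse_loading_points(text):
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append({"key": key, "name": name, "path": path,
                             "info": info, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['path']}\n    under {f['key']}\n    -> " + "; ".join(f["reasons"]))
```

On the sample above the script flags six of the eight entries and leaves the two that look like ordinary vendor components (NvMcTray.dll, avastUI.exe) alone; each flag is only a reason to look closer, not a verdict, so the remaining step is still to check the file itself and its signer.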



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:37 AM

Posted 07 April 2010 - 10:26 PM

Hello.

Sorry for not responding earlier, for some reason I didn't see this topic.

Looks better but some more things need to be done.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the codebox below into it:
    CODE
    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Logitech\Z-5 Speakers\z-5 speakers .exe
    c:\program files\QuickTime\qttask     .exe
    c:\program files\Unlocker\unlockerassistant            .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe
    c:\windows\pchealth\helpctr\binaries\msconfig .exe
    c:\windows\system32\install\server .exe
    File::
    c:\windows\Ekoxahozewujo.dat
    c:\windows\Oyurikufikavupi.bin
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\towosihij]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hematayipi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Csea

Csea
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 08 April 2010 - 11:02 PM

Dear Extremeboy,

Attached is the ComboFix.txt generated with CFScript.

This is the detail of the scanned report from MalwareBytes Anti-Malware:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3970

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/8/2010 8:38:59 PM
mbam-log-2010-04-08 (20-38-59).txt

Scan type: Quick scan
Objects scanned: 115330
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1l2546hv-5x23-2256-pd3u-j6fl3kmouv7r} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{cg08b0e5jf-4fcb-11cf-aaa5-00401c6xx500} (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1l2546hv-5x23-2256-pd3u-j6fl3kmouv7r} (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{cg08b0e5jf-4fcb-11cf-aaa5-00401c6xx500} (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\install\Crypted.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\install\server.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ipripex.dll (Backdoor.Bot) -> Quarantined and deleted successfully.



Thank you once again and look forward to your reply.

Best regards,

Csea

Attached Files



#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:37 AM

Posted 09 April 2010 - 08:10 PM

Hello again,

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    :commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]
  4. Click the large button.
  5. If OTM requires a reboot, please allow it to do so.
  6. Copy/Paste the contents under the line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
    1. C:\uro.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

Then please run an online scan...

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Csea

Csea
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 11 April 2010 - 10:27 PM

Hi extremeboy,

These are the files/reports that you requested:


1. From OTM


All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (64424509440)
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 112094 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 55 bytes
->Flash cache emptied: 16897 bytes

User: s-slee42
->Temp folder emptied: 1812 bytes
->Temporary Internet Files folder emptied: 107084715 bytes
->Java cache emptied: 79470661 bytes
->FireFox cache emptied: 48028979 bytes
->Opera cache emptied: 41688911 bytes
->Flash cache emptied: 1929596 bytes

User: s-slee42.UNL-AD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 4532250 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 66340 bytes
RecycleBin emptied: 93140229 bytes

Total Files Cleaned = 359.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04092010_232117

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


2. From Online Scanner

File uro.exe received on 2010.04.10 04:35:10 (UTC)
Result: 9/39 (23.08%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.09 Trojan.Win32.Buzus!IK
AhnLab-V3 5.0.0.2 2010.04.09 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 Trojan/Win32.Buzus.gen
Authentium 5.2.0.5 2010.04.09 -
Avast 4.8.1351.0 2010.04.09 -
Avast5 5.0.332.0 2010.04.09 -
AVG 9.0.0.787 2010.04.09 Generic17.AMTM
BitDefender 7.2 2010.04.10 -
CAT-QuickHeal 10.00 2010.04.09 -
ClamAV 0.96.0.3-git 2010.04.10 -
Comodo 4552 2010.04.10 -
DrWeb 5.0.2.03300 2010.04.10 -
eSafe 7.0.17.0 2010.04.08 -
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.09 -
F-Secure 9.0.15370.0 2010.04.09 -
Fortinet 4.0.14.0 2010.04.08 -
GData 19 2010.04.10 -
Ikarus T3.1.1.80.0 2010.04.09 Trojan.Win32.Buzus
Jiangmin 13.0.900 2010.04.09 -
Kaspersky 7.0.0.125 2010.04.10 Trojan.Win32.Buzus.dqak
McAfee-GW-Edition 6.8.5 2010.04.09 -
Microsoft 1.5605 2010.04.09 -
NOD32 5014 2010.04.09 probably a variant of Win32/Injector.BDY
Norman 6.04.11 2010.04.09 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.09 -
PCTools 7.0.3.5 2010.04.10 -
Prevx 3.0 2010.04.10 High Risk Cloaked Malware
Rising 22.42.04.03 2010.04.09 -
Sophos 4.52.0 2010.04.10 -
Sunbelt 6159 2010.04.10 -
Symantec 20091.2.0.41 2010.04.10 W32.IRCBot
TheHacker 6.5.2.0.258 2010.04.09 -
TrendMicro 9.120.0.1004 2010.04.10 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.9.2269 2010.04.09 -
VirusBuster 5.0.27.0 2010.04.09 Trojan.Buzus.BGQK

Additional information
File size: 405581 bytes
MD5...: 08b9536a90fc7386524a741413c2866f
SHA1..: 83ce56ced8b2b7ba5506578d17ea23d0c3ebbc24
SHA256: 3c67a11d6634852123f68bb23eb333585e4754680bf446cc67126544402d0fc7
ssdeep: 6144:zd5WpvWCN9hHp2YDZITlYQwGYN3vLBw9hUeC1sw:JCN9hHp2YlIT7rY+7hCCw
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3150
timedatestamp.....: 0x4a3ab2ac (Thu Jun 18 21:33:32 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5dc4 0x5e00 6.51 edf99746478ec4f22d3f839540b0378e
.rdata 0x7000 0x129c 0x1400 5.05 e1b381c03cad2ee5a1d8b8d88a277d84
.data 0x9000 0x25c58 0x400 4.80 72224490b487b215a4fcfaa7237504f6
.ndata 0x2f000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x37000 0x5d10 0x5e00 5.54 7330698f49c808b21f26ca204f56d232

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Microsoft Visual Basic 6 (90.9%)
Win32 Executable Generic (6.1%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: EvITCBpbCZ
copyright....: uxA
product......: rGcdm
description..: RuZJEt
original name: FhneujcNR.exe
internal name: FhneujcNR
file version.: 3.43.0037
comments.....: zhyko
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=D8BA414B4D30FDB430C306AC05123D000E506AB1


3. From Kaspersky Webscanner


Note: I had a problem running the online scanner the first time on Saturday night. It was very slow and had only finished less than 10% after more than 1 hr. So I decided to let it run till the next morning. When I checked it at 7.30am, after more than 8 hours since I started, I was surprised to find that it had stopped running at 1 hr. 36 min and only 18% completed. When I tried to close it and open a new window, the computer froze and I had to force it to shut down.

I ran it the second time today and it took more than 4 hours 36 mins before it completed scanning. I had to disable the Avast antivirus when I ran the online scan through the night and this afternoon today. I am not sure whether any virus or spyware got into my computer during these times. I really hope not. Anyway, this is the report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, April 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, April 11, 2010 11:42:48
Records in database: 3935152
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 73094
Threats found: 9
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 04:26:45


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\s-slee42\Application Data\Microsoft\download.exe.vir Infected: Trojan.Win32.Buzus.dlpf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029849.exe Infected: Packed.Win32.Krap.gy 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029850.dll Infected: Backdoor.Win32.Agent.aopu 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029851.exe Infected: Packed.Win32.Krap.gy 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029852.exe Infected: Packed.Win32.Krap.gy 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029853.dll Infected: Trojan.Win32.Monder.ddly 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029854.exe Infected: Trojan.Win32.Tdss.azzn 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029855.exe Infected: Packed.Win32.Krap.gy 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0030174.exe Infected: Trojan.Win32.Scar.bypt 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP27\A0033740.exe Infected: Trojan.Win32.Buzus.dlpf 1
C:\uro.exe Infected: Trojan.Win32.Buzus.dqak 1
D:\My Received Files\Battle Ships.exe Infected: Trojan-GameThief.Win32.Lmir.jhm 1

Selected area has been scanned.



4. DSS reports are attached.




Overall, my computer is running well. The only problem I notice now is that the computer's task bar freezes for a few minutes after start up. I was not able to do anything on the task bar but I could click on the main window. The Windows start up tune only comes on after the task bar becomes active again. I wonder whether it is the doing of some virus/spyware still in my computer?

Anyway, looking forward to your reply soon. Thank you.


Sincerely,

Csea

Attached Files



#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 AM

Posted 12 April 2010 - 07:23 PM

Hello. It's looking good. Just some left over things we need to do here.

Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/307207/infected-with-serverexe-and-many-other-viruses/
  • Click Browse and select the C:\uro.exe file
  • Under the comments section, say that Extremeboy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.

Once you have uploaded that file to me, please go ahead and delete these two malicious files:

C:\uro.exe <- This file

D:\My Received Files\Battle Ships.exe <- This file

--
Update Java to Version 6 Update 19

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 19 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

The logs are looking good. I don't see any malware left; any other problems still? If all is good, we can wrap up next post.

#9 Csea

Csea
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:37 AM

Posted 12 April 2010 - 11:32 PM

Hi Extremeboy,

I have submitted the file c:\uro.exe and it was successfully sent.

When I tried to delete the uro.exe file, a message popped up saying it cannot be removed (or something to that effect) and the file disappeared. It was not found in the Recycle Bin or anywhere in the drives. Do you think that it has been deleted?

There was no problem getting rid of the other file D:\My Received Files\Battle Ships.exe.

I followed up with the download of the newer Java "JDK 6 Update 19 (JDK or JRE)" version before I uninstalled the older Java JRE version. I then installed the newer Java version offline. I also disabled the Java Quick Starter.

Finally, I did a quick scan with Avast and found 13 infected files, some of which were similar to those found with the Kaspersky online scan, and they were deleted.

Yes, the computer is working very much better than before I got your help. I appreciate it very much. What is your advice to maintain a clean computer free from viruses? Should I run the scan frequently? Or is there any other precaution that I should take constantly?

If you think that my computer is clean or "healthy", I would have no problem to close this topic. Once again, thank you for your invaluable assistance.

Sincerely,

Csea

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 AM

Posted 13 April 2010 - 03:15 PM

Hello again.

Firstly, I'm happy that your computer is better.

With regards to the uro.exe, if it's not there then it should be good. I wouldn't worry about it. Your logs are indeed looking good, so we can give you some prevention tips and let you go. What Kaspersky detected, and also probably what your Avast detected, were just infected system restore points and quarantine items from Combofix. I said those were fine, since we were going to uninstall Combofix and those will all be dealt with automatically. ;)

QUOTE
Yes, the computer is working very much better than before I got your help. I appreciated it very much. What is your advise to maintain a clean computer from viruses? Should I run the scan frequently? Or any other precaution that I should take constantly?

Yup, that's what I will talk about next, with the prevention/all-clean speech.

Good job on your side too, following instructions and getting the logs I need.

--
Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks

With Regards,
Extremeboy

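The triage in the reply above (hits inside the ComboFix quarantine and old System Restore points are inert copies; hits elsewhere are live files that still need deleting) can be applied mechanically to a Kaspersky Online Scanner report. The script below is an added example, not a BleepingComputer or Kaspersky tool; the sample lines are a subset copied from the report posted earlier in this topic.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "File name / Threat / Threats count"
# lines from the Kaspersky report posted above, in the scanner's own format.
SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP24\A0029850.dll Infected: Backdoor.Win32.Agent.aopu 1
C:\System Volume Information\_restore{128F9ED8-F533-4435-88F1-F3F3DC9878FC}\RP27\A0033740.exe Infected: Trojan.Win32.Buzus.dlpf 1
C:\uro.exe Infected: Trojan.Win32.Buzus.dqak 1
D:\My Received Files\Battle Ships.exe Infected: Trojan-GameThief.Win32.Lmir.jhm 1
"""

# One report line: <path> Infected: <threat name> <count>
# The path may contain spaces, so it is matched non-greedily up to " Infected: ".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify_path(path):
    """Bucket a detection by where the file sits on disk."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # ComboFix quarantine copy (.vir), not executable in place
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # old System Restore snapshot, removed when restore points are purged
    return "live"               # still at a normal path where it could run: needs action


def parse_report(text):
    """Return a list of dicts, one per detection line; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "category": classify_path(m.group("path")),
        })
    return hits


def summarize(hits):
    """Count detections per category."""
    return Counter(h["category"] for h in hits)


def live_hits(hits):
    """Paths that are neither quarantined nor in a restore point: the ones to delete."""
    return [h["path"] for h in hits if h["category"] == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for path in live_hits(found):
        print("live:", path)
```

Run against the full report in post #7, the "live" bucket contains exactly the two files the reply asked to delete, while the quarantine and restore-point entries are left for the ComboFix uninstall to clear.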

#11 Csea

Csea
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:37 AM

Posted 13 April 2010 - 10:02 PM

Hi Extremeboy,

I have cleaned up Combofix and OTC by following your instructions. I have also downloaded StartupLite. Thank you for your advice on ways to prevent malware and virus attacks.

I believe my computer is running well now. Thank you very much for a great job well done. Please go ahead and close off this topic.


Best regards,

Csea

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 AM

Posted 14 April 2010 - 08:13 PM

You're welcome.

Glad I could help out.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 AM

Posted 14 April 2010 - 08:14 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy



