Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't delete W32 ngvck


  • Please log in to reply
50 replies to this topic

#1 Colin Clarinet

Colin Clarinet

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 22 November 2010 - 07:12 AM

Can't delete this virus (for one)On restarting pc windows will not start in normal or safe only last known good config. so virus is back. Can anyone help please?

Hijack log att.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:41:28, on 22/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\FILMS\System32\smss.exe
C:\WINDOWS\FILMS\system32\winlogon.exe
C:\WINDOWS\FILMS\system32\services.exe
C:\WINDOWS\FILMS\system32\lsass.exe
C:\WINDOWS\FILMS\system32\svchost.exe
C:\WINDOWS\FILMS\System32\svchost.exe
C:\WINDOWS\FILMS\system32\svchost.exe
C:\WINDOWS\FILMS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\FILMS\system32\DVDRAMSV.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\FILMS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\FILMS\system32\HPZipm12.exe
C:\WINDOWS\FILMS\system32\ctfmon.exe
C:\WINDOWS\FILMS\system32\rundll32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\FILMS\system32\cryptainersrv.exe
C:\WINDOWS\FILMS\system32\svchost.exe
C:\WINDOWS\FILMS\System32\StkASv2K.exe
C:\WINDOWS\FILMS\system32\spnsrvnt.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\JAVA\JRE6\bin\java.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\FILMS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\FILMS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{00F5052F-65CF-65FB-25F7-2423EBE155B3}] "C:\Documents and Settings\Colin New\Application Data\Mayns\quvo.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Startup: wgksveph.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\FILMS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\FILMS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20Solitaire/Images/stg_drm.ocx
O16 - DPF: {1B735B98-8010-11D5-AD0B-00500463D885} (SearchCD Control) - http://www.partsarena.net/wolseley/Plugins/IMIESRCHie7.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} (GrafixViewControl) - http://www.partsarena.net/wolseley/Plugins/GFXVIEW.cab
O16 - DPF: {4FEE6316-7B6F-4A6C-BD4E-4157C59A9E9D} (Ovi maps browser plugin) - http://static.s2g.gate5.de/ovi_maps/OviMaps_4.0.12.12.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231514148593
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Solitaire/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\FILMS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\FILMS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BestSync Service (BestSyncSvc) - Unknown owner - D:\Program Files\RiseFly\BestSync 2009\BestSyncSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COSIDS_TB - Unknown owner - D:\PROGRA~1\COSIDS\BIN\TbMux32.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\FILMS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Program Files\isposure\IsposureAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\FILMS\system32\nvsvc32.exe
O23 - Service: PCPitstop Scheduling - Unknown owner - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\FILMS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\FILMS\system32\cryptainersrv.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\FILMS\System32\StkASv2K.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\FILMS\system32\spnsrvnt.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 16525 bytes

Attached Files


Edited by Noviciate, 22 November 2010 - 03:23 PM.


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:28 PM

Posted 01 December 2010 - 02:20 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:

cXfZ4wS.png


#3 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 01 December 2010 - 05:39 PM

Hi, and thanks for your offer to help, yes I still need it! I have run DDS and saved log, and now waiting for GMER. First time I ran it, this morning, it became unresponsive after a couple of hours, PC froze, only way out was reset button. Second attempt after 5 mins PC rebooted itself, now its been running for about 6 hours but seems to be running ok, I will post again as soon as it's done, just thought I had better make contact. Sorry it's taking so long.

Thanks for your help.

Colin

#4 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 01 December 2010 - 07:11 PM

Hi, scans finished, here are the logs thanks:
Attached File  DDS.txt   20.66KB   1 downloadsAttached File  Attach.txt   14.7KB   1 downloadsAttached File  gmer log.log   128.22KB   3 downloads

#5 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:12:28 PM

Posted 02 December 2010 - 09:41 PM

Welcome to BC :)

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Microsoft MVP Consumer Security--2007-2010

#6 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 03 December 2010 - 07:00 AM

hi thanks for your help, i cant seem to copy and paste anything, also i cant see what i am typing so i dont know if this is comming out or not
colinhhhh

(Edit)Just checked on laptop, when typing on pc no text was comming up on screen although as you can see it came out. Also have not been able to copy/paste anything so can only att. things.
Thanks
Colin

Attached Files

  • Attached File  log.txt   20.12KB   5 downloads

Edited by Colin Clarinet, 03 December 2010 - 07:10 AM.


#7 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:12:28 PM

Posted 03 December 2010 - 11:18 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic362267.html/page__pid__2041602#entry2041602

Collect::[70]
c:\program files\win\2.exe
C:\wgksveph.exe
Folder::
c:\program files\win
c:\documents and settings\Colin New\Application Data\Conoyz
c:\documents and settings\Colin New\Application Data\Ecow
c:\documents and settings\Colin New\Application Data\Zyla
c:\documents and settings\Colin New\Application Data\Riba
c:\documents and settings\Colin New\Application Data\Opore
c:\documents and settings\Colin New\Application Data\Woeq
c:\documents and settings\Colin New\Application Data\Vyidyb
c:\documents and settings\Colin New\Application Data\Mayns
c:\documents and settings\Colin New\Application Data\Ubxav
c:\documents and settings\Colin New\Application Data\Alvi
c:\documents and settings\Colin New\Application Data\Golo
c:\documents and settings\Colin New\Application Data\Sidi
c:\documents and settings\Colin New\Application Data\Yvlyn
c:\documents and settings\Colin New\Application Data\Uqko
c:\documents and settings\Colin New\Application Data\Axylo
c:\documents and settings\Colin New\Application Data\RiseFly
c:\documents and settings\Colin New\Application Data\Huys
c:\documents and settings\Colin New\Application Data\Bizi
c:\documents and settings\Colin New\Application Data\Nidi
c:\documents and settings\Colin New\Application Data\Feve
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{00F5052F-65CF-65FB-25F7-2423EBE155B3}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rap"=-
DirLook::
c:\windows\FILMS
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image\
Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Note:Please do not use this script on another computer, you may damage the system. The script is made especially for this computer only!!!!

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


Note!!!! I attached the script too just in case you still can't copy and paste. This script is custom for the following user. Using this script on another computer could damage it and i will not be responsible.

Attached Files


Microsoft MVP Consumer Security--2007-2010

#8 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 03 December 2010 - 12:07 PM

Started to run combofix and it's just come up ,"there is a newer version do i want to update"?
I clicked no and it's running.

Colin

Edited by Colin Clarinet, 03 December 2010 - 12:20 PM.


#9 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 03 December 2010 - 01:28 PM

Combofix ran and I got a message "webserver appears to be temporally inaccessable" File save At C:\CF-Submit.htm. Where\how can I submit this now.
The log txt file was too large to Attach.

Thanks

Colin

#10 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:12:28 PM

Posted 03 December 2010 - 02:07 PM

Please upload that file here --> http://www.bleepingcomputer.com/submit-malware.php?channel=70


The file will be located here C:\ComboFix\Quarantine\Submit 1203****.zip. Let me know if you can't find it. Can you try and couple and paste the log to a few posts?
Microsoft MVP Consumer Security--2007-2010

#11 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 03 December 2010 - 02:48 PM

Combofix folder was empty, found this zip file at C:\Qoobox\Quarantine and have uploaded it. Please let me know if incorrect.
Still can't copy\paste or split log file so will try and copy to laptop and edit from there if possible.

Thank you

Colin

#12 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:12:28 PM

Posted 03 December 2010 - 03:14 PM

go ahead and run ComboFix again, but make sure you allow it to update. In your next reply, please post the log.


==================================



Posted Image Please download Malwarebytes' Anti-Malware from Here.



Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
Microsoft MVP Consumer Security--2007-2010

#13 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 03 December 2010 - 03:36 PM

1st part of log file att.

Attached Files

  • Attached File  1.txt   201.38KB   5 downloads


#14 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:12:28 PM

Posted 03 December 2010 - 04:51 PM

This folder is a little troubling.

c:\windows\FILMS

Did you run ComboFix some othertime before?
Microsoft MVP Consumer Security--2007-2010

#15 Colin Clarinet

Colin Clarinet
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 03 December 2010 - 06:47 PM

Malwarebytes log att. didn't find anything. Combofix found rootkit activity C:\documents and settings\colin new\application data\conoyz\xyus.exe
rebooted pc
when finished waring box: Error saving file C:\combofix\hiv\software. Continue to next file Yes/No [Reg save key ex:1016-an Io/opperation inhibated by the registry failed unrecoverable. The registry could not read in, or write out, or flush one of thr files that contain the systems image of the registry]

Yes I have run combofix about 10 days ago, looking on a website and advised to run with ad-aware and superantispyware before posting.

C:\windows\films is I think the folder my main opperating system is in (XP)



Sorry to be such a pain in the rear!

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users