
Google redirect making life miserable



#1 country lane (Members, 8 posts)

Posted 15 April 2011 - 10:12 AM

Hi,

I hope this is the right place to post, and you guys can come to the rescue.

Hi there,

As it says in the heading, I'm afraid I'm another one struck down with the 'Google redirect' virus, which points me to licosearch.

It does not allow me to download various '.exe' files or visit a range of sites including bleepingcomputer, so I am having to log into my works network from home.

I have followed the common processes that are consistently recommended on other sites and forums, but cannot get rid of it.

I have checked manually the files under system32 and devices, but do not have the corrupt files or text others refer to.

I then downloaded rkill.exe, followed by Spybot's 'Search and Destroy', but neither of these worked either.

I've got to the stage now that I don't know what to do next and don't want to risk trying something that will kill my computer, so would be grateful for assistance in getting rid of what is the worst virus I've had to deal with. I should also point out that I have run Kaspersky's KPSS but no luck there either.

#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 15 April 2011 - 10:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact that you are running a 64-bit machine, please run the following tool and post its log.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.



Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 country lane (Topic Starter, Members, 8 posts)

Posted 16 April 2011 - 06:22 AM

Hi Fireman,

Thanks for your reply.

You have to bear with me also, as the virus is restricting what I can and can't do. For example, I cannot access the Bleeping Computer website and have to remote into my work network, which also has its own firewall restricting what I can and can't do, such as downloading files etc.

As an example, this is the error message when I try to access your site:

'Unable to connect
Firefox can't establish a connection to the server at www.bleepingcomputer.com

* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.'

In answer to some of your points:

  • I do not have the original Windows CD/DVD.
  • I have outlined above the steps I have taken, but please let me know if you need more detail.
  • Searches are all redirected, primarily to licosearch.

I am not a techie, but I'll do my best to follow your instructions.

Below are the results of the DDS scan:



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10:08:36.49 on 16/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.495.123 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.pif
C:\WINDOWS\System32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {ff365cdc-88fe-4ffa-a3f3-357855231dfa} - c:\program files\puredefmusic\toolbar\1.bin\p3SrcAs.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\lcocmrdv\tigowumm.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Toolbar BHO: {e30a55b1-f1b7-43a4-b3f6-ec90cdc4fe60} - c:\program files\puredefmusic\toolbar\1.bin\p3bar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: PureDef Music Toolbar: {e30a55b9-f1b7-43a4-b3f6-ec90cdc4fe60} - c:\program files\puredefmusic\toolbar\1.bin\p3bar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [ccleaner] "d:\ccleaner\ccleaner.exe" /AUTO
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PureDef Music Plugin] rundll32 c:\progra~1\purede~1\toolbar\1.bin\p3Plugin.dll,UPF
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
IE: &Search - http://edits.mywebsearch.com/menusearch.jhtml?s=4&p=YD&si=&a=79E90918-8875-45B7-951F-73549393402F&n=2010061304
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: c00EC464 - c00EC464.mat
Notify: igfxcui - igfxsrvc.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: wvUnLCVn - wvUnLCVn.dll
Notify: xxyxYrQk - xxyxYrQk.dll
AppInit_DLLs: ms32clod.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUlJcAT
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\r1sztw7u.default\
FF - prefs.js: browser.search.selectedEngine - PureDef Music
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://results.myway.com/dft_redir.jhtml?id=YD&ptb=79E90918-8875-45B7-951F-73549393402F&ind=2010061304&ptnrS=YD&si=&n=&psa=&st=kwd&searchfor=
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPp3Stub.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} - %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
FF - Ext: Black Steel: {e2c58150-9d72-11dd-ad8b-0800200c9a66} - %profile%\extensions\{e2c58150-9d72-11dd-ad8b-0800200c9a66}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
.
=============== Created Last 30 ================
.
2011-04-13 11:58:57 -------- dc----w- c:\program files\Spybot - Search & Destroy
2011-04-12 20:28:53 -------- dc----w- c:\program files\lcocmrdv
2011-03-19 10:14:34 -------- dc----w- c:\docume~1\alluse~1\applic~1\Citrix
2011-03-19 10:13:54 -------- dc----w- c:\docume~1\admini~1\locals~1\applic~1\Citrix
2011-03-19 10:13:54 -------- dc----w- c:\docume~1\admini~1\applic~1\ICAClient
2011-03-19 10:13:30 -------- dc----w- c:\program files\Citrix
.
==================== Find3M ====================
.
2011-02-04 13:00:03 73728 -c--a-w- c:\windows\system32\javacpl.cpl
2011-02-04 13:00:02 472808 -c--a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 10:10:35.43 ===============
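To show what a responder looks for in the "Pseudo HJT Report" section of a DDS log like the one above, here is an added example (not part of this thread, of DDS, or of any BleepingComputer tool) that triages the persistence entries: it flags anything beyond the stock Winlogon Userinit and LSA Authentication Packages values, any AppInit_DLLs entry, random-looking Winlogon Notify package names, Trusted Zone additions, and DPF entries that use the ms-its:/mhtml:/file: handlers. The sample lines are copied from the posted log (joined where the forum wrapped them); the KNOWN_NOTIFY list and the thresholds in looks_random are assumptions, not anything DDS itself uses.

```python
"""Triage persistence entries in a DDS "Pseudo HJT Report" (added example).
It reports what deviates from a stock Windows XP configuration so a responder
can review those entries first; it does not by itself decide what is malicious.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Stock XP values: one Userinit executable, one LSA authentication package.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
STOCK_AUTH_PACKAGES = {"msv1_0"}
# Winlogon Notify packages commonly present on clean XP machines (assumed list).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule",
                "sclgntfy", "termsrv", "wlballoon", "igfxcui", "avgrsstarter",
                "sebring"}


@dataclass
class Finding:
    category: str
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: a mixed-case name of 6+ characters with at most one
    vowel (wvUnLCVn, xxyxYrQk, c00EC464) looks machine-generated."""
    if len(name) < 6:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    mixed = any(c.islower() for c in name) and any(c.isupper() for c in name)
    return mixed and vowels <= 1


def triage(report: str) -> list[Finding]:
    """Walk the report line by line and collect entries worth reviewing."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("mWinlogon:") and "Userinit=" in line:
            value = line.split("Userinit=", 1)[1]
            entries = [e.strip().lower() for e in value.split(",") if e.strip()]
            extra = [e for e in entries if e != STOCK_USERINIT]
            if extra:
                findings.append(Finding("winlogon_userinit", line,
                                        f"extra Userinit executable(s): {extra}"))
        elif line.startswith("Notify:"):
            m = re.match(r"Notify:\s*(\S+)\s*-\s*(.+)$", line)
            if m and m.group(1).lower() not in KNOWN_NOTIFY and looks_random(m.group(1)):
                findings.append(Finding("winlogon_notify", line,
                                        "random-looking Winlogon Notify package name"))
        elif line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # the stock value is empty
                findings.append(Finding("appinit_dlls", line,
                                        f"AppInit_DLLs is normally empty, found {value}"))
        elif line.startswith("LSA: Authentication Packages"):
            value = line.split("=", 1)[1]
            extra = [p for p in value.split() if p.lower() not in STOCK_AUTH_PACKAGES]
            if extra:
                findings.append(Finding("lsa_auth_packages", line,
                                        f"extra authentication package(s): {extra}"))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding("trusted_zone", line,
                                    "site added to IE's Trusted Zone (stock list is empty)"))
        elif line.startswith("DPF:") and " - " in line:
            target = line.split(" - ", 1)[1]
            if re.match(r"(ms-its|mhtml|file):", target, re.IGNORECASE):
                findings.append(Finding("dpf_protocol", line,
                                        "ActiveX download entry uses a local/help-file protocol handler"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


# Sample lines copied from the DDS log posted above (joined where the forum
# wrapped them); the first two are benign and are left alone.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\lcocmrdv\tigowumm.exe,
Trusted Zone: amaena.com
Trusted Zone: virusremover2008.com
DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
Notify: avgrsstarter - avgrsstx.dll
Notify: c00EC464 - c00EC464.mat
Notify: igfxcui - igfxsrvc.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: wvUnLCVn - wvUnLCVn.dll
Notify: xxyxYrQk - xxyxYrQk.dll
AppInit_DLLs: ms32clod.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUlJcAT
"""
```

Running `triage(SAMPLE_REPORT)` yields nine findings across six categories; the Trusted Zone list in the real log is much longer and every entry is reported the same way.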

#4 country lane (Topic Starter, Members, 8 posts)

Posted 16 April 2011 - 06:24 AM

And here are the results from the MBRCheck scan:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF7CBE000 \WINDOWS\system32\KDCOM.DLL
0xF7BCE000 \WINDOWS\system32\BOOTVID.dll
0xF776F000 ACPI.sys
0xF7CC0000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF775E000 pci.sys
0xF77BE000 isapnp.sys
0xF7BD2000 compbatt.sys
0xF7BD6000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF7D86000 pciide.sys
0xF7A3E000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7CC2000 intelide.sys
0xF7740000 pcmcia.sys
0xF77CE000 MountMgr.sys
0xF7721000 ftdisk.sys
0xF7CC4000 dmload.sys
0xF76FB000 dmio.sys
0xF7A46000 PartMgr.sys
0xF77DE000 VolSnap.sys
0xF76E3000 atapi.sys
0xF77EE000 disk.sys
0xF77FE000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF76C4000 fltmgr.sys
0xF76B2000 sr.sys
0xF780E000 PxHelp20.sys
0xF769B000 KSecDD.sys
0xF7688000 WudfPf.sys
0xF75FB000 Ntfs.sys
0xF75CE000 NDIS.sys
0xF7BDA000 TVALZ.SYS
0xF75B3000 Mup.sys
0xF6F0E000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
0xF6EFA000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF7BC6000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF6ED7000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7A66000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF6CBB000 \SystemRoot\System32\DRIVERS\w29n51.sys
0xF6C95000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF799E000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7A6E000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF6C7D000 \SystemRoot\System32\DRIVERS\Apfiltr.sys
0xF7A76000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79AE000 \SystemRoot\System32\DRIVERS\serial.sys
0xF757B000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF6C69000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7577000 \SystemRoot\System32\Drivers\cdrbsvsd.SYS
0xF79BE000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF79CE000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF79DE000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF6C46000 \SystemRoot\System32\DRIVERS\ks.sys
0xF7A7E000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF6C0D000 \SystemRoot\system32\drivers\stac97.sys
0xF6BE9000 \SystemRoot\system32\drivers\portcls.sys
0xF79EE000 \SystemRoot\system32\drivers\drmk.sys
0xF6B23000 \SystemRoot\System32\DRIVERS\LTSM.sys
0xF7A86000 \SystemRoot\System32\Drivers\Modem.SYS
0xF756B000 \SystemRoot\System32\DRIVERS\CmBatt.sys
0xF79FE000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF7DB5000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF7A0E000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7C52000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6B0C000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF7A1E000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF7A2E000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7A8E000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF6AFB000 \SystemRoot\System32\DRIVERS\psched.sys
0xF783E000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7A96000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7A9E000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF6ACA000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF784E000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7D22000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF6A96000 \SystemRoot\System32\DRIVERS\update.sys
0xF7C6E000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xEE9FD000 \SystemRoot\system32\drivers\ialmkchw.sys
0xEE9DF000 \SystemRoot\system32\drivers\ialmsbw.sys
0xF78CE000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7083000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7D24000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7D2E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DFA000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D30000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7AC6000 \SystemRoot\System32\drivers\vga.sys
0xF7D32000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D34000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7ACE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7AD6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6F42000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xEE915000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xEE8BD000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xEE895000 \SystemRoot\System32\DRIVERS\netbt.sys
0xEE873000 \SystemRoot\System32\drivers\afd.sys
0xF7073000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF7D36000 \SystemRoot\System32\Drivers\TMEI3E.SYS
0xEE848000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xEE7D9000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF7053000 \SystemRoot\System32\Drivers\Fips.SYS
0xEE7B8000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF7043000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xEE78C000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
0xB5EC4000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB5EAC000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7CD0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEB6AD000 \SystemRoot\System32\drivers\Dxapi.sys
0xEBB76000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xF7DBA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9E3000 \SystemRoot\System32\ialmdnt5.dll
0xBF9D5000 \SystemRoot\System32\ialmrnt5.dll
0xBFA05000 \SystemRoot\System32\ialmdev5.DLL
0xBFA36000 \SystemRoot\System32\ialmdd5.DLL
0xF6F54000 \SystemRoot\System32\DRIVERS\AegisP.sys
0xEE950000 \SystemRoot\System32\DRIVERS\mdc8021x.sys
0xEE94C000 \SystemRoot\System32\DRIVERS\s24trans.sys
0xEE723000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xEE71F000 \SystemRoot\System32\DRIVERS\netdevio.sys
0xB5E2F000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xB7013000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB5E2B000 \SystemRoot\System32\Drivers\MASPINT.SYS
0xB5D3D000 \SystemRoot\System32\DRIVERS\srv.sys
0xB5C60000 \SystemRoot\system32\drivers\wdmaud.sys
0xEE6EB000 \SystemRoot\system32\drivers\sysaudio.sys
0xB59A5000 \SystemRoot\System32\Drivers\HTTP.sys
0xB57B7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB9B42000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
0xB4F43000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
752 C:\WINDOWS\system32\smss.exe
800 C:\WINDOWS\system32\csrss.exe
824 C:\WINDOWS\system32\winlogon.exe
868 C:\WINDOWS\system32\services.exe
880 C:\WINDOWS\system32\lsass.exe
1028 C:\WINDOWS\system32\svchost.exe
1104 C:\WINDOWS\system32\svchost.exe
1144 C:\WINDOWS\system32\svchost.exe
1180 C:\WINDOWS\system32\svchost.exe
1260 C:\WINDOWS\system32\S24EvMon.exe
1324 C:\WINDOWS\system32\svchost.exe
1480 C:\WINDOWS\system32\svchost.exe
1716 C:\WINDOWS\system32\spoolsv.exe
1812 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1836 C:\Program Files\Creative\Shared Files\CTDevSrv.exe
1928 C:\Program Files\Java\jre6\bin\jqs.exe
1992 C:\WINDOWS\system32\RegSrvc.exe
204 C:\WINDOWS\system32\svchost.exe
596 C:\WINDOWS\system32\alg.exe
1392 C:\WINDOWS\explorer.exe
1520 C:\Program Files\Internet Explorer\iexplore.exe
1636 C:\WINDOWS\system32\svchost.exe
1424 C:\Program Files\Internet Explorer\iexplore.exe
1444 C:\Program Files\Internet Explorer\iexplore.exe
2248 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
2276 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2292 C:\Program Files\iTunes\iTunesHelper.exe
2344 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2428 C:\Program Files\Citrix\ICA Client\concentr.exe
2464 C:\WINDOWS\system32\ctfmon.exe
2500 C:\Program Files\Messenger\msmsgs.exe
2532 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
2556 C:\Program Files\Creative\Software Update 3\SoftAuto.exe
2596 C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
2684 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2996 C:\Program Files\iPod\bin\iPodService.exe
3180 C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
3344 C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
3416 C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
2116 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
2540 C:\WINDOWS\system32\rundll32.exe
532 C:\Program Files\Microsoft Office\Office\WINWORD.EXE
4064 C:\WINDOWS\system32\notepad.exe
1160 C:\WINDOWS\system32\notepad.exe
3960 C:\PROGRA~1\Citrix\ICACLI~1\wfica32.exe
3868 \Device\HarddiskVolume3\Administrator.exe
2176 C:\Documents and Settings\Administrator\Administrator.exe
3352 C:\Program Files\Mozilla Firefox\firefox.exe
3680 C:\Documents and Settings\Administrator\My Documents\Downloads\MBRCheck(2).exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000004`a8537e00 (FAT32)

PhysicalDrive0 Model Number: IC25N040ATMR04-0, Rev: MO2OAD4A

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Done!

#5 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 16 April 2011 - 09:56 AM

Hello,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

You can try and do this in Safe Mode with Networking. If that doesn't work then you will have to download ComboFix to a good machine and transfer it to the bad machine.



Now reboot into Safe Mode with Networking.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option with networking support.
Please see here for additional details.


1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 April 2011 - 12:20 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#7 country lane

country lane
  • Topic Starter

  • Members
  • 8 posts

Posted 20 April 2011 - 10:56 AM

Hi Fireman,

Don't worry, I'm still here :busy: Just didn't get a chance to try the fix until last night.

I ran combofix, but no luck with removing the redirect.

My computer wouldn't switch to safe mode by tapping F8, and it was even looking as if it wasn't going to start up at all for much of it. I managed to switch it to safe mode via msconfig, though could not see an option for 'safe mode with networking'.

Here are the results from combofix:



ComboFix 11-04-17.02 - Administrator 19/04/2011 20:54:58.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.495.301 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.SKILLSD2\WINDOWS
c:\documents and settings\Administrator\Administrator.exe
c:\documents and settings\Administrator\Application Data\MiniDm
c:\documents and settings\Administrator\Application Data\MiniDm\conf.ini
c:\documents and settings\Administrator\Application Data\MiniDm\history.dat
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\program files\Mozilla Firefox\chrome\p3ffxtbr.jar
c:\program files\Mozilla Firefox\chrome\p3ffxtbr.manifest
c:\program files\Mozilla Firefox\plugins\NPp3Stub.dll
c:\program files\puredefmusic\toolbar
c:\program files\puredefmusic\toolbar\1.bin\LOGO.BMP
c:\program files\puredefmusic\toolbar\1.bin\NPp3Stub.dll
c:\program files\puredefmusic\toolbar\1.bin\p3bar.dll
c:\program files\puredefmusic\toolbar\1.bin\p3barsvc.exe
c:\program files\puredefmusic\toolbar\1.bin\p3ffxtbr.jar
c:\program files\puredefmusic\toolbar\1.bin\p3ffxtbr.manifest
c:\program files\puredefmusic\toolbar\1.bin\p3highin.exe
c:\program files\puredefmusic\toolbar\1.bin\p3Plugin.dll
c:\program files\puredefmusic\toolbar\Cache\00014BA6
c:\program files\puredefmusic\toolbar\Cache\00019653.bmp
c:\program files\puredefmusic\toolbar\Cache\00019906.bmp
c:\program files\puredefmusic\toolbar\Cache\00019A6F.bmp
c:\program files\puredefmusic\toolbar\Cache\00019BE1.bmp
c:\program files\puredefmusic\toolbar\Cache\00019E08.bmp
c:\program files\puredefmusic\toolbar\Cache\00019F52.bmp
c:\program files\puredefmusic\toolbar\Cache\0001A0C5.bmp
c:\program files\puredefmusic\toolbar\Cache\0001A35A.bmp
c:\program files\puredefmusic\toolbar\Cache\files.ini
c:\program files\puredefmusic\toolbar\History\search3
c:\program files\puredefmusic\toolbar\Settings\prevcfg2.htm
c:\program files\puredefmusic\toolbar\Settings\s_pid.dat
c:\program files\WinRAR\rarext.dll
c:\windows\ST6UNST.000
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\NWFgQqss.ini
c:\windows\system32\Packet.dll
c:\windows\system32\pst.dat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\TAcJlUtv.ini
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\twain_16.dll
D:\eXplorer.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
2011-04-13 11:58 . 2011-04-13 12:00 -------- dc----w- c:\program files\Spybot - Search & Destroy
2011-04-12 20:28 . 2011-04-19 20:18 -------- dc----w- c:\program files\lcocmrdv
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 13:00 . 2011-02-04 13:00 73728 -c--a-w- c:\windows\system32\javacpl.cpl
2011-02-04 13:00 . 2011-02-04 13:00 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2010-10-12 16:33 . 2010-10-12 16:33 124344 -c----w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 18:15 . 2010-10-12 18:15 13240 -c----w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 16:37 . 2010-10-12 16:37 70592 -c----w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 16:35 . 2010-10-12 16:35 91576 -c----w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 16:34 . 2010-10-12 16:34 22464 -c----w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 16:32 . 2010-10-12 16:32 255416 -c----w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 16:35 . 2010-10-12 16:35 31672 -c----w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 16:34 . 2010-10-12 16:34 40384 -c----w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-07-14 12:42 . 2010-07-14 12:42 898480 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 16:37 . 2010-10-12 16:37 24000 -c----w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"ccleaner"="d:\ccleaner\ccleaner.exe" [2010-08-26 1779512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 598410]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\lcocmrdv\tigowumm.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 15:49 110592 ----a-w- c:\windows\system32\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
2001-06-23 19:28 24576 -c--a-w- c:\windows\system32\000StTHK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2004-03-29 09:39 253952 -c--a-w- c:\windows\system32\00THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-10-30 13:46 369157 -c--a-r- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 16:21 169328 -c--a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-01-26 16:03 118784 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-01-26 16:03 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 -c----w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
2003-04-18 08:06 32768 -c--a-w- c:\windows\ltsmmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:56 1667584 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-12-10 01:36 262510 -c--a-w- c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 598410 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 22:32 229739 -c----w- c:\program files\REGSHAVE\REGSHAVE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]
2003-08-03 14:01 86073 -c--a-w- c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2004-03-24 10:56 295325 -c--a-w- c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-04-27 06:19 32881 -c--a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
2003-12-02 11:15 73728 -c--a-r- c:\windows\system32\TFNF5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMERzCtl.EXE]
2003-10-28 13:38 258475 -c--a-w- c:\program files\Toshiba\TME3\TMERzCtl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMESRV.EXE]
2004-04-13 10:54 303511 -c--a-w- c:\program files\Toshiba\TME3\TMESRV31.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2003-09-05 02:24 242155 -c--a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2003-03-11 12:56 122880 -c--a-w- c:\program files\Toshiba\TouchED\TouchED.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2004-03-30 09:30 266240 -c--a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 09:18 3660848 -c--a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 213963 -c--a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Tmesrv"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"DefWatch"=2 (0x2)
"CFSvcs"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Basics Service"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"aawservice"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20758:TCP"= 20758:TCP:port
"18602:TCP"= 18602:TCP:port
.
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [14/07/2010 13:51 65584]
S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [27/04/2004 07:56 5760]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 11:50]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 16:41]
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 16:41]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246340514-469389927-2469049192-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-19 13:01]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246340514-469389927-2469049192-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-19 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
Trusted Zone: amaena.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\r1sztw7u.default\
FF - prefs.js: browser.search.selectedEngine - PureDef Music
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://results.myway.com/dft_redir.jhtml?id=YD&ptb=79E90918-8875-45B7-951F-73549393402F&ind=2010061304&ptnrS=YD&si=&n=&psa=&st=kwd&searchfor=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} - %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
FF - Ext: Black Steel: {e2c58150-9d72-11dd-ad8b-0800200c9a66} - %profile%\extensions\{e2c58150-9d72-11dd-ad8b-0800200c9a66}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{FF365CDC-88FE-4ffa-A3F3-357855231DFA} - c:\program files\puredefmusic\toolbar\1.bin\p3SrcAs.dll
BHO-{E30A55B1-F1B7-43a4-B3F6-EC90CDC4FE60} - c:\program files\puredefmusic\toolbar\1.bin\p3bar.dll
Toolbar-Locked - (no file)
Toolbar-{E30A55B9-F1B7-43a4-B3F6-EC90CDC4FE60} - c:\program files\puredefmusic\toolbar\1.bin\p3bar.dll
WebBrowser-{E30A55B9-F1B7-43A4-B3F6-EC90CDC4FE60} - c:\program files\puredefmusic\toolbar\1.bin\p3bar.dll
HKLM-Run-PureDef Music Plugin - c:\progra~1\PUREDE~1\toolbar\1.bin\p3Plugin.dll
Notify-avgrsstarter - avgrsstx.dll
Notify-c00EC464 - c00EC464.mat
Notify-wvUnLCVn - wvUnLCVn.dll
Notify-xxyxYrQk - xxyxYrQk.dll
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-TFncKy - TFncKy.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
AddRemove-InstallShield_{48B0F38D-1913-44F3-99AA-D4C55A2B038E} - c:\program files\InstallShield Installation Information\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 21:18
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\tigowumm.exe 173419 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1246340514-469389927-2469049192-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,24,df,98,48,e9,34,49,bb,fb,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,01,5c,6b,8a,e0,5e,40,91,23,91,\
.
[HKEY_USERS\S-1-5-21-1246340514-469389927-2469049192-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1246340514-469389927-2469049192-500\Data\e161255a-37c3-11d2-bcaa-00c04fd929db\e161255a-37c3-11d2-bcaa-00c04fd929db]
@DACL=(02 0000)
"Display String"="Internet Explorer"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(240)
c:\windows\System32\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(920)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-04-19 21:30:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-19 20:30
.
Pre-Run: 4,716,290,048 bytes free
Post-Run: 4,660,383,744 bytes free
.
- - End Of File - - 1535FE3D8E36E4C70503A9B470C39665

Just so you know, I've got to go into hosp tomorrow, so if you don't hear from me for a couple of days please don't close the call.

Cheers mate
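The ComboFix log above carries the indicators a helper picks out by eye: an extra program appended to the Winlogon Userinit value (so it runs at every logon), a list of rogue-antivirus domains added to Internet Explorer's Trusted Zone, a DPF (ActiveX download) entry whose source is an ms-its: CHM path instead of a web URL, hijacked Firefox search prefs, and a hidden executable in the Startup folder that the catchme scan found. The Python script below is an added example, not code from this thread, from ComboFix or from BleepingComputer; it extracts those indicators from a log in this format so they can be reviewed together. The sample log is constructed from a few lines of the log posted above, and the function names and the EXPECTED_USERINIT constant are this example's own assumptions.

```python
"""Pull the high-signal indicators out of a ComboFix-style log.

Added example for the thread above; not ComboFix's or BleepingComputer's code.
Function names and the EXPECTED_USERINIT constant are this example's own choices.
"""
import re

# The only program Windows XP itself lists in the Winlogon Userinit value.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a few lines copied in the shape of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\lcocmrdv\tigowumm.exe"
.
uStart Page = hxxp://www.google.co.uk/
Trusted Zone: amaena.com
Trusted Zone: trustedantivirus.com
DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
FF - prefs.js: browser.search.selectedEngine - PureDef Music
FF - prefs.js: keyword.URL - hxxp://results.myway.com/dft_redir.jhtml?id=YD
.
scanning hidden files ...
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\tigowumm.exe 173419 bytes executable
.
scan completed successfully
hidden files: 1
"""


def userinit_entries(log):
    """Programs listed in the Winlogon Userinit value (comma separated, blanks dropped)."""
    m = re.search(r'^"Userinit"="([^"]*)"', log, re.MULTILINE)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def extra_userinit_entries(log):
    """Anything in Userinit besides the real userinit.exe is started at every logon."""
    return [p for p in userinit_entries(log) if p.lower() != EXPECTED_USERINIT]


def trusted_zone_domains(log):
    """Domains added to Internet Explorer's Trusted Zone; a clean XP install lists none."""
    return re.findall(r"^Trusted Zone:\s*(\S+)", log, re.MULTILINE)


def non_http_dpf(log):
    """DPF (ActiveX download) entries whose source is not an http(s) URL.

    ComboFix defangs web URLs as hxxp://, so both spellings count as http.
    """
    found = []
    for m in re.finditer(r"^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)", log, re.MULTILINE):
        clsid, src = m.groups()
        if not src.lower().startswith(("http://", "https://", "hxxp://", "hxxps://")):
            found.append((clsid, src))
    return found


def firefox_search_prefs(log):
    """Firefox search-related prefs that ComboFix reports (the ones toolbars hijack)."""
    pairs = re.findall(
        r"^FF - prefs\.js: (browser\.search\.selectedEngine|keyword\.URL) - (.+)$",
        log, re.MULTILINE)
    return dict(pairs)


def hidden_files(log):
    """Files listed by the catchme scan between 'scanning hidden files' and 'scan completed'."""
    block = re.search(r"scanning hidden files \.\.\.(.*?)scan completed", log, re.DOTALL)
    if not block:
        return []
    return [ln.strip() for ln in block.group(1).splitlines()
            if ln.strip() and ln.strip() != "."]


def triage(log):
    """Collect every indicator in one dict so a helper can review them together."""
    return {
        "userinit_extra": extra_userinit_entries(log),
        "trusted_zones": trusted_zone_domains(log),
        "dpf_non_http": non_http_dpf(log),
        "firefox_search": firefox_search_prefs(log),
        "hidden_files": hidden_files(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run against the sample, the Userinit check returns only the tigowumm.exe path, which is exactly the entry the CFScript in the next post resets, and the Trusted Zone and DPF checks surface the remaining entries that the first ComboFix pass left in place. The script only reads a saved log; it does not touch the registry or the file system.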

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 April 2011 - 04:55 PM

Hello,


We need to run Combofix this time in regular mode and make sure you have access to the internet. We need to get a recovery console on board.

1.
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named.

---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click NO to run the full ComboFix scan.
  • Then exit the program.


2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Rootkit::
c:\program files\lcocmrdv\tigowumm.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\tigowumm.exe

Folder::
c:\program files\lcocmrdv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Domains::

DDS::
DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\r1sztw7u.default\
FF - prefs.js: browser.search.selectedEngine - PureDef Music
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://results.myway.com/dft_redir.jhtml?id=YD&ptb=79E90918-8875-45B7-951F-73549393402F&ind=2010061304&ptnrS=YD&si=&n=&psa=&st=kwd&searchfor=

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Reglock::
[HKEY_USERS\S-1-5-21-1246340514-469389927-2469049192-500\Software\Microsoft\Internet Explorer]

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by fireman4it, 20 April 2011 - 04:55 PM.


#9 country lane

country lane
  • Topic Starter

  • Members
  • 8 posts

Posted 22 April 2011 - 12:03 PM

Hi Fireman,

This is the result of that scan:

ComboFix 11-04-21.06 - Administrator 22/04/2011 17:35:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.495.240 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\thebettingbay\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-19 20:18 . 2011-04-22 16:32 173419 -c--a-w- c:\windows\Explorermgr.exe
2011-04-13 11:58 . 2011-04-13 12:00 -------- dc----w- c:\program files\Spybot - Search & Destroy
2011-04-12 20:28 . 2011-04-19 20:18 -------- dc----w- c:\program files\lcocmrdv
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 13:00 . 2011-02-04 13:00 73728 -c--a-w- c:\windows\system32\javacpl.cpl
2011-02-04 13:00 . 2011-02-04 13:00 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2010-10-12 16:33 . 2010-10-12 16:33 124344 -c----w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 18:15 . 2010-10-12 18:15 13240 -c----w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 16:37 . 2010-10-12 16:37 70592 -c----w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 16:35 . 2010-10-12 16:35 91576 -c----w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 16:34 . 2010-10-12 16:34 22464 -c----w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 16:32 . 2010-10-12 16:32 255416 -c----w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 16:35 . 2010-10-12 16:35 31672 -c----w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 16:34 . 2010-10-12 16:34 40384 -c----w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-07-14 12:42 . 2010-07-14 12:42 898480 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 16:37 . 2010-10-12 16:37 24000 -c----w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"ccleaner"="d:\ccleaner\ccleaner.exe" [2010-08-26 1779512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 598410]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\lcocmrdv\tigowumm.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 15:49 110592 ----a-w- c:\windows\system32\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
2001-06-23 19:28 24576 -c--a-w- c:\windows\system32\000StTHK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2004-03-29 09:39 253952 -c--a-w- c:\windows\system32\00THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-10-30 13:46 369157 -c--a-r- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 16:21 169328 -c--a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-01-26 16:03 118784 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-01-26 16:03 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 -c----w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
2003-04-18 08:06 32768 -c--a-w- c:\windows\ltsmmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:56 1667584 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-12-10 01:36 262510 -c--a-w- c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 598410 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 22:32 229739 -c----w- c:\program files\REGSHAVE\REGSHAVE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]
2003-08-03 14:01 86073 -c--a-w- c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2004-03-24 10:56 295325 -c--a-w- c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-04-27 06:19 32881 -c--a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
2003-12-02 11:15 73728 -c--a-r- c:\windows\system32\TFNF5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMERzCtl.EXE]
2003-10-28 13:38 258475 -c--a-w- c:\program files\Toshiba\TME3\TMERzCtl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMESRV.EXE]
2004-04-13 10:54 303511 -c--a-w- c:\program files\Toshiba\TME3\TMESRV31.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2003-09-05 02:24 242155 -c--a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2003-03-11 12:56 122880 -c--a-w- c:\program files\Toshiba\TouchED\TouchED.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2004-03-30 09:30 266240 -c--a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 09:18 3660848 -c--a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 213963 -c--a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Tmesrv"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"DefWatch"=2 (0x2)
"CFSvcs"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Basics Service"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"aawservice"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20758:TCP"= 20758:TCP:port
"18602:TCP"= 18602:TCP:port
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [14/07/2010 13:51 65584]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [27/04/2004 07:56 5760]
S2 gupdate1cab70297749e10;Google Update Service (gupdate1cab70297749e10);c:\program files\Google\Update\GoogleUpdate.exe [26/02/2010 17:41 133104]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21/05/2008 12:42 240601]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S4 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.EXE [27/04/2004 07:56 303511]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 11:50]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 16:41]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 16:41]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246340514-469389927-2469049192-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-19 13:01]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246340514-469389927-2469049192-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-19 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\r1sztw7u.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} - %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
FF - Ext: Black Steel: {e2c58150-9d72-11dd-ad8b-0800200c9a66} - %profile%\extensions\{e2c58150-9d72-11dd-ad8b-0800200c9a66}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 17:43
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\tigowumm.exe 173419 bytes executable
C:\Temp
C:\tigowumm.exe 173419 bytes executable
C:\unzipped
C:\USB_DRV
C:\WINDOWS
.
scan completed successfully
hidden files: 6
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\System32\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
d:\malaware\Malwarebytes' Anti-Malware\mbamext.dll
c:\windows\system32\syncui.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\progra~1\WINZIP\wzshlex1.dll
c:\progra~1\WINZIP\WZCAB3.DLL
.
Completion time: 2011-04-22 17:48:48
ComboFix-quarantined-files.txt 2011-04-22 16:48
ComboFix2.txt 2011-04-19 20:30
.
Pre-Run: 4,599,152,640 bytes free
Post-Run: 4,498,788,352 bytes free
.
- - End Of File - - 19266DEACC42E9C5F79ED83D4867D90A
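The Winlogon Userinit value in the log above chains a second program (c:\program files\lcocmrdv\tigowumm.exe) after userinit.exe, so it is started at every interactive logon, and the same file appears in the catchme hidden-files list. As an added example that is not part of this thread, the Python helper below parses a ComboFix-style REGEDIT4 excerpt (constructed here, with that Userinit value copied from the log) and reports every Userinit entry other than the expected userinit.exe; the key path and value name are the standard Windows ones, the function names are hypothetical.

```python
"""Check a Winlogon Userinit value for chained executables.

On a clean Windows XP install the value is "c:\\windows\\system32\\userinit.exe,"
(the trailing comma is normal). Every further comma-separated entry is started
at each interactive logon, which is how the entry in the ComboFix log above
launches a second program after userinit.exe.
"""
import re

# Constructed sample in the layout ComboFix prints (a REGEDIT4 header, one key
# per bracketed line, "name"="data" lines beneath it). The Userinit value is
# the one from the log above; the Run entry is there to show that unrelated
# values are left alone.
SAMPLE_REG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\lcocmrdv\tigowumm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="d:\ccleaner\ccleaner.exe" [2010-08-26 1779512]
'''

# Standard locations; compared case-insensitively because Windows paths are.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')


def parse_reg_values(text):
    """Map (key path in lower case, value name) -> value data.

    ComboFix prints registry paths with single backslashes and may append
    file metadata after the closing quote, so only the leading
    "name"="data" pair of each line is taken.
    """
    values = {}
    current_key = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            values[(current_key, value_match.group(1))] = value_match.group(2)
    return values


def userinit_extras(value, expected=EXPECTED_USERINIT):
    """Return the entries of a Userinit value other than the expected one.

    Empty entries left by doubled or trailing commas are skipped; a clean
    value therefore yields an empty list.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower() != expected.lower():
            extras.append(entry)
    return extras


def audit_userinit(reg_text):
    """Find the Winlogon Userinit value in a ComboFix-style dump and return
    the executables it chains after userinit.exe (empty list if clean or absent)."""
    value = parse_reg_values(reg_text).get((WINLOGON_KEY, "Userinit"))
    if value is None:
        return []
    return userinit_extras(value)


if __name__ == "__main__":
    for extra in audit_userinit(SAMPLE_REG):
        print("unexpected Userinit entry:", extra)
```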

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:14 AM

Posted 22 April 2011 - 03:06 PM

Hello,

Click here to download Kaspersky Virus Removal Tool.
  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect => Do not select, delete if disinfection fails.
  • Then click on Start Scan.
  • Before it is done it may prompt for action regardless of the setting so choose skip if prompted.
  • When the scan is done no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 country lane

country lane
  • Topic Starter

  • Members
  • 8 posts
  • Local time:06:14 AM

Posted 23 April 2011 - 08:00 AM

Hi Fireman,

Here are the results from the scan:

Autoscan: completed 46 minutes ago (events: 6, objects: 6639, time: 00:08:20)
23/04/2011 11:05:26 Task started
23/04/2011 11:07:28 Detected: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\QTTask.exe
23/04/2011 11:49:46 Untreated: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\QTTask.exe Cannot be disinfected
23/04/2011 11:58:00 Task stopped
23/04/2011 12:40:27 Task started
23/04/2011 12:48:49 Task completed
Disinfect active threats: completed 1 hour ago (events: 248, objects: 3135, time: 00:32:01)
23/04/2011 11:58:00 Task started
23/04/2011 11:58:03 Detected: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\QTTask.exe
23/04/2011 11:58:35 Deleted: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\QTTask.exe
23/04/2011 11:59:57 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 11:59:58 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\CTIntrfu.dll
23/04/2011 11:59:59 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\MtpManU.dll
23/04/2011 12:00:42 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\CTIntrfu.dll
23/04/2011 12:00:42 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:00:42 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:00:43 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:00:45 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\MtpManU.dll
23/04/2011 12:00:45 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\MtpManU.dll
23/04/2011 12:00:45 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\MtpManU.dll
23/04/2011 12:01:00 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\CTIntrfu.dll
23/04/2011 12:01:20 Detected: Virus.Win32.Nimnul.a C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
23/04/2011 12:01:26 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
23/04/2011 12:01:30 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
23/04/2011 12:01:45 Detected: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\nssdbm3.dll
23/04/2011 12:01:46 Detected: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\freebl3.dll
23/04/2011 12:01:49 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
23/04/2011 12:01:54 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\nssdbm3.dll
23/04/2011 12:01:54 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
23/04/2011 12:01:55 Detected: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\freebl3.dll
23/04/2011 12:01:55 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\freebl3.dll
23/04/2011 12:01:55 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\freebl3.dll
23/04/2011 12:01:56 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:02:32 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Mozilla Firefox\nssdbm3.dll
23/04/2011 12:02:32 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
23/04/2011 12:02:33 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:02:33 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:02:35 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:02:35 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:02:36 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:02:36 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:02:38 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:02:41 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:02:42 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:02:44 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:02:47 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:02:47 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:02:49 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:02:50 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:02:50 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:02:54 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:02:56 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:02:56 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:02:56 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:03:01 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:03:03 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:03:05 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:03:06 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:03:06 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:03:06 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:03:12 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:03:14 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:03:14 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:03:14 Disinfection on system restart failed: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:03:15 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:03:17 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:03:47 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:03:54 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:03:54 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:03:54 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Software Update 3\SoftAuto.exe
23/04/2011 12:03:57 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
23/04/2011 12:03:58 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe Cannot be disinfected
23/04/2011 12:04:43 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe Object is locked
23/04/2011 12:04:43 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
23/04/2011 12:05:02 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
23/04/2011 12:05:04 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe Cannot be disinfected
23/04/2011 12:05:44 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe Object is locked
23/04/2011 12:05:44 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
23/04/2011 12:05:45 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
23/04/2011 12:05:48 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe Cannot be disinfected
23/04/2011 12:06:34 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe Object is locked
23/04/2011 12:06:34 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
23/04/2011 12:06:48 Detected: Virus.Win32.Nimnul.a C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
23/04/2011 12:06:57 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe Cannot be disinfected
23/04/2011 12:07:40 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe Object is locked
23/04/2011 12:07:40 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
23/04/2011 12:08:05 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TME3\TMESRV31.EXE
23/04/2011 12:08:08 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TME3\TMESRV31.EXE Cannot be disinfected
23/04/2011 12:08:53 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TME3\TMESRV31.EXE Object is locked
23/04/2011 12:08:53 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TME3\TMESRV31.EXE
23/04/2011 12:09:35 Detected: Virus.Win32.Nimnul.a C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
23/04/2011 12:09:48 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll Cannot be disinfected
23/04/2011 12:10:20 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll Object is locked
23/04/2011 12:10:20 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
23/04/2011 12:10:21 Detected: Virus.Win32.Nimnul.a C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
23/04/2011 12:11:01 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll Cannot be disinfected
23/04/2011 12:11:28 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll Object is locked
23/04/2011 12:11:28 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
23/04/2011 12:11:30 Detected: Virus.Win32.Nimnul.a C:\Program Files\Apoint2K\Apoint.exe
23/04/2011 12:11:32 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Apoint2K\Apoint.exe Cannot be disinfected
23/04/2011 12:12:01 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Apoint2K\Apoint.exe Object is locked
23/04/2011 12:12:01 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Apoint2K\Apoint.exe
23/04/2011 12:12:03 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\Centrale.exe
23/04/2011 12:12:05 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\Centrale.exe Cannot be disinfected
23/04/2011 12:12:33 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\Centrale.exe Object is locked
23/04/2011 12:12:33 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Creative Centrale\Centrale.exe
23/04/2011 12:13:07 Detected: Virus.Win32.Nimnul.a C:\Program Files\ConTEXT\ConTEXT.exe
23/04/2011 12:13:11 Untreated: Virus.Win32.Nimnul.a C:\Program Files\ConTEXT\ConTEXT.exe Cannot be disinfected
23/04/2011 12:13:33 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\ConTEXT\ConTEXT.exe Object is locked
23/04/2011 12:13:33 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\ConTEXT\ConTEXT.exe
23/04/2011 12:13:33 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\CTRegSvr.exe
23/04/2011 12:13:35 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\CTRegSvr.exe Cannot be disinfected
23/04/2011 12:13:58 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\CTRegSvr.exe Object is locked
23/04/2011 12:13:58 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\CTRegSvr.exe
23/04/2011 12:14:05 Detected: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
23/04/2011 12:14:08 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe Cannot be disinfected
23/04/2011 12:14:32 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe Object is locked
23/04/2011 12:14:32 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
23/04/2011 12:14:34 Detected: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Extension Manager\Extension Manager.exe
23/04/2011 12:14:37 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Extension Manager\Extension Manager.exe Cannot be disinfected
23/04/2011 12:15:09 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Extension Manager\Extension Manager.exe Object is locked
23/04/2011 12:15:09 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Extension Manager\Extension Manager.exe
23/04/2011 12:15:26 Detected: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Flash MX\Flash.exe
23/04/2011 12:15:31 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Flash MX\Flash.exe Cannot be disinfected
23/04/2011 12:15:56 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Flash MX\Flash.exe Object is locked
23/04/2011 12:15:56 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\Flash MX\Flash.exe
23/04/2011 12:15:58 Detected: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\FreeHand 10\FreeHand 10.exe
23/04/2011 12:16:01 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\FreeHand 10\FreeHand 10.exe Cannot be disinfected
23/04/2011 12:16:25 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\FreeHand 10\FreeHand 10.exe Object is locked
23/04/2011 12:16:25 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Macromedia\FreeHand 10\FreeHand 10.exe
23/04/2011 12:17:07 Detected: Virus.Win32.Nimnul.a C:\Program Files\MSN\MSNCoreFiles\msn6.exe
23/04/2011 12:17:11 Untreated: Virus.Win32.Nimnul.a C:\Program Files\MSN\MSNCoreFiles\msn6.exe Cannot be disinfected
23/04/2011 12:17:34 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\MSN\MSNCoreFiles\msn6.exe Object is locked
23/04/2011 12:17:34 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\MSN\MSNCoreFiles\msn6.exe
23/04/2011 12:17:35 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
23/04/2011 12:17:37 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\NDSTray.exe Cannot be disinfected
23/04/2011 12:18:04 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\NDSTray.exe Object is locked
23/04/2011 12:18:04 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
23/04/2011 12:18:07 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\PCDiag\PCDiag.exe
23/04/2011 12:18:11 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\PCDiag\PCDiag.exe Cannot be disinfected
23/04/2011 12:18:41 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\PCDiag\PCDiag.exe Object is locked
23/04/2011 12:18:41 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\PCDiag\PCDiag.exe
23/04/2011 12:18:52 Detected: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\PictureViewer.exe
23/04/2011 12:18:54 Untreated: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\PictureViewer.exe Cannot be disinfected
23/04/2011 12:19:22 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\PictureViewer.exe Object is locked
23/04/2011 12:19:22 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\QuickTime\PictureViewer.exe
23/04/2011 12:19:26 Detected: Virus.Win32.Nimnul.a C:\Program Files\FinePixViewer\EXTENSIONS\HELPERS\RAFCNVLE.EXE
23/04/2011 12:19:28 Untreated: Virus.Win32.Nimnul.a C:\Program Files\FinePixViewer\EXTENSIONS\HELPERS\RAFCNVLE.EXE Cannot be disinfected
23/04/2011 12:19:50 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\FinePixViewer\EXTENSIONS\HELPERS\RAFCNVLE.EXE Object is locked
23/04/2011 12:19:50 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\FinePixViewer\EXTENSIONS\HELPERS\RAFCNVLE.EXE
23/04/2011 12:19:52 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
23/04/2011 12:19:54 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe Cannot be disinfected
23/04/2011 12:20:17 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe Object is locked
23/04/2011 12:20:17 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
23/04/2011 12:20:19 Detected: Virus.Win32.Nimnul.a C:\Program Files\SopCast\SopCast.exe
23/04/2011 12:20:21 Untreated: Virus.Win32.Nimnul.a C:\Program Files\SopCast\SopCast.exe Cannot be disinfected
23/04/2011 12:20:50 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\SopCast\SopCast.exe Object is locked
23/04/2011 12:20:50 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\SopCast\SopCast.exe
23/04/2011 12:20:51 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
23/04/2011 12:20:53 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe Cannot be disinfected
23/04/2011 12:21:17 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe Object is locked
23/04/2011 12:21:17 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
23/04/2011 12:21:18 Detected: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Console\TInTouch.exe
23/04/2011 12:21:21 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Console\TInTouch.exe Cannot be disinfected
23/04/2011 12:21:44 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Console\TInTouch.exe Object is locked
23/04/2011 12:21:44 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Toshiba\TOSHIBA Console\TInTouch.exe
23/04/2011 12:21:46 Detected: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe
23/04/2011 12:21:48 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe Cannot be disinfected
23/04/2011 12:22:11 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe Object is locked
23/04/2011 12:22:11 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe
23/04/2011 12:22:12 Detected: Virus.Win32.Nimnul.a C:\Program Files\InterVideo\WinDVD\WinDVD.exe
23/04/2011 12:22:14 Untreated: Virus.Win32.Nimnul.a C:\Program Files\InterVideo\WinDVD\WinDVD.exe Cannot be disinfected
23/04/2011 12:22:36 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\InterVideo\WinDVD\WinDVD.exe Object is locked
23/04/2011 12:22:36 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\InterVideo\WinDVD\WinDVD.exe
23/04/2011 12:22:38 Detected: Virus.Win32.Nimnul.a C:\Program Files\WinRAR\WinRAR.exe
23/04/2011 12:22:52 Untreated: Virus.Win32.Nimnul.a C:\Program Files\WinRAR\WinRAR.exe Cannot be disinfected
23/04/2011 12:23:49 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\WinRAR\WinRAR.exe Object is locked
23/04/2011 12:23:49 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\WinRAR\WinRAR.exe
23/04/2011 12:24:13 Detected: Virus.Win32.Nimnul.a C:\Program Files\TCWorks\TCNativeEssentials202\TC Native Essentials.dll
23/04/2011 12:24:16 Untreated: Virus.Win32.Nimnul.a C:\Program Files\TCWorks\TCNativeEssentials202\TC Native Essentials.dll Cannot be disinfected
23/04/2011 12:25:08 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\TCWorks\TCNativeEssentials202\TC Native Essentials.dll Object is locked
23/04/2011 12:25:08 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\TCWorks\TCNativeEssentials202\TC Native Essentials.dll
23/04/2011 12:25:38 Detected: Virus.Win32.Nimnul.a C:\Program Files\DivX\DivX Plus Player\DivX Plus Player.exe
23/04/2011 12:25:40 Untreated: Virus.Win32.Nimnul.a C:\Program Files\DivX\DivX Plus Player\DivX Plus Player.exe Cannot be disinfected
23/04/2011 12:25:47 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\DivX\DivX Plus Player\DivX Plus Player.exe Object is locked
23/04/2011 12:25:47 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\DivX\DivX Plus Player\DivX Plus Player.exe
23/04/2011 12:26:44 Detected: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
23/04/2011 12:26:46 Untreated: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe Cannot be disinfected
23/04/2011 12:26:52 Cannot be deleted: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe Object is locked
23/04/2011 12:26:52 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
23/04/2011 12:27:03 Detected: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\ZCfgSvc.exe
23/04/2011 12:27:05 Untreated: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\ZCfgSvc.exe Cannot be disinfected
23/04/2011 12:27:12 Cannot be deleted: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\ZCfgSvc.exe Object is locked
23/04/2011 12:27:12 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Documents and Settings\Administrator\Desktop\ZCfgSvc.exe
23/04/2011 12:27:14 Detected: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html
23/04/2011 12:27:16 Untreated: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html Cannot be disinfected
23/04/2011 12:27:23 Cannot be deleted: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html Object is locked
23/04/2011 12:27:23 Will be deleted on system restart: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html
23/04/2011 12:27:53 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\awt.dll
23/04/2011 12:27:56 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\awt.dll Cannot be disinfected
23/04/2011 12:28:03 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\awt.dll Object is locked
23/04/2011 12:28:03 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\awt.dll
23/04/2011 12:28:05 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:28:19 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:28:19 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:28:20 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll
23/04/2011 12:28:20 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\dcpr.dll
23/04/2011 12:28:21 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\dcpr.dll Cannot be disinfected
23/04/2011 12:28:28 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\dcpr.dll Object is locked
23/04/2011 12:28:28 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\dcpr.dll
23/04/2011 12:28:29 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:28:31 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:28:31 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:28:31 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\deploy.dll
23/04/2011 12:28:32 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\fontmanager.dll
23/04/2011 12:28:33 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\fontmanager.dll Cannot be disinfected
23/04/2011 12:28:40 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\fontmanager.dll Object is locked
23/04/2011 12:28:40 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\fontmanager.dll
23/04/2011 12:28:42 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:28:46 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:28:46 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:28:46 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\hpi.dll
23/04/2011 12:28:47 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:28:51 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:28:51 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:28:51 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\java.dll
23/04/2011 12:28:52 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:28:54 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:28:54 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:28:54 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jp2native.dll
23/04/2011 12:28:54 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jpeg.dll
23/04/2011 12:28:55 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jpeg.dll Cannot be disinfected
23/04/2011 12:29:01 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jpeg.dll Object is locked
23/04/2011 12:29:01 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\jpeg.dll
23/04/2011 12:29:02 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:29:10 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:29:10 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:29:10 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\net.dll
23/04/2011 12:29:10 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:29:15 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:29:15 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:29:15 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\nio.dll
23/04/2011 12:29:15 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:29:17 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:29:17 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:29:18 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\regutils.dll
23/04/2011 12:29:18 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:29:20 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:29:20 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:29:20 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\verify.dll
23/04/2011 12:29:21 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:29:24 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:29:24 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:29:24 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\zip.dll
23/04/2011 12:30:02 Task completed
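The report above runs to hundreds of lines in one fixed layout (`DD/MM/YYYY HH:MM:SS <verdict>: <threat> <path> [<reason>]`), so the per-file outcome is easier to read programmatically than by eye. The Python below is an added example written for this page, not part of the thread and not Kaspersky's tooling: it parses lines of that layout from a constructed sample, reduces each file's sequence of verdicts (Detected, Untreated, Cannot be deleted, Will be deleted on system restart, Disinfected, ...) to one outcome, and tallies which file types the infector touched. The two trailing reason phrases it strips are the ones visible in the report; the function names are my own.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the Kaspersky report quoted in the
# thread: "DD/MM/YYYY HH:MM:SS <verdict>: <threat> <path> [<reason>]".
SAMPLE_LOG = [
    r"23/04/2011 12:21:46 Detected: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe",
    r"23/04/2011 12:21:48 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe Cannot be disinfected",
    r"23/04/2011 12:22:11 Cannot be deleted: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe Object is locked",
    r"23/04/2011 12:22:11 Will be deleted on system restart: Virus.Win32.Nimnul.a C:\Program Files\Winamp\winamp.exe",
    r"23/04/2011 12:27:14 Detected: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html",
    r"23/04/2011 12:27:16 Untreated: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html Cannot be disinfected",
    r"23/04/2011 12:27:23 Will be deleted on system restart: Trojan-Dropper.JS.Agent.ex C:\Documents and Settings\Administrator.SKILLSD2\Desktop\V92 Modem.html",
    r"23/04/2011 12:28:05 Detected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll",
    r"23/04/2011 12:28:19 Disinfected: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll",
    r"23/04/2011 12:28:20 Will be disinfected on system restart: Virus.Win32.Nimnul.a C:\Program Files\Java\jre6\bin\client\jvm.dll",
    r"23/04/2011 12:30:02 Task completed",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>[^:]+): (?P<threat>\S+) (?P<rest>.+)$"
)
# Trailing reason phrases seen in the report; they must be split off because
# the path itself may contain spaces.
REASONS = ("Cannot be disinfected", "Object is locked")


def parse_line(line):
    """Split one report line into its fields, or return None for lines
    without a verdict (for example 'Task completed')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, reason = m.group("rest"), ""
    for r in REASONS:
        if rest.endswith(" " + r):
            reason, rest = r, rest[: -len(r) - 1]
            break
    return {"ts": m.group("ts"), "verdict": m.group("verdict"),
            "threat": m.group("threat"), "path": rest, "reason": reason}


def outcome(verdicts):
    """Reduce the verdict sequence for one file to a single outcome."""
    if any(v == "Disinfected" or v.startswith("Will be disinfected") for v in verdicts):
        return "disinfected"
    if any(v.startswith("Will be deleted") for v in verdicts):
        return "deleted on restart"
    return "untreated"


def per_file(lines):
    """Map each path to (threat name, final outcome)."""
    verdicts, threats = defaultdict(list), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        threats[rec["path"]] = rec["threat"]
        if rec["verdict"] != "Detected":      # 'Detected' is only the initial hit
            verdicts[rec["path"]].append(rec["verdict"])
    return {p: (threats[p], outcome(verdicts[p])) for p in threats}


def outcome_counts(lines):
    """How many files ended up disinfected, scheduled for deletion, or untreated."""
    return dict(Counter(o for _, o in per_file(lines).values()))


def extensions_hit(lines):
    """Which file types the infector touched (.exe, .dll, .html, ...)."""
    return dict(Counter(ntpath.splitext(p)[1].lower() for p in per_file(lines)))


if __name__ == "__main__":
    for path, (threat, result) in per_file(SAMPLE_LOG).items():
        print(f"{result:18} {threat:28} {path}")
    print(outcome_counts(SAMPLE_LOG))
    print(extensions_hit(SAMPLE_LOG))
```

Run it over the saved report instead of `SAMPLE_LOG` to see how many files the scanner could only schedule for deletion versus actually disinfect; a large "deleted on restart" population made up of ordinary application executables and DLLs is what makes a file infector a rebuild case rather than a clean-up case.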

#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 April 2011 - 10:31 AM

Hello country lane,

I'm afraid I have very bad news. I now know why we can't get your machine clean. If you Google Win32.Nimnul.a you will see it is another name for the virus Ramnit.A.

Win32/Ramnit.A / Win32/Ramnit.B is a dangerous file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Note:
Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
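The backup advice in the reply above (copy documents to optical media, leave out the listed extensions, look at the full file name for a hidden or doubled extension, scan before restoring) can be applied mechanically rather than by eye. The script below is an added example written for this page, not the helper's or BleepingComputer's tooling: the extension list is the one from the reply, the sample paths are constructed, and the function names are my own. It goes slightly beyond the reply by treating an innocuous-looking extension in front of a risky one (`holiday.jpg.exe`) as a separate, flagged case.

```python
import ntpath

# File types the reply advises not to back up from a Ramnit-infected machine:
# executables, markup/script files the infector writes into, and archives
# that may hold infected executables.
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp",
                    ".xml", ".zip", ".rar", ".cab"}

# Constructed sample of a user profile's files (hypothetical paths).
SAMPLE_FILES = [
    r"C:\Documents and Settings\Administrator\My Documents\letter.doc",
    r"C:\Documents and Settings\Administrator\My Pictures\holiday.jpg",
    r"C:\Documents and Settings\Administrator\My Pictures\holiday.jpg.exe",
    r"C:\Documents and Settings\Administrator\Desktop\V92 Modem.html",
    r"C:\Documents and Settings\Administrator\Desktop\notes.txt",
    r"C:\Documents and Settings\Administrator\Desktop\archive.zip",
    r"C:\Documents and Settings\Administrator\Desktop\README",
]


def all_extensions(path):
    """Every trailing extension of the file name, so that a disguised
    'holiday.jpg.exe' yields ['.jpg', '.exe'] rather than just '.exe'.
    Dots in directory names are ignored because only the basename is split."""
    name = ntpath.basename(path)
    return ["." + part.lower() for part in name.split(".")[1:]]


def classify(path):
    """Decide whether a file may go onto the backup CD/DVD."""
    exts = all_extensions(path)
    if not exts:
        return "keep"          # no extension at all; still gets scanned later
    if exts[-1] in RISKY_EXTENSIONS:
        # A harmless-looking inner extension in front of a risky one is the
        # "added to the existing extension" trick the reply warns about.
        if len(exts) > 1 and exts[-2] not in RISKY_EXTENSIONS:
            return "exclude (disguised)"
        return "exclude"
    return "keep"


def plan_backup(paths):
    """Split paths into those to copy and those to leave behind, each with
    the reason, so the list can be reviewed before anything is burned."""
    keep, exclude = [], []
    for p in paths:
        verdict = classify(p)
        (keep if verdict == "keep" else exclude).append((p, verdict))
    return keep, exclude


if __name__ == "__main__":
    keep, exclude = plan_backup(SAMPLE_FILES)
    print("copy to backup media:")
    for p, _ in keep:
        print("  ", p)
    print("leave behind:")
    for p, why in exclude:
        print(f"   {why:20} {p}")
```

Files in the "keep" list are still scanned with an up-to-date anti-virus after the rebuild and before they are copied back; the filter only removes the file types the reply names as carriers, it does not prove the rest are clean.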


#13 fireman4it

Posted 26 April 2011 - 06:31 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 fireman4it

Posted 28 April 2011 - 07:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users