Windows BBS The Place for Microsoft Windows Support!
Windows BBS > Security > Malware and Virus Removal
#16 - 13th November 2008 - johngkerr (Senior Member, Florida)

spybot will not run

I installed Spybot, but after install the program, like the other, will not run?
#17 - 13th November 2008 - johngkerr (Senior Member, Florida)

spybot will not run

I installed Spybot OK, but now it is like the other program: it will not run?
#18 - 13th November 2008 - Geri (Staff, Washington State)

Hi
Please check your PMs.

Thanks

#19 - 14th November 2008 - johngkerr (Senior Member, Florida)

found a way to run combofix

I found a way to run ComboFix, and this is the log.
I did not disable McAfee; what is the best way to do that?
Should I disable McAfee and run ComboFix again?

ComboFix 08-11-12.01 - john 2008-11-13 21:14:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.589 [GMT -6:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Adam Kerr\Application Data\SCURIT~1
c:\documents and settings\john\My Documents\WNSXS~1
c:\documents and settings\john\My Documents\WNSXS~1\W?nSxS\
c:\program files\Common\helper.sig
c:\windows\asembl~1
c:\windows\crosof~1
c:\windows\crosof~1\??crosoft\
c:\windows\sndrec32.exe
c:\windows\system32\MSVolume.dll
c:\windows\system32\wini10451631.exe
c:\windows\system32\wtssvsu32.exe
c:\windows\wiaservv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-12 20:08 . 2008-11-12 21:31 <DIR> d-------- c:\program files\AntiMalwarePro
2008-11-11 20:54 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:54 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 10:02 . 2008-11-11 19:45 73,728 --a------ c:\windows\system32\TDSSxfum.dll
2008-11-11 10:02 . 2008-11-11 19:45 35,840 --a------ c:\windows\system32\TDSSoiqt.dll
2008-11-11 10:02 . 2008-11-13 12:59 3,349 --a------ c:\windows\system32\TDSSlxwp.dll
2008-11-11 10:02 . 2008-11-11 19:45 527 --a------ c:\windows\system32\TDSSlrvd.dat
2008-10-23 12:22 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 11:20 . 2008-10-21 11:21 <DIR> d-------- c:\documents and settings\Adam Kerr\Application Data\Ventrilo
2008-10-15 06:43 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 06:42 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 06:42 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:42 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:42 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 06:42 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-14 11:51 . 2008-10-14 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 03:15 --------- d-----w c:\program files\Common
2008-11-13 19:11 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-13 19:01 --------- d-----w c:\program files\World of Warcraft
2008-11-13 03:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-12 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 02:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 01:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-12 01:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-10 09:21 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-10-30 08:08 --------- d-----w c:\program files\McAfee
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\badczido
2008-10-14 00:53 --------- d-----w c:\program files\fhuuifg
2008-10-14 00:26 --------- d-----w c:\documents and settings\john\Application Data\Malwarebytes
2008-10-14 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-11 20:17 --------- d-----w c:\program files\Lavasoft
2008-10-10 04:07 1,128 ----a-w C:\settings.dat
2008-10-04 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-09-29 08:08 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-06-20 02:15 61,224 ----a-w c:\documents and settings\john\GoToAssistDownloadHelper.exe
2007-03-28 19:57 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2006-01-24 00:27 10,179,432 ----a-w c:\documents and settings\john\HCUpgrade3.1.exe
2005-07-30 01:39 14,651,330 ----a-w c:\program files\OldeEnglish.org_-_Deadpuppies.mov
2005-07-28 15:35 959,653,376 ----a-w c:\program files\ragnarok_setup.exe
2004-03-11 19:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2003-07-28 11:16 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 ----a-w c:\windows\inf\i386\viceo.dll
2003-07-28 11:01 36,207 ----a-w c:\windows\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 ----a-w c:\windows\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 ----a-w c:\windows\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-22 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"MWLExe"="c:\program files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-12 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-12 40960]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2004-01-20 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-12-05 c:\windows\system32\nvmctray.dll]

c:\documents and settings\Adam Kerr\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\Scott Kerr\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\evelyn\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\john\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.mpng"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.dscc"= c:\progra~1\TALESA~1\dscc.dll
"vidc.dsvc"= c:\progra~1\TALESA~1\dsvc.dll
"vidc.dsfs"= c:\progra~1\TALESA~1\dsfs.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\darkneox102\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.2.2.7318-to-2.2.3.7359-enUS-downloader.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [1998-10-06 1984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]
S3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\Drivers\xpad.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-09-19 16:36]

2008-11-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AntiMalwareProMFCT - c:\program files\AntiMalwarePro\AntiMalwarePro.exe
HKCU-Run-Power2GoExpress - (no file)
HKCU-Run-PowerBar - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 -: HKLM-Main,Window Title =
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 -: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 -: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 -: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 -: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
O8 -: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

O16 -: {072CB141-B793-11D1-89B6-0020182C1446} - file://d:\utilities\IntraLaunch.CAB
c:\windows\Downloaded Program Files\IntraLaunch.INF
c:\windows\system32\ASYCFILT.DLL
c:\windows\system32\MSVBVM50.DLL
c:\windows\Downloaded Program Files\INTRALAUNCH.OCX

O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://creatives3.lakefield.net:85/SysCamInst.cab
c:\windows\Downloaded Program Files\install.inf
c:\windows\Downloaded Program Files\ipv6cam.ocx
c:\windows\Downloaded Program Files\AudioClient.ocx

O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://212.129.168.37:81/kxhcm10.ocx
c:\windows\Downloaded Program Files\kxhcm10.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 21:27:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\LxrJD31s.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-11-13 21:36:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 03:35:58

Pre-Run: 6,278,856,704 bytes free
Post-Run: 7,165,132,800 bytes free

271 --- E O F --- 2008-11-12 03:02:46


Last edited by johngkerr; 14th November 2008 at 03:45.
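The log in the post above carries the indicators a removal helper reads first: the services ComboFix deleted (the TDSS entries under Drivers/Services), fresh files written straight into system32 rather than dllcache, a product that has told Security Center to stop monitoring it, ports opened globally in the Windows Firewall standard profile (3389/TCP is Remote Desktop), and a per-volume AutoRun command under mountpoints2. The script below is an added example for this thread, not ComboFix's own code and not posted by anyone in it; it parses a constructed excerpt copied from that log and returns those indicators as findings. The section titles, the `-------\` deletion prefix and the registry layout are assumed from the log format as it appears above; the heuristics (flag any new non-directory, non-dllcache file in system32; label 3389 as RDP) are the example's own and not ComboFix's rules.

```python
"""Triage helper for a ComboFix log.  Added example for this thread; it is
not ComboFix's own code.  Section titles, the ------- deletion prefix and
the registry layout are assumed from the log format as posted above; the
heuristics are the example's own, not ComboFix's rules."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted in this thread,
# trimmed to the sections the parser understands.
SAMPLE_LOG = r"""
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
-------\Legacy_CORE
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

(((((((((((( Files Created from 2008-10-14 to 2008-11-14 ))))))))))))
2008-11-12 20:08 . 2008-11-12 21:31 <DIR> d-------- c:\program files\AntiMalwarePro
2008-11-11 20:54 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 10:02 . 2008-11-11 19:45 73,728 --a------ c:\windows\system32\TDSSxfum.dll
2008-11-11 10:02 . 2008-11-11 19:45 527 --a------ c:\windows\system32\TDSSlrvd.dat

(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # ((( Title )))
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(<DIR>|[\d,]+) (\S+) (.+)$")  # created . modified size attrs path
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DELETED_PREFIX = "-------\\"
AUTORUN_PREFIX = r"\Shell\AutoRun\command - "
SYSTEM32 = "c:\\windows\\system32\\"


def parse_sections(text):
    """Split the log into {section title: [non-empty lines]}."""
    sections = defaultdict(list)
    title = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            title = m.group(1)
        elif line not in ("", "."):
            sections[title].append(line)
    return sections


def _triage_registry(lines):
    findings, key = [], ""
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        low_key = key.lower()
        if "mountpoints2" in low_key and line.startswith(AUTORUN_PREFIX):
            # Per-volume AutoRun: this command runs when that drive is opened.
            findings.append(("autorun_mountpoint", line[len(AUTORUN_PREFIX):]))
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if ("security center\\monitoring" in low_key and name == "DisableMonitoring"
                and value.lower() == "dword:00000001"):
            # Product told Security Center to stop watching it; normal for suites
            # that report their own state, but confirm the product is genuine.
            findings.append(("security_center_monitoring_disabled", key.rsplit("\\", 1)[-1]))
        elif low_key.endswith("globallyopenports\\list"):
            findings.append(("open_port", name + (" (RDP)" if name.startswith("3389:") else "")))
    return findings


def triage(text):
    """Return (kind, detail) findings in the order a helper would read them."""
    findings = []
    for title, lines in parse_sections(text).items():
        if title.startswith("Drivers/Services"):
            # Services/drivers ComboFix deleted: -------\Legacy_X, -------\Service_X
            findings += [("removed_service", l[len(DELETED_PREFIX):])
                         for l in lines if l.startswith(DELETED_PREFIX)]
        elif title.startswith("Files Created"):
            # New files dropped straight into system32; dllcache copies are what
            # Windows Update leaves behind, so skip those and directories.
            for line in lines:
                m = FILE_RE.match(line)
                if m and m.group(1) != "<DIR>":
                    path = m.group(3)
                    if path.lower().startswith(SYSTEM32) and "\\dllcache\\" not in path.lower():
                        findings.append(("new_system32_file", path))
        elif title.startswith("Reg Loading Points"):
            findings += _triage_registry(lines)
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:38} {detail}")
```

Run it against a full log by reading the file into `triage()` in place of `SAMPLE_LOG`. The heuristics are deliberately loose: they surface lines to look at, not verdicts, and the dllcache exclusion exists only because ComboFix also lists the copies Windows Update drops there.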
#20 - 14th November 2008 - Geri (Staff, Washington State)

Hi
OK good.
Quote:
should i disable McAfee and run combofix again
Yes.

Please navigate to the system tray on the bottom right hand corner and look for the M sign.
Right-click it -> choose "Exit."
A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

Now run Combofix again and post the log.

Thanks
Geri

#21 - 14th November 2008 - johngkerr (Senior Member, Florida)

McAfee disable

When I right-click on the McAfee icon it does not have Exit in the window.
I can go under settings and disable real-time protection; will that do it?


Last edited by johngkerr; 14th November 2008 at 14:40. Reason: spelling
#22 - 15th November 2008 - Geri (Staff, Washington State)

Hi
Yes that will work.

#23 - 16th November 2008 - johngkerr (Senior Member, Florida)

combofix log

what is RECOVERY CONSOLE?


ComboFix 08-11-14.01 - john 2008-11-16 13:29:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.539 [GMT -6:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-13 22:02 . 2008-11-13 22:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-13 22:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-13 22:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 20:08 . 2008-11-12 21:31 <DIR> d-------- c:\program files\AntiMalwarePro
2008-11-11 20:54 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:54 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 10:02 . 2008-11-11 19:45 73,728 --a------ c:\windows\system32\TDSSxfum.dll
2008-11-11 10:02 . 2008-11-11 19:45 35,840 --a------ c:\windows\system32\TDSSoiqt.dll
2008-11-11 10:02 . 2008-11-13 12:59 3,349 --a------ c:\windows\system32\TDSSlxwp.dll
2008-11-11 10:02 . 2008-11-11 19:45 527 --a------ c:\windows\system32\TDSSlrvd.dat
2008-10-23 12:22 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 11:20 . 2008-10-21 11:21 <DIR> d-------- c:\documents and settings\Adam Kerr\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 05:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-15 21:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-15 09:06 --------- d-----w c:\program files\McAfee
2008-11-14 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 03:15 --------- d-----w c:\program files\Common
2008-11-13 19:01 --------- d-----w c:\program files\World of Warcraft
2008-11-13 03:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-12 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 02:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 01:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\badczido
2008-10-14 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-14 00:53 --------- d-----w c:\program files\fhuuifg
2008-10-14 00:26 --------- d-----w c:\documents and settings\john\Application Data\Malwarebytes
2008-10-14 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-11 20:17 --------- d-----w c:\program files\Lavasoft
2008-10-10 04:07 1,128 ----a-w C:\settings.dat
2008-10-04 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 08:08 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-20 02:15 61,224 ----a-w c:\documents and settings\john\GoToAssistDownloadHelper.exe
2007-03-28 19:57 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2006-01-24 00:27 10,179,432 ----a-w c:\documents and settings\john\HCUpgrade3.1.exe
2005-07-30 01:39 14,651,330 ----a-w c:\program files\OldeEnglish.org_-_Deadpuppies.mov
2005-07-28 15:35 959,653,376 ----a-w c:\program files\ragnarok_setup.exe
2004-03-11 19:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2003-07-28 11:16 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 ----a-w c:\windows\inf\i386\viceo.dll
2003-07-28 11:01 36,207 ----a-w c:\windows\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 ----a-w c:\windows\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 ----a-w c:\windows\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-13_21.35.26.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-16 18:46:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-16 18:46:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-14 03:09:16 64,372 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-14 03:31:16 64,372 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-14 03:09:16 409,232 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-14 03:31:17 409,232 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-22 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"MWLExe"="c:\program files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-12 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-12 40960]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2004-01-20 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-12-05 c:\windows\system32\nvmctray.dll]

c:\documents and settings\Adam Kerr\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\Scott Kerr\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\evelyn\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\john\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.mpng"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.dscc"= c:\progra~1\TALESA~1\dscc.dll
"vidc.dsvc"= c:\progra~1\TALESA~1\dsvc.dll
"vidc.dsfs"= c:\progra~1\TALESA~1\dsfs.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\darkneox102\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.2.2.7318-to-2.2.3.7359-enUS-downloader.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2005-02-07 1984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-28 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-18 140416]
S3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\Drivers\xpad.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-09-19 16:36]

2008-11-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

c:\windows\system32\ASYCFILT.DLL - c:\windows\system32\MSVBVM50.DLL
c:\windows\Downloaded Program Files\INTRALAUNCH.OCX
O16 -: {072CB141-B793-11D1-89B6-0020182C1446}
file://d:\utilities\IntraLaunch.CAB
c:\windows\Downloaded Program Files\IntraLaunch.INF

c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
hxxp://creatives3.lakefield.net:85/SysCamInst.cab
c:\windows\Downloaded Program Files\install.inf

c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
hxxp://212.129.168.37:81/kxhcm10.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 13:35:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll

PROCESS: c:\windows\explorer.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2008-11-16 13:37:21
ComboFix-quarantined-files.txt 2008-11-16 19:36:49
ComboFix2.txt 2008-11-14 03:36:08

Pre-Run: 10,747,117,568 bytes free
Post-Run: 10,838,970,368 bytes free

242 --- E O F --- 2008-11-12 03:02:46

Old 16th November 2008   #24
Staff
Geri
Join Date: Mar 2003
Location: Washington State
Posts: 4,633
Computer Experience: Somedays it's like Taz

Hi
OK please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:
File::
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSlrvd.dat

Folder::
c:\program files\AntiMalwarePro
c:\program files\fhuuifg

Thanks
Geri

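A triage pass over log lines of the kind posted in this thread, as an added example that is not part of the thread and not ComboFix's own code. It picks out the entries a removal helper reads first in the log above (the Security Center DisableMonitoring flags, ports opened in the firewall profile, a driver entry with no file date/size, the MountPoints2 AutoRun command, and files matching the TDSS* naming pattern Geri listed in the CFScript) and renders File::/Folder:: sections in the CFScript layout used above. The sample log is constructed from lines quoted in the thread, not a complete log; the category names, regular expressions and notes are my own.

```python
"""Triage pass over ComboFix-style log lines (added example, not ComboFix's
own code). Reports the entries a removal helper reads first and renders the
File::/Folder:: sections of a CFScript in the layout used in this thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: a handful of lines copied from the logs posted in this
# thread, not a complete ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2005-02-07 1984]
S3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\Drivers\xpad.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSlrvd.dat
"""


@dataclass(frozen=True)
class Finding:
    category: str   # short tag, used for counting
    line: str       # the log line that triggered it
    note: str       # what a reviewer would check


SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
# The TDSS* names are the ones listed in the CFScript in this thread.
TDSS_RE = re.compile(r"\\system32\\TDSS\w+\.(?:dll|dat)$", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, remembering the current [registry key] section."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        key = section.lower()
        if "security center\\monitoring" in key and DISABLE_RE.match(line):
            product = section.rsplit("\\", 1)[-1]
            findings.append(Finding("security-center", line,
                f"Security Center monitoring disabled for {product}; normal when a "
                f"third-party suite registers itself, otherwise worth a look"))
            continue
        if "globallyopenports" in key:
            m = PORT_RE.match(line)
            if m:
                port, proto = int(m.group("port")), m.group("proto")
                what = "Remote Desktop" if port == 3389 else m.group("desc").strip()
                findings.append(Finding("open-port", line,
                    f"inbound {port}/{proto} opened in the firewall profile ({what})"))
                continue
        m = SERVICE_RE.match(line)
        if m:
            if not m.group("info").strip():
                findings.append(Finding("driver-no-file", line,
                    f"service {m.group('name')} points at {m.group('path')} but no "
                    f"file date/size was recorded (file missing or unreadable)"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("autorun", line,
                f"AutoRun command registered under MountPoints2: {m.group('cmd')}"))
            continue
        if TDSS_RE.search(line):
            findings.append(Finding("tdss-file", line,
                "file name matches the TDSS* pattern named in the CFScript"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {"open-port": 2, ...}."""
    return dict(Counter(f.category for f in findings))


def build_cfscript(files: Iterable[str], folders: Iterable[str]) -> str:
    """Render File::/Folder:: sections in the layout used in this thread."""
    sections = []
    for header, items in (("File::", list(files)), ("Folder::", list(folders))):
        if items:
            sections.append(header + "\n" + "\n".join(items))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.note}\n    {f.line}")
    print(build_cfscript(
        [r"c:\windows\system32\TDSSxfum.dll", r"c:\windows\system32\TDSSoiqt.dll"],
        [r"c:\program files\AntiMalwarePro", r"c:\program files\fhuuifg"]))
```

Run as a script it prints each finding with the line that triggered it, then the CFScript text. The notes are deliberately cautious: the DisableMonitoring entries are what a third-party suite such as McAfee writes when it takes over monitoring, and an open 3389/TCP is only a problem if nobody intends to use Remote Desktop, so the helper flags them for review rather than labelling them malicious.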
Old 18th November 2008   #25
Senior Member
johngkerr
Join Date: Oct 2002
Location: Florida
Posts: 128
Computer Experience: intermediate


combofix log

I downloaded RegCure. Is it a good program and should I run it?

ComboFix 08-11-14.01 - john 2008-11-17 20:36:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.605 [GMT -6:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\john\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSxfum.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntiMalwarePro
c:\program files\AntiMalwarePro\SchedulePlan.txt
c:\program files\fhuuifg
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSxfum.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-13 22:02 . 2008-11-13 22:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-13 22:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-13 22:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 20:54 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:54 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:22 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 11:20 . 2008-10-21 11:21 <DIR> d-------- c:\documents and settings\Adam Kerr\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-17 02:08 --------- d-----w c:\program files\RegCure
2008-11-16 05:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-15 09:06 --------- d-----w c:\program files\McAfee
2008-11-14 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 03:15 --------- d-----w c:\program files\Common
2008-11-13 19:01 --------- d-----w c:\program files\World of Warcraft
2008-11-13 03:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-12 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 02:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 01:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\badczido
2008-10-14 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-14 00:26 --------- d-----w c:\documents and settings\john\Application Data\Malwarebytes
2008-10-14 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-11 20:17 --------- d-----w c:\program files\Lavasoft
2008-10-10 04:07 1,128 ----a-w C:\settings.dat
2008-10-04 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 08:08 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-20 02:15 61,224 ----a-w c:\documents and settings\john\GoToAssistDownloadHelper.exe
2007-03-28 19:57 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2006-01-24 00:27 10,179,432 ----a-w c:\documents and settings\john\HCUpgrade3.1.exe
2005-07-30 01:39 14,651,330 ----a-w c:\program files\OldeEnglish.org_-_Deadpuppies.mov
2005-07-28 15:35 959,653,376 ----a-w c:\program files\ragnarok_setup.exe
2004-03-11 19:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2003-07-28 11:16 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 ----a-w c:\windows\inf\i386\viceo.dll
2003-07-28 11:01 36,207 ----a-w c:\windows\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 ----a-w c:\windows\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 ----a-w c:\windows\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-13_21.35.26.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-18 00:17:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-18 00:17:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-18 00:17:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-14 03:09:16 64,372 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-14 03:31:16 64,372 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-14 03:09:16 409,232 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-14 03:31:17 409,232 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-22 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"MWLExe"="c:\program files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-12 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-12 40960]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2004-01-20 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-12-05 c:\windows\system32\nvmctray.dll]

c:\documents and settings\Adam Kerr\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\Scott Kerr\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\evelyn\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\john\Start Menu\Programs\Startup\
SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.mpng"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.949\686\tabdec.dll
"vidc.dscc"= c:\progra~1\TALESA~1\dscc.dll
"vidc.dsvc"= c:\progra~1\TALESA~1\dsvc.dll
"vidc.dsfs"= c:\progra~1\TALESA~1\dsfs.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\darkneox102\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.2.2.7318-to-2.2.3.7359-enUS-downloader.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2005-02-07 1984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-28 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-18 140416]
S3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\Drivers\xpad.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-09-19 16:36]

2008-11-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-11-18 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]

2008-11-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 20:40:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2008-11-17 20:42:16
ComboFix-quarantined-files.txt 2008-11-18 02:41:47
ComboFix2.txt 2008-11-16 19:37:23
ComboFix3.txt 2008-11-14 03:36:08

Pre-Run: 10,695,512,064 bytes free
Post-Run: 10,710,589,440 bytes free

223 --- E O F --- 2008-11-12 03:02:46

Old 18th November 2008   #26
Staff
Geri

Hi
Quote:
I downloaded RegCure. Is it a good program and should I run it?
Please do not do so until you are clean. And then, I don't recommend registry cleaners; I've seen them do harm to a system.

If you feel that you just have to use it, then download and install this before doing so; that way you can restore the registry if you need to.


Download ERUNT from Derfisch or Aumha and save it to your desktop.

Use the setup program to install ERUNT on your computer.
Click ERUNT.Setup.exe to install ERUNT and back up your registry.
Uncheck the "Create NTREGOPT desktop icon" box.
In the window that comes up to create an ERUNT entry in the Startup folder, select No.

By default the backup location is C:\windows\erunt\ (current date).
Click OK to continue with the registry backup.
If the folder does not exist, then let ERUNT create the folder for you by clicking Yes.
You should see a progress bar when ERUNT is backing up the Windows Registry.
After ERUNT has completed the Windows Registry backup, click OK to exit ERUNT.


OK please do the following.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now an online scan.

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on "Accept" if your pop-up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users: you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files.
  • Under Scan on the left side, click on My Computer.
  • This will start the program and scan your system.
  • Click the “Scan Report” On the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky results.

Also remind me about the recovery console and we'll install it.

Thanks
Geri

Old 23rd November 2008   #27
Senior Member
johngkerr


scan report

When should I install the RECOVERY CONSOLE?

You do not like any reg cleaner? I should not use them?


Sunday, November 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 23, 2008 02:00:45
Records in database: 1404358


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 150185
Threat name 3
Infected objects 3
Suspicious objects 0
Duration of the scan 02:29:15

File name Threat name Threats count
C:\Documents and Settings\Adam Kerr\Application Data\Sun\Java\Deployment\cache\6.0\48\6b488e30-7c82aa3a Infected: Trojan-Downloader.Java.OpenConnection.ar 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqt.dll.vir Infected: Backdoor.Win32.TDSS.blh 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.Clbd.lb 1

The selected area was scanned.

Old 24th November 2008   #28
Staff
Geri

Hi
OK great.

Please do the following.

Please download JavaRa and save the file to your desktop.
  • Right click and Extract All
  • Once extracted, open and run JavaRa.exe
  • Click Search For Updates
  • Select Update Using jucheck.exe
  • Click Search
  • If a newer version is found, allow it to be installed
  • Uncheck the Google Toolbar option. (if you don't want the Google tool bar)
  • When complete, click Remove Older Versions in the JavaRa interface and allow it to proceed
  • When that is complete, click Additional Tasks, then select Remove Useless JRE Files and click Go
  • Exit the tool when complete.
Read it, and then you can delete the gpl-2.0.txt file.


Click Start > Run. In the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.


Delete RSIT.exe and this folder: C:\rsit

Let me know how things are running.

Thanks
Geri

Old 25th November 2008   #29
Senior Member
johngkerr


problem

JavaRa.exe ran but had an error when it was removing old versions of Java.
ComboFix and C:\Qoobox were removed, but the c:\combofix folder and C:\ComboFix.txt were not removed?
Should I delete them myself?

Old 25th November 2008   #30
Staff
Geri

Hi

Quote:
JavaRa.exe ran but had an error when it was removing old versions of Java.
OK, go into Add and Remove Programs and delete the older versions.

Quote:
c:\combofix folder and C:\ComboFix.txt were not removed?
Should I delete them myself?
Yes, but you don't need to just yet.

OK I forgot about the Recovery Console, sorry. You will need to re-download Combofix.

Download ComboFix from Here to your Desktop.


You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System, then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file. Use the one below for XP Professional SP3.

Service Pack 2
http://www.microsoft.com/downloads/d...C-0A0205368124

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Geri
