
Solved Total Secure 2009 Has Taken Over My PC

Discussion in 'Malware and Virus Removal Archive' started by Waverley73, 2008/10/01.

  1. 2008/10/01
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    [Resolved] Total Secure 2009 Has Taken Over My PC

    Hi there - it is a miracle that I can even post this. I have been battling to take control back over my PC since earlier today, when it seems to have been completely taken over by viruses.

    I have pop ups going all over the place saying my PC is infected and Total Secure 2009 keeps coming up. I have only now just managed to get the internet working (just).

    I have Comodo, Avast and Adaware on my PC but don't know how this has happened as I have been running virus free for probably 9 months now.

    I get random messages referring to things such as these:

    Variant of the Trojan-Spy.Win.32.BHO

    Worm.Win32.Netbooster

    etc.



    My PC is around 4 years old and I am running Windows XP.

    Please help.

    Thank you.
     
  2. 2008/10/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.


    Hi and welcome

    Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close every window that is open later in the fix.


    Please follow the instructions below and in the order given.


    Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

    Please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Double-click on SmitfraudFix.exe to start the tool.
    Select option #2 - Clean by typing 2 and press Enter. You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter
    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Mode.

    The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed.
    Please post that log along with all others requested in your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
    Warning : running option #2 on a non infected computer will remove your Desktop background.


    NEXT**

    Double-click on SmitfraudFix.exe to start the tool.
    Select option #3 - Delete Trusted zone by typing 3 and press Enter
    Answer Yes to the question "Restore Trusted Zone?" by typing Yes and press Enter.

    Notes

    1. If you use SpywareBlaster and/or IE-SPYAD it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.




    NEXT**
    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




    NEXT**
    Download Trend Micro HijackThis™ and save to desktop.
    It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
    Double-click the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

    Accept the license agreement by clicking the "I Accept" button.
    Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    Click "Save log" to save the log file and then the log will open in Notepad.
    Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.


    In your next reply post:
    Smitfraud C:\rapport.txt
    Malwarebytes' Anti-Malware log
    New HJT log taken after the above scans have run
     


  4. 2008/10/01
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    Hello Juliet - thank you very much for replying so quickly.

    I was able to download the SmitfraudFix but couldn't get Malwarebytes' Anti-Malware (from either link - it just went to a blank firefox page).

    When I tried to start up in Safe Mode (after selecting Safe Mode in that first screen) it keeps hanging at this stage:

    multi(0)disk(0)partion(1)\windows\system32\drivers\mup.sys

    A heap of other similar lines to the one above fly up the screen but when it gets to that one it just stops. A message also comes up (for about 10 seconds) that says this:

    press 'esc' to cancel loading SPTD.sys

    The PC then just reboots itself and goes back to booting up normally.

    I'm not sure if this is related to the fact it won't boot up in Safe Mode, but for the last 4 or 5 months when I start the PC up it always paused for about 3 or 4 minutes before going to the Windows XP logon screen. During that time my USB ports would lose power and I would have to reconnect my external hard drive (connected through a USB port) at the logon screen for it to be connected.

    I look forward to your reply.

    I am on Australian time (GMT +10) so I know that there may be a delay between our posts.

    Thanks again.
     
  5. 2008/10/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back
    Can you try again using IE?

    I suspect that a sector on the hard drive might be bad and interferes with the boot process, or we're looking at a hardware\driver issue, but then again - I could be sadly mistaken.
    Is your data backed up? I would do so while you still can.
    But if it is not hard drive death, then repairing the system with an XP CD might be the answer here. Anyway, here is the link, in the hope that it is just a corrupted system:
    http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html


    Consider doing the following:

    Start - Run - (type) cmd then hit - Enter
    This will bring up a DOS style box with blinking cursor,

    At the blinking cursor, type:
    chkdsk /f /r then hit Enter <--- notice the required space before the "/"s.

    CHECKDISK will inform you that it cannot be run because files are in use/locked, etc. and will invite you to allow CHECKDISK to run the next time you reboot your machine.

    Type Y for yes, and then reboot.

    The scans will take about 30-40 minutes, after which your machine will complete its boot into Windows.
    You may be good-to-go after the CHKDSK, if it finds any bad-clusters and moves files to known good areas of your hard drive. However, if CHKDSK does find bad-clusters and moves files, it may be necessary to run CHKDSK a 2nd and even 3rd time, until all the bad-clusters are found and all of the affected files are safely moved.


    Next:

    Run System File Checker (to identify and replace any missing or corrupted Windows system files)

    Start - Run - (type) sfc /scannow - Enter <-- notice the required space before the "/"

    At that point, try your Defrag utility in Normal Mode


    sptd.sys - Driver used by the CD Rom emulation program, Daemon Tools Version 4.
    Many folks have reported problems with this Driver file.
    If you use Daemon Tools Version 4, consider uninstalling it.
    You can always Re-install it again later if you prefer.


    Let's try this:

    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Click on this link to see a list of programs that should be disabled:
    http://www.bleepingcomputer.com/forums/topic114351.html



    Double click on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



    Follow my previous reply for downloading HJT.

    Please post:
    ComboFix.txt
    New HJT log
     
    Last edited: 2008/10/01
  6. 2008/10/02
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    I haven't had a chance to do this yet (still at work) but just so you know since I got the virus I don't have access to the 'run' feature on the start menu. I also don't have access to my Task Manager either - it has locked me out of there.
     
  7. 2008/10/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Let's try to restore some settings and see if it can fix task manager and restore policies.
    Try these fixes one at a time, then check to see if after each one it worked, then follow instructions to run ComboFix and download HiJackThis.

    Please download Enable the Task Manager and save it to your desktop
    Double-click on taskmanager.reg and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.
    REBOOT afterwards.... really important!

    NEXT**
    Download VArestorepolicies

    Right-click and select: Extract all…
    Open the VArestorepolicies folder, right-click the file VArestorepolicies, and select: Install. A reboot may be needed for the effects to take place.


    If after trying the above and still no joy.......
    Next, launch Notepad (Start > Run, type in: notepad) and copy and paste the text in the Code box below into it:
    Code:
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoRun"=dword:00000000
    
    
    Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

    Now please reboot your computer.

    If it's possible try to continue with the rest of the fix...
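The fix.reg above works by resetting one policy value that the rogue set to lock the user out. As an added example (not part of Juliet's instructions and not a tool she links), the Python script below reads a `.reg` export in the same "Windows Registry Editor Version 5.00" format, reports the lockout policies the thread itself mentions (NoRun here; DisableTaskMgr and NoDispCPL turn up in the Malwarebytes log later in the thread) that are set to a restrictive value, and generates a corrective `.reg` file in the same shape as fix.reg. The sample export it parses is constructed for the example; the policy table holds only the three values the thread shows, and the defaults of 0 are what Windows treats as "not restricted" for those values.

```python
import re

# Constructed sample (not a capture from the thread's machine): the kind of
# text `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies`
# produces while a rogue has locked out Run, Task Manager and Display Properties.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"NoDispCPL"=dword:00000001
"""

# Policy values this thread shows the rogue flipping (NoRun in the fix above,
# DisableTaskMgr and NoDispCPL in the Malwarebytes log further down), paired
# with the data Windows treats as "no restriction". Paths are hive-relative.
LOCKOUT_POLICIES = {
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"): 0,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 0,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoDispCPL"): 0,
}

# A value line is either "name"=data or @=data (the key's default value).
_VALUE_LINE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. dword: data becomes an int, quoted
    strings become str; anything else (hex:, expand strings) is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(3)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        else:
            keys[current][name] = data
    return keys


def audit(reg_text):
    """Return (full_key, value_name, current_data, expected_data) for every
    lockout policy in the export whose data is not the unrestricted value."""
    findings = []
    for full_key, values in parse_reg(reg_text).items():
        _hive, _, rel = full_key.partition("\\")
        lowered = {n.lower(): d for n, d in values.items()}  # value names are case-insensitive
        for (path, name), good in LOCKOUT_POLICIES.items():
            if rel.lower() == path.lower() and name.lower() in lowered:
                current = lowered[name.lower()]
                if current != good:
                    findings.append((full_key, name, current, good))
    return findings


def build_fix_reg(findings):
    """Emit a .reg file, in the same shape as the fix.reg above, that resets
    each finding to its unrestricted value."""
    by_key = {}
    for full_key, name, _bad, good in findings:
        by_key.setdefault(full_key, []).append((name, good))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for full_key, items in by_key.items():
        lines.append(f"[{full_key}]")
        for name, good in items:
            lines.append(f'"{name}"=dword:{good:08x}')
        lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    found = audit(SAMPLE_REG_EXPORT)
    for full_key, name, bad, good in found:
        print(f"{full_key}\\{name}: {bad} (expected {good})")
    print(build_fix_reg(found))
```

Running the script on the constructed export reports all three lockout values and prints a .reg body that resets them to 0; the generated text is written with CRLF line endings and a trailing blank line because regedit's merge expects that format. The parser ignores values it does not recognise (NoDriveTypeAutoRun in the sample is left alone), so it only ever proposes changes for the policies in the table.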
     
  8. 2008/10/02
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    Hi there,

    Just a quick update Juliet. I have just started going through your instructions. Have successfully got control of my task manager back. Now just working through the rest of the instructions.

    I will post back an update a little later.

    Cheers.
     
  9. 2008/10/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    good :D
     
  10. 2008/10/02
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    OK, a bit going on here.

    I was able to enable task manager - all good.

    I then was able to restore policies - all good.

    I then tried the chkdsk /f /r at the command prompt - when I rebooted the machine the following message came up:

    Checking File System on C:
    The type of the file system is RAW
    Autochk is not available for RAW drives.
    Windows has finished checking the disk.

    I tried rebooting a few times but it just kept coming up with that message.

    I then tried downloading Malware Anti-Malware and scanned. That worked (logfile below) and picked up a heap of infections.

    I then tried repeating the chkdsk but it still kept coming up with the above message.

    I noticed I started getting the odd virus stuff popping up again (after the first Malware scan it all seemed to go away) so I did another scan (again, logfile will be below).

    I then downloaded Combofix and ran. During one of the reboots it actually did a proper checkdisk and it appeared to fix 4 errors. I will put this logfile below also.

    I will now attempt to do the smitfraudfix (will try the safe mode again now) and possibly post in the morning (has hit midnite here).

    Cheers.

    FIRST MALWARE LOG:

    Malwarebytes' Anti-Malware 1.28
    Database version: 1225
    Windows 5.1.2600 Service Pack 2

    2/10/2008 9:59:27 PM
    mbam-log-2008-10-02 (21-59-27).txt

    Scan type: Quick Scan
    Objects scanned: 53368
    Time elapsed: 6 minute(s), 16 second(s)

    Memory Processes Infected: 6
    Memory Modules Infected: 4
    Registry Keys Infected: 45
    Registry Values Infected: 45
    Registry Data Items Infected: 17
    Folders Infected: 8
    Files Infected: 147

    Memory Processes Infected:
    C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Unloaded process successfully.
    C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Unloaded process successfully.
    C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Unloaded process successfully.
    C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Unloaded process successfully.
    C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Unloaded process successfully.
    C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\opnkjgdB.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\iifgHwxu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\neksolda.dll (Trojan.Zlob) -> Delete on reboot.
    C:\WINDOWS\system32\__c00BC7EB.dat (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2503670-6d0e-4662-ac65-efa76e33056c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifghwxu (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{c2503670-6d0e-4662-ac65-efa76e33056c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9323370-09d6-40fd-a01f-6d5f616013b6} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{c9323370-09d6-40fd-a01f-6d5f616013b6} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{5603752C-602C-D167-C95D-0014A2FC4743} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{32d3cb76-770c-4273-9f99-4d36773398cf} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3dbf2330-f8ad-4ccc-ad20-d155da5bc81a} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c6c4e78f-65fb-48b1-aada-3855fdce8f52} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{57be2636-f271-4151-9d4a-40a2663e4fd7} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57be2636-f271-4151-9d4a-40a2663e4fd7} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\TotalSecure2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00bc7eb (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cfgsrvchk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moncom (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c2503670-6d0e-4662-ac65-efa76e33056c} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\neksolda (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TotalSecure2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fbc34a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur50.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur51.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur54.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yura.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur18.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur50.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur51.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur54.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yura.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur18.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnkjgdb -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnkjgdb -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0011903-00100) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\iifgHwxu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\opnkjgdB.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\Bdgjknpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Bdgjknpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\grdesirb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\brisedrg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xdbtkaax.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xaaktbdx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Program Files\kpipllc\CfgSrvChk.dll (Trojan.FakeAlert.H) -> Delete on reboot.
    C:\WINDOWS\system32\yrwrudyh.exe (Trojan.FakeAlert.H) -> Delete on reboot.
    C:\WINDOWS\neksolda.dll (Trojan.Zlob) -> Delete on reboot.
    C:\Documents and Settings\user\Local Settings\Temp\_A00FBC34A.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sysbase32.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\WINDOWS\elrx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\evmd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vtUonnkH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ssqQKbAq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\efcBsTmn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\khfffFwu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\geBtSMgH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ssqqNDur.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wvUMfdcb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cbXRKDTL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wvUnNeee.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nnnnOgHw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nnnoLDVM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Local Settings\Temp\smchk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C9QFWTER\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\S7MZEP6R\file[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W1YDABCH\ihwd[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\body.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\capt2.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\red.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\text.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\MicroAV\MicroAV.exe (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TS-2009\scan.exe (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YURA.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YURB.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YURC.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YURD.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YUR18.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Application Data\Adobe\Player.exe (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\__c00BC7EB.dat (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\WINDOWS\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\Micro Antivirus 2009.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Application Data\TmpRecentIcons\Total Secure 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Application Data\TmpRecentIcons\Micro Antivirus 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\GAY FETISH SEX.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\WINDOWS\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  11. 2008/10/02
    Waverley73 Inactive Thread Starter
    SECOND MALWARE LOG:

    Malwarebytes' Anti-Malware 1.28
    Database version: 1225
    Windows 5.1.2600 Service Pack 2

    2/10/2008 10:29:38 PM
    mbam-log-2008-10-02 (22-29-38).txt

    Scan type: Quick Scan
    Objects scanned: 52417
    Time elapsed: 3 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 2
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\body.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\capt2.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\red.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\text.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.



    COMBOFIX LOG:

    ComboFix 08-10-01.02 - user 2008-10-02 23:37:54.4 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.298 [GMT 10:00]
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dkwqgnbe.dll
    C:\WINDOWS\fkebanrw.exe
    C:\WINDOWS\nkefbltdxvk.dll
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\body.gif
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\capt2.gif
    C:\WINDOWS\privacy_danger\images\red.gif
    C:\WINDOWS\privacy_danger\images\text.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\system32\AutoRun.inf
    C:\WINDOWS\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\mbxssxod.ini
    C:\WINDOWS\system32\TDSSadw.dll
    C:\WINDOWS\system32\TDSSerrors.log
    C:\WINDOWS\system32\TDSSinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\TDSSserf1.dll
    C:\WINDOWS\system32\TDSSservers.dat
    C:\WINDOWS\system32\windows_update.exe
    C:\WINDOWS\temp\perflib_perfdata_1cc.dat
    C:\WINDOWS\xgpsarbm.dll
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

    ----- BITS: Possible infected sites -----

    hxxp://78.157.143.198
    hxxp://78.157.143.163
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MCHINJDRV


    ((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
    .

    2008-10-02 23:21 . 2008-10-02 23:21 <DIR> d--hs---- C:\FOUND.012
    2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-02 21:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-02 21:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-01 15:07 . 2008-10-01 15:07 <DIR> d-------- C:\Program Files\kpipllc
    2008-10-01 15:07 . 2008-10-01 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\revmxwxw
    2008-10-01 15:07 . 2008-10-01 15:07 131,072 --a------ C:\WINDOWS\system32\uxqxgnir.exe
    2008-10-01 14:26 . 2008-10-01 14:26 <DIR> d-------- C:\Program Files\TS-2009
    2008-09-29 13:04 . 2008-09-29 13:04 0 -rahs---- C:\khq
    2008-09-28 10:20 . 2008-10-01 13:56 15,360 --a------ C:\WINDOWS\system32\MediaCodec.exe
    2008-09-22 01:04 . 2008-09-22 01:04 33,802 --a------ C:\WINDOWS\system32\ekrn.exe
    2008-09-21 16:34 . 2008-09-21 16:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\Apple Computer
    2008-09-21 14:43 . 2008-09-21 14:43 <DIR> d-------- C:\Program Files\QuickTime
    2008-09-21 14:43 . 2008-09-21 14:43 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-09-21 14:43 . 2008-09-21 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-09-21 14:42 . 2008-09-21 14:42 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-09-21 14:42 . 2008-09-21 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-09-21 14:25 . 2008-09-21 14:34 27,288,880 --a------ C:\QuickTimeInstaller.exe
    2008-09-19 20:01 . 2008-09-19 20:01 46,087 --a------ C:\WINDOWS\Ableton.exe
    2008-09-18 15:58 . 2008-09-21 14:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-09-18 15:58 . 2008-09-18 15:58 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-09-10 21:01 . 2008-09-10 21:01 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
    2008-09-10 21:01 . 2008-09-10 21:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Audacity
    2008-09-10 20:58 . 2008-09-10 21:00 3,192,653 --a------ C:\audacity-win-unicode-1.3.5.exe
    2008-09-09 07:17 . 2008-09-09 07:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-09-02 22:39 . 2008-09-02 22:39 <DIR> d-------- C:\Program Files\LucasArts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-01 14:33 98,304 ----a-w C:\WINDOWS\DUMP447b.tmp
    2008-10-01 14:27 98,304 ----a-w C:\WINDOWS\DUMP5c0a.tmp
    2008-10-01 14:26 98,304 ----a-w C:\WINDOWS\DUMP5c77.tmp
    2008-10-01 12:36 98,304 ----a-w C:\WINDOWS\DUMP2fda.tmp
    2008-09-30 09:26 6,026 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
    2008-08-28 11:12 2,228,534 ----a-w C:\audacity-win-1.2.6.exe
    2008-08-13 10:09 204,445 ----a-w C:\FLAC_plugin_with_library_support.exe
    2008-08-13 10:03 --------- d-----w C:\Program Files\Winamp
    2008-08-13 10:02 8,981,504 ----a-w C:\winamp5541_full_emusic-7plus_en-us.exe
    2008-08-07 01:23 1,142,900 ----a-w C:\WINDOWS\renwen.scr
    2008-08-06 22:59 1,001,434 ----a-w C:\WINDOWS\chundate.scr
    2008-08-03 06:39 --------- d-----w C:\Documents and Settings\user\Application Data\SPORE Creature Creator
    2008-08-03 06:38 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-03 06:33 --------- d-----w C:\Program Files\Electronic Arts
    2008-07-25 09:53 5,126,750 ----a-w C:\TVUPlayer.zip
    2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-11 10:09 104,960 ----a-w C:\Program Files\JavaRa.exe
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-19 06:29 17,987 ----a-w C:\Program Files\gpl-2.0.txt
    2008-03-07 08:19 94,664 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-23 07:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-07-01 10:42 297,992 ----a-w C:\Program Files\Thomas The Tank Engine and Friends.zip
    2007-07-01 09:56 1,384,960 ----a-w C:\Program Files\SDP_v2_3_0.msi
    2007-07-01 09:45 397,312 ----a-w C:\Program Files\MediaRecorder_Install.pgm.msi
    2007-06-18 14:14 280,227 ----a-w C:\Program Files\FreeMPC.jar
    2007-06-18 13:16 1,630,151 ----a-w C:\Program Files\Setup_AltoMP3Gold.exe
    2007-06-12 10:15 18,937,781 ----a-w C:\Program Files\650_222_win2kxp.zip
    2007-01-31 11:33 2,094,778 ----a-w C:\Program Files\kbpianost.exe
    2007-01-09 08:36 24,192 ----a-w C:\Documents and Settings\user\usbsermptxp.sys
    2007-01-09 08:36 22,768 ----a-w C:\Documents and Settings\user\usbsermpt.sys
    2006-10-31 13:53 14,405,024 ----a-w C:\Program Files\GoogleEarthWin.exe
    2006-09-18 10:56 627,995 ----a-w C:\Program Files\ZSNES_0904.zip
    2006-07-23 12:21 1,322,736 ----a-w C:\Program Files\DVDFabDecrypter29.exe
    2006-07-21 10:29 81,393 ----a-w C:\Program Files\AnyDVD[1].patch.rar
    2006-07-21 10:11 1,293,030 ----a-w C:\Program Files\SetupAnyDVD6031.exe
    2005-07-23 13:20 13,235,784 ----a-w C:\Program Files\avg70free_338a597.exe
    2005-05-05 01:18 2,833,536 ----a-w C:\Program Files\ToolbarSetup.exe
    2005-05-03 10:20 4,343,056 ----a-w C:\Program Files\sdtrial.exe
    2005-03-30 06:11 678,069 ----a-w C:\Program Files\DVDStyler-1.31.tar.gz
    2005-03-30 06:06 288,452 ----a-w C:\Program Files\dvdauthor-0.6.11.tar.gz
    2005-03-29 10:09 3,032,317 ----a-w C:\Program Files\WinAVITrial.exe
    2005-03-17 05:17 4,573,898 ----a-w C:\Program Files\sdvdcfullVer8.exe
    2005-03-16 12:09 4,571,247 ----a-w C:\Program Files\sdvdc.exe
    2005-03-13 07:49 877,056 ----a-w C:\Program Files\iview395.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2008-01-08 1694208]
    "DAEMON Tools"="C:\Program Files\Daemon Tools\daemon.exe" [2008-01-08 165784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 8491008]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2008-01-08 90112]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 81920]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2008-01-08 45056]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-08 155648]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-06-23 1655552]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
    "ekrn"="C:\WINDOWS\system32\ekrn.exe" [2008-09-22 33802]
    "CTHelper"="CTHELPER.EXE" [2008-01-08 C:\WINDOWS\system32\CTHELPER.EXE]
    "C-Media Mixer"="Mixer.exe" [2002-10-15 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2007-10-04 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"= guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 11264]
    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 78416]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-06-23 87056]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-06-23 24208]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 20560]
    R3 C4C_BSC2;C4C_BSC2;C:\WINDOWS\system32\DRIVERS\C4C_BSC2.sys [2002-07-08 84788]
    S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2007-12-20 68672]
    S3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
    S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 29603]
    S3 USB_RNDIS;NetComm NB5 USB;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 12672]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9bb862-1023-11dc-9ac6-000f3da4fee4}]
    \Shell\AutoRun\command - F:\tnuiqb.exe
    \Shell\explore\Command - F:\tnuiqb.exe
    \Shell\open\Command - F:\tnuiqb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{925C74FF-3022-EE57-B71B-ECE8DF873806}]
    C:\WINDOWS\system32\ekrn.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{AA1601A0-0E35-4E80-A507-EBEAD0463D75} - C:\WINDOWS\nkefbltdxvk.dll
    Toolbar-{5314C6A2-514A-4B70-8185-A9C8FE0A4CFF} - C:\WINDOWS\dkwqgnbe.dll
    HKLM-Run-EM_EXEC - C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    HKLM-Run-Cmaudio - cmicnfg.cpl
    HKLM-Run-nwiz - nwiz.exe
    SSODL-xgpsarbm-{0FF0063E-C321-4716-8A97-34D65C724040} - C:\WINDOWS\xgpsarbm.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mo4i5vit.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://groups.yahoo.com/
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-02 23:48:17
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    ekrn = C:\WINDOWS\system32\ekrn.exe

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-10-02 23:54:09 - machine was rebooted
    ComboFix2.txt 2008-01-08 21:21:14
    ComboFix-quarantined-files.txt 2008-10-02 13:53:54

    Pre-Run: 24,001,609,728 bytes free
    Post-Run: 23,910,219,776 bytes free

    240 --- E O F --- 2008-09-21 07:10:58
     
  12. 2008/10/02
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    OK, safe mode works now (hurray!) so here's the SmitfraudFix logfile (along with a HJT one):


    SmitFraudFix v2.354

    Scan done at 0:14:41.93, Fri 03/10/2008
    Run from C:\Documents and Settings\user\Desktop\Smitfraudfix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

    AntiXPVSTFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» RK


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{0AD75962-1E47-409E-98D8-F42C522D478E}: DhcpNameServer=10.0.0.138
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{1D70D096-2000-412F-B48D-849D0519844D}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7AAFB379-B860-44B4-B796-7CAD21F447E1}: DhcpNameServer=210.15.254.240
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{1D70D096-2000-412F-B48D-849D0519844D}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=210.15.254.240
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:27:18 AM, on 3/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Daemon Tools\daemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [ekrn] C:\WINDOWS\system32\ekrn.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199965207687
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: guard32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5626 bytes



    Everything seems to be running 100% better than what it was before I started this. No more constant popups and warnings etc.

    I look forward to what you think.

    Thanks again.
     
  13. 2008/10/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    pfew!, good job.
    yes!
    wowsa!
    tiz music to my ears....
    Nasty rootkit infection here, we have more work ahead.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close every window that is open later in the fix.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System. No Validation is required.


    Download the file & save it as it's originally named, next to ComboFix.exe.

    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'NO' to run the full ComboFix scan.


    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.



    NEXT**
    Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

    O4 - HKLM\..\Run: [ekrn] C:\WINDOWS\system32\ekrn.exe


    NEXT**
    1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



    NEXT**
    Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.



    For this next step, please ensure that ComboFix.exe is on your desktop:

    Please open Notepad (*do not use Wordpad* or any text editor other than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.


    Code:
    KillAll::
    
    File:: 
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat 
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\uxqxgnir.exe
    C:\WINDOWS\system32\MediaCodec.exe
    C:\WINDOWS\renwen.scr
    C:\WINDOWS\chundate.scr
    C:\WINDOWS\system32\ekrn.exe
    F:\tnuiqb.exe
    
    Folder:: 
    C:\Program Files\TS-2009
    C:\Documents and Settings\All Users\Application Data\revmxwxw
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ekrn"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9bb862-1023-11dc-9ac6-000f3da4fee4}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{925C74FF-3022-EE57-B71B-ECE8DF873806}]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.




    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    NEXT**
    Go to Start > Control Panel > Internet Options
    In the General tab, under Temporary Internet Files, click: Delete Files. When prompted, check: Delete all offline content.
    You can also check: Delete Cookies (you will have to re-enter passwords at websites that require them).
    Click OK.

    For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...

    Then, go to Start >Run and enter: cleanmgr
    Select the drive to clean: C:\
    Check the following boxes and then press OK to remove:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    Agree to the prompt to perform the action...


    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Please do a scan with Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.

    Also at this time I need an update on how the computer is at the moment.
     
  14. 2008/10/03
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    Hi Juliet.

    OK, it all seems to be going well so far. I have just finished the combofix (the one where I dragged the notepad file onto it). Here is the logfile (I am continuing the rest of the instruction and will post the kaspersky and hjt logs when done).

    ComboFix 08-10-02.04 - user 2008-10-03 20:46:39.6 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT 10:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\chundate.scr
    C:\WINDOWS\renwen.scr
    C:\WINDOWS\system32\ekrn.exe
    C:\WINDOWS\system32\MediaCodec.exe
    C:\WINDOWS\system32\uxqxgnir.exe
    F:\tnuiqb.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\revmxwxw
    C:\Documents and Settings\All Users\Application Data\revmxwxw\joxmxevw.exe
    C:\WINDOWS\chundate.scr
    C:\WINDOWS\renwen.scr
    C:\WINDOWS\system32\ekrn.exe
    C:\WINDOWS\system32\MediaCodec.exe
    C:\WINDOWS\system32\uxqxgnir.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
    .

    2008-10-03 00:33 . 2008-10-03 00:33 8,192 --ahs---- C:\WINDOWS\Thumbs.db
    2008-10-03 00:14 . 2008-10-03 00:14 2,268 --a------ C:\WINDOWS\system32\tmp.reg
    2008-10-02 23:21 . 2008-10-02 23:21 <DIR> d--hs---- C:\FOUND.012
    2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-02 21:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-02 21:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-01 15:07 . 2008-10-01 15:07 <DIR> d-------- C:\Program Files\kpipllc
    2008-09-29 13:04 . 2008-09-29 13:04 0 -rahs---- C:\khq
    2008-09-21 16:34 . 2008-09-21 16:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\Apple Computer
    2008-09-21 14:43 . 2008-09-21 14:43 <DIR> d-------- C:\Program Files\QuickTime
    2008-09-21 14:43 . 2008-09-21 14:43 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-09-21 14:43 . 2008-09-21 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-09-21 14:42 . 2008-09-21 14:42 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-09-21 14:42 . 2008-09-21 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-09-21 14:25 . 2008-09-21 14:34 27,288,880 --a------ C:\QuickTimeInstaller.exe
    2008-09-19 20:01 . 2008-09-19 20:01 46,087 --a------ C:\WINDOWS\Ableton.exe
    2008-09-18 15:58 . 2008-09-21 14:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-09-18 15:58 . 2008-09-18 15:58 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-09-10 21:01 . 2008-09-10 21:01 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
    2008-09-10 21:01 . 2008-09-10 21:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Audacity
    2008-09-10 20:58 . 2008-09-10 21:00 3,192,653 --a------ C:\audacity-win-unicode-1.3.5.exe
    2008-09-09 07:17 . 2008-09-09 07:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-01 14:33 98,304 ----a-w C:\WINDOWS\DUMP447b.tmp
    2008-10-01 14:27 98,304 ----a-w C:\WINDOWS\DUMP5c0a.tmp
    2008-10-01 14:26 98,304 ----a-w C:\WINDOWS\DUMP5c77.tmp
    2008-10-01 12:36 98,304 ----a-w C:\WINDOWS\DUMP2fda.tmp
    2008-09-30 09:26 6,026 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
    2008-09-02 12:39 --------- d-----w C:\Program Files\LucasArts
    2008-08-28 11:12 2,228,534 ----a-w C:\audacity-win-1.2.6.exe
    2008-08-13 10:09 204,445 ----a-w C:\FLAC_plugin_with_library_support.exe
    2008-08-13 10:03 --------- d-----w C:\Program Files\Winamp
    2008-08-13 10:02 8,981,504 ----a-w C:\winamp5541_full_emusic-7plus_en-us.exe
    2008-08-03 06:39 --------- d-----w C:\Documents and Settings\user\Application Data\SPORE Creature Creator
    2008-08-03 06:38 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-03 06:33 --------- d-----w C:\Program Files\Electronic Arts
    2008-07-25 09:53 5,126,750 ----a-w C:\TVUPlayer.zip
    2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-11 10:09 104,960 ----a-w C:\Program Files\JavaRa.exe
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-19 06:29 17,987 ----a-w C:\Program Files\gpl-2.0.txt
    2008-03-07 08:19 94,664 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-23 07:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-07-01 10:42 297,992 ----a-w C:\Program Files\Thomas The Tank Engine and Friends.zip
    2007-07-01 09:56 1,384,960 ----a-w C:\Program Files\SDP_v2_3_0.msi
    2007-07-01 09:45 397,312 ----a-w C:\Program Files\MediaRecorder_Install.pgm.msi
    2007-06-18 14:14 280,227 ----a-w C:\Program Files\FreeMPC.jar
    2007-06-18 13:16 1,630,151 ----a-w C:\Program Files\Setup_AltoMP3Gold.exe
    2007-06-12 10:15 18,937,781 ----a-w C:\Program Files\650_222_win2kxp.zip
    2007-01-31 11:33 2,094,778 ----a-w C:\Program Files\kbpianost.exe
    2007-01-09 08:36 24,192 ----a-w C:\Documents and Settings\user\usbsermptxp.sys
    2007-01-09 08:36 22,768 ----a-w C:\Documents and Settings\user\usbsermpt.sys
    2006-10-31 13:53 14,405,024 ----a-w C:\Program Files\GoogleEarthWin.exe
    2006-09-18 10:56 627,995 ----a-w C:\Program Files\ZSNES_0904.zip
    2006-07-23 12:21 1,322,736 ----a-w C:\Program Files\DVDFabDecrypter29.exe
    2006-07-21 10:29 81,393 ----a-w C:\Program Files\AnyDVD[1].patch.rar
    2006-07-21 10:11 1,293,030 ----a-w C:\Program Files\SetupAnyDVD6031.exe
    2005-07-23 13:20 13,235,784 ----a-w C:\Program Files\avg70free_338a597.exe
    2005-05-05 01:18 2,833,536 ----a-w C:\Program Files\ToolbarSetup.exe
    2005-05-03 10:20 4,343,056 ----a-w C:\Program Files\sdtrial.exe
    2005-03-30 06:11 678,069 ----a-w C:\Program Files\DVDStyler-1.31.tar.gz
    2005-03-30 06:06 288,452 ----a-w C:\Program Files\dvdauthor-0.6.11.tar.gz
    2005-03-29 10:09 3,032,317 ----a-w C:\Program Files\WinAVITrial.exe
    2005-03-17 05:17 4,573,898 ----a-w C:\Program Files\sdvdcfullVer8.exe
    2005-03-16 12:09 4,571,247 ----a-w C:\Program Files\sdvdc.exe
    2005-03-13 07:49 877,056 ----a-w C:\Program Files\iview395.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-02_23.52.47.40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-10-03 10:54:06 16,384 ----a-w C:\WINDOWS\temp\Perflib_Perfdata_638.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2008-01-08 1694208]
    "DAEMON Tools"="C:\Program Files\Daemon Tools\daemon.exe" [2008-01-08 165784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 8491008]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2008-01-08 90112]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 81920]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2008-01-08 45056]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-08 155648]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-06-23 1655552]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
    "CTHelper"="CTHELPER.EXE" [2008-01-08 C:\WINDOWS\system32\CTHELPER.EXE]
    "C-Media Mixer"="Mixer.exe" [2002-10-15 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2007-10-04 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 11264]
    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 78416]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-06-23 87056]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-06-23 24208]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 20560]
    R3 C4C_BSC2;C4C_BSC2;C:\WINDOWS\system32\DRIVERS\C4C_BSC2.sys [2002-07-08 84788]
    S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2007-12-20 68672]
    S3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
    S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 29603]
    S3 USB_RNDIS;NetComm NB5 USB;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 12672]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfe639a-07cc-11db-999a-000f3da4fee4}]
    \Shell\AutoRun\command - H:\tsysgb.exe
    \Shell\explore\Command - H:\tsysgb.exe
    \Shell\open\Command - H:\tsysgb.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-03 20:55:32
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\PROGRAM FILES\COMODO\FIREWALL\CMDAGENT.EXE
    C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM32\NVSVC32.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-03 21:01:01 - machine was rebooted
    ComboFix4.txt 2008-01-08 21:21:14
    ComboFix-quarantined-files.txt 2008-10-03 11:00:48
    ComboFix3.txt 2008-10-02 13:54:14
    ComboFix2.txt 2008-10-03 10:25:10

    Pre-Run: 23,702,667,264 bytes free
    Post-Run: 23,663,771,648 bytes free

    205 --- E O F --- 2008-09-21 07:10:58
     
  15. 2008/10/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back
    good deal!

    Not looking too bad so far.
    Did you run Flash Drive Disinfector?

    Post the Kaspersky log when you can.
     
  16. 2008/10/03
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    Hi there,

    Yes, I did run the Flash Drive Disinfector. I am currently running the Kaspersky scan - it is taking a long time, so I will have to leave it going overnight. Hopefully it will be done in the morning and I will be able to post that along with a HijackThis log.

    Cheers.
     
  17. 2008/10/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

    Also pay attention to the directory where this is located

    H:\tsysgb.exe<--this file


    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text in the CODE box below into it:
    (don't forget to copy and paste REGEDIT4)
    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfe639a-07cc-11db-999a-000f3da4fee4}]
    
    
    Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.
    Double-click on it and, when it asks you if you want to merge the contents into the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.



    reboot when done <--important

    please verify you have done the above procedure when you reply back with the Kaspersky log
     
  18. 2008/10/03
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    Hello again,

    OK, the Kaspersky scanner ran and I've been able to do a fresh HJT log. The computer is running really, really well; the only issue I can see is the pause of 3 or so minutes when I turn it on (between when you first see the Windows stuff and the logon screen). It's during this time that the external HD turns off. It has been doing this for about 6 months, so it doesn't bother me that much. It all started doing this around the time I got a new sound card, if that helps. Anyway, here are the log files:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, October 4, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, October 03, 2008 07:37:51
    Records in database: 1285439
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 147711
    Threat name: 15
    Infected objects: 25
    Suspicious objects: 0
    Duration of the scan: 04:16:28


    File name / Threat name / Threats count
    C:\WINDOWS\Ableton.exe Infected: Trojan.Win32.Crypt.uq 1
    C:\Documents and Settings\user\Local Settings\Application Data\Identities\{BBC9D397-7476-4998-BE80-C3CD2EBF1AA1}\Microsoft\Outlook Express\Auctions.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 1
    C:\Documents and Settings\user\Local Settings\Application Data\Identities\{BBC9D397-7476-4998-BE80-C3CD2EBF1AA1}\Microsoft\Outlook Express\Auctions.dbx Infected: Trojan-Spy.HTML.Bayfraud.in 1
    C:\Documents and Settings\user\Desktop\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Documents and Settings\user\Desktop\Smitfraudfix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\29\7b4cbb1d-45f7acb1 Infected: Trojan-Downloader.Java.OpenStream.ac 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1521\A0236008.exe Infected: Trojan.Win32.Autoit.dt 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1521\A0236011.exe Infected: Trojan.Win32.Autoit.dt 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1525\A0237669.exe Infected: Trojan.Win32.Buzus.zfq 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1526\A0237988.exe Infected: Trojan.Win32.Buzus.zfq 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1535\A0241682.exe Infected: Backdoor.Win32.TDSS.cd 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1536\A0242723.DLL Infected: Rootkit.Win32.Clbd.ks 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1536\A0242726.dll Infected: Backdoor.Win32.Agent.rfv 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1536\A0242728.dll Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1538\A0243661.exe Infected: Trojan.Win32.Obfuscated.gx 1
    C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1538\A0243666.exe Infected: Trojan.Win32.Obfuscated.gx 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.ks 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tdssserf.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\uxqxgnir.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
    C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\revmxwxw\joxmxevw.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
    C:\Data\Glen's\Azureus\Need For Speed Carbon Crack.exe Infected: Backdoor.Win32.Mechbot.e 1
    C:\Data\Glen's\Azureus\Need For Speed Carbon Crack.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 1
    C:\Data\Glen's\Azureus\Need For Speed Carbon Crack.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 2

    The selected area was scanned.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:22:40 AM, on 4/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Daemon Tools\daemon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199965207687
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: guard32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5884 bytes
     
  19. 2008/10/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    wooohooo....yes!


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)


    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold


    C:\WINDOWS\Ableton.exe <--this file
    C:\Data\Glen's\Azureus\Need For Speed Carbon Crack.exe <--file and application need to go, it's infected.

    NOTE:
    Backdoor.Win32.Mechbot.e 1
    Any type of backdoor infection in my mind warrants information to cover all avenues for security.
    If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable. PIN numbers, credit card numbers, account numbers, etc. should all be changed immediately.

    (We do not approve of nor support illegal software. Cracked software is not only unethical, it's a good way to get your machine infected.
    Malware and virus authors love to spread their infections via cracks. I recommend you cease this activity and get rid of any cracked software.)



    C:\Documents and Settings\user\Local Settings\Application Data\Identities\{BBC9D397-7476-4998-BE80-C3CD2EBF1AA1}\Microsoft\Outlook Express\Auctions.dbx
    I can't tell if this is in your Inbox/deleted items/sent/ or where so you'll have to look in your Outlook Express folders and delete this

    C:\Documents and Settings\user\Desktop\SmitfraudFix<---delete this


    Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
    ===================================================

    Don't miss or skip this next step, it will remove bad files from quarantine and set a clean restore point.

    [*] Click START then RUN

    [*] Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.


    Now reboot your computer to set the registry.

    This I can't help with but I can send you over to the hardware forum and let the tech guys over there try and help with this issue.
    http://www.windowsbbs.com/hardware/



    That should do it. If there are no more issues I can help you with, you're good to go. Good job!


    Below are recommendations to protect your computer.

    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 2.0 The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, powerful new features have been added that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Slow Computer? Check here first; it may not be malware
    http://www.castlecops.com/postitle175256-0-0-.html
    Free Antivirus-AntiSpyware-Firewall Software


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware
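The reply above sorts the Kaspersky hits by where they sit rather than by threat name: copies inside System Restore points and the ComboFix quarantine are cleared by `Combofix /u`, the SmitfraudFix component is a riskware flag on a removal tool, the Java cache is cleared from the Java Control Panel, the Outlook Express .dbx hit is a message inside a mail store, and only the files still live on disk are deleted by hand, with any backdoor triggering a password reset. The script below is an added example of that triage, not code from this forum, the helper, or Kaspersky; the bucket names, the action text and the parsing regex are this example's own, and the sample report is a constructed excerpt in the scanner's one-line format using paths already posted in the thread.

```python
"""Triage a Kaspersky Online Scanner 7 report into action buckets.

Added example for this thread; not code from the forum, the helper, or
Kaspersky. Each "path Infected: threat count" line is sorted into the buckets
the reply above works through. Bucket names, ACTIONS text, the regex and the
sample excerpt are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the report's own one-line format; the paths are the
# ones posted in the thread, cut down to one representative per bucket.
SAMPLE_REPORT = r"""
C:\WINDOWS\Ableton.exe Infected: Trojan.Win32.Crypt.uq 1
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{BBC9D397-7476-4998-BE80-C3CD2EBF1AA1}\Microsoft\Outlook Express\Auctions.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 1
C:\Documents and Settings\user\Desktop\Smitfraudfix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\29\7b4cbb1d-45f7acb1 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP1535\A0241682.exe Infected: Backdoor.Win32.TDSS.cd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.ks 1
C:\Data\Glen's\Azureus\Need For Speed Carbon Crack.exe Infected: Backdoor.Win32.Mechbot.e 1
C:\Data\Glen's\Azureus\Need For Speed Carbon Crack.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 1
"""

# Detection lines look like: <path with spaces> Infected: <threat> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Bucket -> what the reply above tells the user to do about it (example wording).
ACTIONS = {
    "restore_point": "old System Restore copy; cleared when ComboFix /u sets a fresh restore point",
    "quarantine": "already moved to ComboFix quarantine (QooBox); removed by ComboFix /u",
    "tool_component": "riskware flag on a removal tool's own file; delete the tool folder when finished",
    "java_cache": "cached applet; clear Temporary Internet Files in the Java Control Panel",
    "mail_store": "message inside an Outlook Express .dbx store; delete the mail, not the store",
    "live": "still on disk and not contained; delete by hand",
}


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    count: int


def parse_report(text: str) -> list[Finding]:
    """Return one Finding per detection line; header and summary lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def classify(f: Finding) -> str:
    """Order matters: every contained location is checked before the generic 'live' case."""
    p = f.path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "smitfraudfix" in p:
        return "tool_component"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    if p.endswith(".dbx"):
        return "mail_store"
    return "live"


def triage(text: str) -> dict[str, list[str]]:
    """Group paths by bucket, deduplicating a file that several signatures hit."""
    buckets: dict[str, list[str]] = {name: [] for name in ACTIONS}
    for f in parse_report(text):
        bucket = buckets[classify(f)]
        if f.path not in bucket:
            bucket.append(f.path)
    return buckets


def needs_credential_reset(findings: list[Finding]) -> bool:
    """A backdoor that ran at any point may have captured credentials, even if the
    scanner now only sees a quarantined or restore-point copy of it."""
    return any(f.threat.startswith("Backdoor.") for f in findings)


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for name, paths in triage(SAMPLE_REPORT).items():
        if paths:
            print(f"[{name}] {ACTIONS[name]}")
            for path in paths:
                print(f"    {path}")
    if needs_credential_reset(findings):
        print("\nBackdoor seen: change passwords and PINs from a known-clean machine.")
```

Running it prints the two "live" paths (Ableton.exe and the cracked game executable, the latter listed once despite three signature hits) separately from the four contained or tool-related buckets, and ends with the credential-reset warning because a Backdoor.* name appears in the report.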
     
  20. 2008/10/03
    Waverley73

    Waverley73 Inactive Thread Starter

    Joined:
    2008/01/06
    Messages:
    86
    Likes Received:
    0
    I've actually just seen your reply above my kaspersky log. I can't actually find that file that you mention (even did a search for it too). (H:\tsysgb.exe<--this file)

    I am doing the fix.reg right now.
     
  21. 2008/10/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    That's OK
    I had posted that information in case you had not run Flash Drive Disinfector.
     
