
I'm infected and malware prevents scans


  • This topic is locked
78 replies to this topic

#61 heir

    True Member

  • Experts
  • 295 posts
Posted 15 October 2010 - 09:22 AM

Btw, I tried once again for the tsk0000.dta and when the message (the same one above and only the file name is different) came up there are two buttons underneath it one is "ReScan", and other one is "Scan Report". I just pressed ReScan, and it's checking for virus.

Probably comes back the same. No need to rescan the others. It's the same file with a different filename.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image
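heir's point that a renamed file is still the same file can be checked before anything is re-submitted to a scanner: hashing the candidates and grouping them by digest shows which names are copies of one another, so only one representative per group needs scanning. The script below is an added example, not code from the thread or from any tool mentioned in it; the file names and contents it creates are constructed placeholders written to a temporary directory.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(paths):
    """Map each distinct content hash to the file names that carry it.

    Files sharing a hash are byte-for-byte identical whatever they are called,
    which is exactly the 'same file, different filename' case from the thread.
    """
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_of_file(p)].append(Path(p).name)
    return dict(groups)


def unique_samples(paths):
    """Return one path per distinct content; renamed copies are skipped."""
    seen = {}
    for p in paths:
        seen.setdefault(sha256_of_file(p), p)
    return list(seen.values())


def demo():
    # Constructed sample set (not files from the thread): one payload saved under
    # three names, plus one unrelated file. The bytes are placeholders, not malware.
    payload = b"MZ\x90\x00constructed sample payload\n"
    other = b"MZ\x90\x00a different constructed file\n"
    names = {
        "tsk0000.dta": payload,
        "tsk0001.dta": payload,
        "tsk0002.dta": payload,
        "unrelated.bin": other,
    }
    tmp = tempfile.mkdtemp()
    paths = []
    for name, content in names.items():
        p = os.path.join(tmp, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    groups = group_by_hash(paths)
    uniques = [Path(p).name for p in unique_samples(paths)]
    return groups, uniques


if __name__ == "__main__":
    groups, uniques = demo()
    for digest, names in groups.items():
        print(f"{digest[:16]}...  {', '.join(sorted(names))}")
    print("submit only:", uniques)
```

Pointing `group_by_hash` at a real quarantine or upload folder (a list of paths) gives the same grouping; any online scanner report keyed by hash will then line up with the groups shown.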


#62 inangie

    New Member

  • Members
  • 44 posts
Posted 15 October 2010 - 09:31 AM

Btw, I tried once again for the tsk0000.dta and when the message (the same one above and only the file name is different) came up there are two buttons underneath it one is "ReScan", and other one is "Scan Report". I just pressed ReScan, and it's checking for virus.


I was waiting for the scanner to finish and then do the cpuz_x32.sys file again with the method which you had suggested. However, a different scan result came up, and here is the web link:
http://virscan.org/r...f4d3d32a17.html

#63 inangie

    New Member

  • Members
  • 44 posts
Posted 16 October 2010 - 06:14 AM

here is the OTL fixlog:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
C:\Users\Administrator\Desktop\OTL(2).scr moved successfully.
C:\Users\Administrator\Desktop\eXplorer.exe moved successfully.
C:\Users\Administrator\Desktop\iExplore.exe moved successfully.
C:\Users\Administrator\Desktop\OTH.scr moved successfully.
C:\Users\Administrator\Desktop\OTH(2).scr moved successfully.
C:\Users\Administrator\Desktop\OTL.scr moved successfully.
C:\Users\Administrator\Desktop\in.exe moved successfully.
C:\Users\Administrator\Desktop\OTL(3).exe moved successfully.
C:\Users\Administrator\Desktop\inalangie.exe moved successfully.
C:\Users\Administrator\Desktop\OTL(2).exe moved successfully.
C:\Users\Administrator\Desktop\OTL.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2C52DE7C-DB6A-42EC-93AE-D17BD539BA7F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C52DE7C-DB6A-42EC-93AE-D17BD539BA7F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{630EDC35-FD85-48BB-9B32-6B368AC2CD3E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{630EDC35-FD85-48BB-9B32-6B368AC2CD3E}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7BA8D332-7384-4137-8D8D-73B0DAFC04AC}C:\program files\utorrent\utorrent.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{8E63E824-AA65-4D08-965C-0F43D2718C7F}C:\program files\easymule\emule.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{BD747BF5-7163-4875-87B5-4E98392EE189}C:\program files\easymule\emule.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{7891C201-3244-46DA-AE7C-9813460C5733}C:\program files\easymule\emule.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{BB8C8B60-DAFA-468F-AAE2-BD0921A37C4F}C:\program files\utorrent\utorrent.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EE5F72BA-73C1-449F-873C-080E8024220E}C:\program files\easymule\emule.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F3079C73-BB3A-49B0-932A-D6A56902F93C}C:\program files\bitcomet\bitcomet.exe deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 80181 bytes
->Temporary Internet Files folder emptied: 7369875 bytes
->Java cache emptied: 13978980 bytes
->FireFox cache emptied: 49756578 bytes
->Flash cache emptied: 114106 bytes

User: All Users

User: Angie
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 68.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Angie

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.15.2 log created on 10152010_111434

Files\Folders moved on Reboot...
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF104A.tmp not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF1056.tmp not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFD97A.tmp not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFD986.tmp not found!
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NPMTMF1F\ads[5].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NPMTMF1F\ads[6].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AE6LX1A2\iframe[1].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AE6LX1A2\index[6].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9FUVOLNN\876c22aa08da1d24ea0ad6f4d3d32a17[1].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9FUVOLNN\ads[8].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
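A fix log like the one above is the record of which scripted actions OTL actually carried out; the items that come back "not found" are the ones a helper re-checks in the next scan. The parser below is an added example, not part of the thread or of OTL, that turns such a log into per-action counts, the bytes freed, and the not-found list. The sample log it runs on is constructed to match the line formats shown in the post; its paths and CLSIDs are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the OTL fix-log line formats seen above (placeholder paths).
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EXAMPLE-CLSID}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EXAMPLE-CLSID}\ not found.
C:\Users\Example\Desktop\eXplorer.exe moved successfully.
C:\Users\Example\Desktop\in.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{EXAMPLE-GUID}C:\program files\example\example.exe deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Example
->Temp folder emptied: 80181 bytes
->Java cache emptied: 13978980 bytes

Total Files Cleaned = 13.41 mb

Files\Folders moved on Reboot...
File\Folder C:\Users\Example\AppData\Local\Temp\~DF104A.tmp not found!
C:\Users\Example\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCD1234\ads[5].htm moved successfully.

Registry entries deleted on Reboot...
"""

# One (action, regex) pair per line shape; order matters only for readability,
# since the file_moved pattern requires a drive letter and cannot match registry lines.
LINE_PATTERNS = [
    ("registry_key_deleted", re.compile(r"^Registry key (?P<target>.+?) deleted successfully\.$")),
    ("registry_key_not_found", re.compile(r"^Registry key (?P<target>.+?) not found\.$")),
    ("registry_value_deleted", re.compile(r"^Registry value (?P<target>.+?) deleted successfully\.$")),
    ("file_not_found", re.compile(r"^File\\Folder (?P<target>.+?) not found!$")),
    ("file_moved", re.compile(r"^(?P<target>[A-Za-z]:\\.+?) moved successfully\.$")),
    ("cache_emptied", re.compile(r"^->(?P<target>.+?) emptied: (?P<bytes>\d+) bytes$")),
]


def parse_otl_fixlog(text):
    """Turn each recognised fix-log line into an (action, target, size_bytes) tuple.

    Section banners, 'User:' headers and totals are ignored; unknown lines are skipped
    rather than raising, because OTL versions differ slightly in what they print.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for action, pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                size = int(m.group("bytes")) if "bytes" in m.groupdict() else 0
                records.append((action, m.group("target"), size))
                break
    return records


def summarize(records):
    """Counts per action, bytes freed by the temp cleanup, and the targets OTL could not find."""
    counts = Counter(action for action, _, _ in records)
    freed = sum(size for action, _, size in records if action == "cache_emptied")
    missing = [target for action, target, _ in records if action.endswith("not_found")]
    return {"counts": dict(counts), "bytes_freed": freed, "not_found": missing}


def megabytes(n_bytes):
    """Express a byte count the way OTL's 'Total Files Cleaned' line does (MiB, 2 decimals)."""
    return round(n_bytes / (1024 * 1024), 2)


if __name__ == "__main__":
    summary = summarize(parse_otl_fixlog(SAMPLE_LOG))
    for action, n in sorted(summary["counts"].items()):
        print(f"{action:24s} {n}")
    print("freed:", megabytes(summary["bytes_freed"]), "mb")
    print("re-check:", summary["not_found"])
```

Feeding the post's own fixlog text to `parse_otl_fixlog` in place of `SAMPLE_LOG` gives the same kind of summary; the `megabytes` figure should agree with the log's "Total Files Cleaned" line, which is a cheap check that no cleanup line was missed.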

#64 inangie

    New Member

  • Members
  • 44 posts
Posted 16 October 2010 - 06:17 AM

And here is the log of Combofix in step 3:

ComboFix 10-10-15.03 - Administrator 10/16/2010 4:39.1.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.2037.1276 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\hi.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\hellow.exe"

file zipped: c:\windows\maxdrive\vbma92a1.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\angiein
c:\angiein\023.dat
c:\angiein\023v.dat
c:\angiein\Administrator.user.cf
c:\angiein\AppData.folder.dat
c:\angiein\appinit.bad
c:\angiein\asp.str
c:\angiein\Assoc.cmd
c:\angiein\attr.dat
c:\angiein\ATTRIB.cfxxe
c:\angiein\autorun_inf.dat
c:\angiein\autorun_infB.dat
c:\angiein\av.cmd
c:\angiein\av.vbs
c:\angiein\AWF.cmd
c:\angiein\badclsid
c:\angiein\Boot-Rk.cmd
c:\angiein\Boot.bat
c:\angiein\BootDrv.vbs
c:\angiein\borlander_file.dat
c:\angiein\borlander_folder.dat
c:\angiein\c.bat
c:\angiein\c.mrk
c:\angiein\Cache.folder.dat
c:\angiein\Catch-sub.cmd
c:\angiein\catchme.cfxxe
c:\angiein\Catchme.tmp
c:\angiein\CCS.bat
c:\angiein\CF-Script.cmd
c:\angiein\CF13256.cfxxe
c:\angiein\Cfiles.dat
c:\angiein\Cfolders.dat
c:\angiein\CFVersionOld
c:\angiein\CHCP.bat
c:\angiein\ClistB.dat
c:\angiein\clsid.c
c:\angiein\clsid.dat
c:\angiein\cmd.cfxxe
c:\angiein\Combobatch.bat
c:\angiein\ComboFix-Download.cfxxe
c:\angiein\ConEnv.sed
c:\angiein\Cookies.folder.dat
c:\angiein\Create.cmd
c:\angiein\Creg.dat
c:\angiein\CregC.cmd
c:\angiein\CregC.dat
c:\angiein\CregC_.dat
c:\angiein\CSCRIPT.cfxxe
c:\angiein\CSet.cmd
c:\angiein\d-del_A.dat
c:\angiein\d-delA.dat
c:\angiein\dd.cfxxe
c:\angiein\ddsDo.sed
c:\angiein\DelClsid.bat
c:\angiein\DelClsid64.bat
c:\angiein\Desktop.folder.dat
c:\angiein\desktop.ini
c:\angiein\DisclaimED.dat
c:\angiein\dll_whitelist.dat
c:\angiein\dnd.dat
c:\angiein\DPF.str
c:\angiein\Drive.folder.dat
c:\angiein\Drives.dat
c:\angiein\DrvRun.vbs
c:\angiein\dumphive.cfxxe
c:\angiein\embedded.sed
c:\angiein\en-US\ATTRIB.cfxxe.mui
c:\angiein\en-US\CF13256.cfxxe.mui
c:\angiein\en-US\cmd.cfxxe.mui
c:\angiein\en-US\CSCRIPT.cfxxe.mui
c:\angiein\en-US\PING.cfxxe.mui
c:\angiein\en-US\REGT.cfxxe.mui
c:\angiein\en-US\ROUTE.cfxxe.mui
c:\angiein\Env.sed
c:\angiein\ERDNT.e_e
c:\angiein\ERDNTDOS.LOC
c:\angiein\ERDNTWIN.LOC
c:\angiein\ERUNT.cfxxe
c:\angiein\erunt.dat
c:\angiein\ERUNT.LOC
c:\angiein\Exe.reg
c:\angiein\extract.cfxxe
c:\angiein\f_system
c:\angiein\Favorites.folder.dat
c:\angiein\FD-SV.cmd
c:\angiein\FdsvOK
c:\angiein\ffdefstr.dll
c:\angiein\FileKill.cfxxe
c:\angiein\files.pif
c:\angiein\Fin.dat
c:\angiein\FIND3M.bat
c:\angiein\FIXLSP.bat
c:\angiein\FKMGen.cmd
c:\angiein\ForeignWht
c:\angiein\Gateway
c:\angiein\GetHive.cmd
c:\angiein\GOLDUN.DAT
c:\angiein\grep.cfxxe
c:\angiein\gsar.cfxxe
c:\angiein\handle.cfxxe
c:\angiein\hidec.exe
c:\angiein\history.bat
c:\angiein\History.folder.dat
c:\angiein\iexplore.exe
c:\angiein\image001.gif
c:\angiein\Imefile.dat
c:\angiein\katch.cmd
c:\angiein\katchNT-OS
c:\angiein\Kill-All.cmd
c:\angiein\kmd.dat
c:\angiein\Lang.bat
c:\angiein\LatestVer
c:\angiein\List-B.bat
c:\angiein\List-C.bat
c:\angiein\lnkread.vbs
c:\angiein\LocalAppData.folder.dat
c:\angiein\LocalService.dat
c:\angiein\LocalServiceNetworkRestricted.dat
c:\angiein\LocalSettings.folder.dat
c:\angiein\LocalSystemNetworkRestricted.dat
c:\angiein\mbr.cfxxe
c:\angiein\mbr.chk
c:\angiein\md5sum.pif
c:\angiein\Mirrors
c:\angiein\MoveIt.bat
c:\angiein\mtee.cfxxe
c:\angiein\MUI
c:\angiein\Music.folder.dat
c:\angiein\MWindows.dat
c:\angiein\mynul.dat
c:\angiein\n.pif
c:\angiein\N_\10414
c:\angiein\N_\10773
c:\angiein\N_\11193
c:\angiein\N_\11216
c:\angiein\N_\12916
c:\angiein\N_\12997
c:\angiein\N_\13137
c:\angiein\N_\15438
c:\angiein\N_\1632
c:\angiein\N_\17181
c:\angiein\N_\18551
c:\angiein\N_\19368
c:\angiein\N_\21971
c:\angiein\N_\24929
c:\angiein\N_\25236
c:\angiein\N_\26958
c:\angiein\N_\27120
c:\angiein\N_\27882
c:\angiein\N_\28533
c:\angiein\N_\29843
c:\angiein\N_\29858
c:\angiein\N_\29899
c:\angiein\N_\31023
c:\angiein\N_\378
c:\angiein\N_\3799
c:\angiein\N_\4183
c:\angiein\N_\5105
c:\angiein\N_\6258
c:\angiein\N_\cfdummy00
c:\angiein\N_\CmdLine00
c:\angiein\ncmd.com
c:\angiein\ND_.bat
c:\angiein\ndis_combofix.dat
c:\angiein\NetHood.folder.dat
c:\angiein\netsvc.bad.dat
c:\angiein\netsvc.dat
c:\angiein\NetworkService.dat
c:\angiein\NirCmd.cfxxe
c:\angiein\NircmdB.exe
c:\angiein\NirCmdC.cfxxe
c:\angiein\NlsLanguageDefault
c:\angiein\notifykeys.dat
c:\angiein\notifykeysB.dat
c:\angiein\NT-OS.cmd
c:\angiein\nt-osSvcDump00
c:\angiein\NULL
c:\angiein\OsId.txt
c:\angiein\OSid.vbs
c:\angiein\OsVer
c:\angiein\pausep.cfxxe
c:\angiein\pend.txt
c:\angiein\Personal.folder.dat
c:\angiein\PEV.cfxxe
c:\angiein\pev.exe
c:\angiein\Pictures.folder.dat
c:\angiein\PING.cfxxe
c:\angiein\Policies.dat
c:\angiein\powp.dat
c:\angiein\PreDIR
c:\angiein\Prep.inf
c:\angiein\PrintHood.folder.dat
c:\angiein\Profiles.Folder.dat
c:\angiein\Profiles.Folder.folder.dat
c:\angiein\progfile.dat
c:\angiein\Programs.folder.dat
c:\angiein\Purity.dat
c:\angiein\pv.com
c:\angiein\RCLink.dat
c:\angiein\RcVer00
c:\angiein\Recent.folder.dat
c:\angiein\REGDACL.sed
c:\angiein\RegDo.sed
c:\angiein\region.dat
c:\angiein\RegScan.cmd
c:\angiein\RegScan64.cmd
c:\angiein\REGT.cfxxe
c:\angiein\Resident.txt
c:\angiein\restore_pt.dat
c:\angiein\restore_pt.vbs
c:\angiein\Rkey.cmd
c:\angiein\rogues.dat
c:\angiein\ROUTE.cfxxe
c:\angiein\run.sed
c:\angiein\run2.sed
c:\angiein\Rust.str
c:\angiein\s0rt.cfxxe
c:\angiein\safeboot.dat
c:\angiein\safeboot.def.dat
c:\angiein\sed.cfxxe
c:\angiein\SendTo.folder.dat
c:\angiein\SetEnvmt.bat
c:\angiein\SetPath.bat
c:\angiein\setpath.cfxxe
c:\angiein\SF.exe
c:\angiein\sfx.cmd
c:\angiein\SnapShot.cmd
c:\angiein\SRestore.cmd
c:\angiein\srizbi.md5
c:\angiein\Start_dat
c:\angiein\StartMenu.folder.dat
c:\angiein\StartUp.folder.dat
c:\angiein\SuppScan.cmd
c:\angiein\svc_wht.dat
c:\angiein\SvcDrv.vbs
c:\angiein\svchost.dat
c:\angiein\SWREG.cfxxe
c:\angiein\swreg.exe
c:\angiein\swsc.cfxxe
c:\angiein\swxcacls.cfxxe
c:\angiein\SysPath.dat
c:\angiein\system_ini.dat
c:\angiein\tail.cfxxe
c:\angiein\Temp.dat
c:\angiein\Templates.folder.dat
c:\angiein\toolbar.sed
c:\angiein\unhand.dat
c:\angiein\Update-CF.cmd
c:\angiein\v_wht.dat
c:\angiein\VerCF.bat
c:\angiein\version.txt
c:\angiein\VikPev00
c:\angiein\Vikpev01
c:\angiein\VInfo
c:\angiein\VInfo2
c:\angiein\Vipev.dat
c:\angiein\ViPev00
c:\angiein\ViPev01
c:\angiein\Vista.krl
c:\angiein\Vista.mac
c:\angiein\vistaMcode.dat
c:\angiein\vistareg.dat
c:\angiein\vRun_DLL
c:\angiein\vun.dat
c:\angiein\vundonames.dat
c:\angiein\VwinTemp.dacl
c:\angiein\w_sock.dll
c:\angiein\w7Mcode.dat
c:\angiein\whiteAll.dat
c:\angiein\whitedir.dat
c:\angiein\whitedirCreated.dat
c:\angiein\Wmi_rem.vbs
c:\angiein\xpmcode.dat
c:\angiein\XPSBoot.reg
c:\angiein\zDomain.dat
c:\angiein\zhsvc.dat
c:\angiein\zip.cfxxe
c:\angiein\Zlob01
C:\hellow
c:\hellow\023.dat
c:\hellow\023v.dat
c:\hellow\Administrator.user.cf
c:\hellow\AppData.folder.dat
c:\hellow\appinit.bad
c:\hellow\asp.str
c:\hellow\Assoc.cmd
c:\hellow\attr.dat
c:\hellow\ATTRIB.cfxxe
c:\hellow\autorun_inf.dat
c:\hellow\autorun_infB.dat
c:\hellow\av.cmd
c:\hellow\av.vbs
c:\hellow\AWF.cmd
c:\hellow\badclsid
c:\hellow\Boot-Rk.cmd
c:\hellow\Boot.bat
c:\hellow\BootDrv.vbs
c:\hellow\borlander_file.dat
c:\hellow\borlander_folder.dat
c:\hellow\c.bat
c:\hellow\c.mrk
c:\hellow\Cache.folder.dat
c:\hellow\Catch-sub.cmd
c:\hellow\catchme.cfxxe
c:\hellow\Catchme.tmp
c:\hellow\CCS.bat
c:\hellow\CF-Script.cmd
c:\hellow\CF12938.cfxxe
c:\hellow\Cfiles.dat
c:\hellow\Cfolders.dat
c:\hellow\CFVersionOld
c:\hellow\CHCP.bat
c:\hellow\ClistB.dat
c:\hellow\clsid.c
c:\hellow\clsid.dat
c:\hellow\Combobatch.bat
c:\hellow\ComboFix-Download.cfxxe
c:\hellow\ConEnv.sed
c:\hellow\Cookies.folder.dat
c:\hellow\Create.cmd
c:\hellow\Creg.dat
c:\hellow\CregC.cmd
c:\hellow\CregC.dat
c:\hellow\CregC_.dat
c:\hellow\CSCRIPT.cfxxe
c:\hellow\CSet.cmd
c:\hellow\d-del_A.dat
c:\hellow\d-delA.dat
c:\hellow\dd.cfxxe
c:\hellow\ddsDo.sed
c:\hellow\DelClsid.bat
c:\hellow\DelClsid64.bat
c:\hellow\Desktop.folder.dat
c:\hellow\desktop.ini
c:\hellow\DisclaimED.dat
c:\hellow\dll_whitelist.dat
c:\hellow\dnd.dat
c:\hellow\DPF.str
c:\hellow\Drive.folder.dat
c:\hellow\Drives.dat
c:\hellow\DrvRun.vbs
c:\hellow\dumphive.cfxxe
c:\hellow\embedded.sed
c:\hellow\en-US\ATTRIB.cfxxe.mui
c:\hellow\en-US\CF12938.cfxxe.mui
c:\hellow\en-US\cmd.cfxxe.mui
c:\hellow\en-US\CSCRIPT.cfxxe.mui
c:\hellow\en-US\PING.cfxxe.mui
c:\hellow\en-US\REGT.cfxxe.mui
c:\hellow\en-US\ROUTE.cfxxe.mui
c:\hellow\Env.sed
c:\hellow\ERDNT.e_e
c:\hellow\ERDNTDOS.LOC
c:\hellow\ERDNTWIN.LOC
c:\hellow\ERUNT.cfxxe
c:\hellow\erunt.dat
c:\hellow\ERUNT.LOC
c:\hellow\Exe.reg
c:\hellow\extract.cfxxe
c:\hellow\f_system
c:\hellow\Favorites.folder.dat
c:\hellow\FD-SV.cmd
c:\hellow\FdsvOK
c:\hellow\ffdefstr.dll
c:\hellow\FileKill.cfxxe
c:\hellow\files.pif
c:\hellow\Fin.dat
c:\hellow\FIND3M.bat
c:\hellow\FIXLSP.bat
c:\hellow\FKMGen.cmd
c:\hellow\ForeignWht
c:\hellow\Gateway
c:\hellow\GetHive.cmd
c:\hellow\GOLDUN.DAT
c:\hellow\grep.cfxxe
c:\hellow\gsar.cfxxe
c:\hellow\handle.cfxxe
c:\hellow\hidec.exe
c:\hellow\history.bat
c:\hellow\History.folder.dat
c:\hellow\iexplore.exe
c:\hellow\image001.gif
c:\hellow\Imefile.dat
c:\hellow\katch.cmd
c:\hellow\katchNT-OS
c:\hellow\Kill-All.cmd
c:\hellow\kmd.dat
c:\hellow\Lang.bat
c:\hellow\List-B.bat
c:\hellow\List-C.bat
c:\hellow\lnkread.vbs
c:\hellow\LocalAppData.folder.dat
c:\hellow\LocalService.dat
c:\hellow\LocalServiceNetworkRestricted.dat
c:\hellow\LocalSettings.folder.dat
c:\hellow\LocalSystemNetworkRestricted.dat
c:\hellow\mbr.cfxxe
c:\hellow\mbr.chk
c:\hellow\md5sum.pif
c:\hellow\MoveIt.bat
c:\hellow\mtee.cfxxe
c:\hellow\MUI
c:\hellow\Music.folder.dat
c:\hellow\MWindows.dat
c:\hellow\mynul.dat
c:\hellow\n.pif
c:\hellow\N_\11454
c:\hellow\N_\13014
c:\hellow\N_\14323
c:\hellow\N_\14776
c:\hellow\N_\14833
c:\hellow\N_\15135
c:\hellow\N_\1550
c:\hellow\N_\1565
c:\hellow\N_\18400
c:\hellow\N_\18839
c:\hellow\N_\19034
c:\hellow\N_\1918
c:\hellow\N_\19268
c:\hellow\N_\19663
c:\hellow\N_\19855
c:\hellow\N_\21036
c:\hellow\N_\24304
c:\hellow\N_\25745
c:\hellow\N_\3070
c:\hellow\N_\31499
c:\hellow\N_\32064
c:\hellow\N_\4641
c:\hellow\N_\5460
c:\hellow\N_\6169
c:\hellow\N_\7859
c:\hellow\N_\7886
c:\hellow\N_\8024
c:\hellow\N_\8174
c:\hellow\N_\cfdummy00
c:\hellow\N_\CmdLine00
c:\hellow\ncmd.com
c:\hellow\ND_.bat
c:\hellow\ndis_combofix.dat
c:\hellow\NetHood.folder.dat
c:\hellow\netsvc.bad.dat
c:\hellow\netsvc.dat
c:\hellow\NetworkService.dat
c:\hellow\NirCmd.cfxxe
c:\hellow\NircmdB.exe
c:\hellow\NirCmdC.cfxxe
c:\hellow\NlsLanguageDefault
c:\hellow\notifykeys.dat
c:\hellow\notifykeysB.dat
c:\hellow\NT-OS.cmd
c:\hellow\nt-osSvcDump00
c:\hellow\NULL
c:\hellow\OsId.txt
c:\hellow\OSid.vbs
c:\hellow\OsVer
c:\hellow\pausep.cfxxe
c:\hellow\pend.txt
c:\hellow\Personal.folder.dat
c:\hellow\PEV.cfxxe
c:\hellow\pev.exe
c:\hellow\Pictures.folder.dat
c:\hellow\PING.cfxxe
c:\hellow\Policies.dat
c:\hellow\powp.dat
c:\hellow\PreDIR
c:\hellow\Prep.inf
c:\hellow\PrintHood.folder.dat
c:\hellow\Profiles.Folder.dat
c:\hellow\Profiles.Folder.folder.dat
c:\hellow\progfile.dat
c:\hellow\Programs.folder.dat
c:\hellow\Purity.dat
c:\hellow\pv.com
c:\hellow\RCLink.dat
c:\hellow\RcVer00
c:\hellow\Recent.folder.dat
c:\hellow\REGDACL.sed
c:\hellow\RegDo.sed
c:\hellow\region.dat
c:\hellow\RegScan.cmd
c:\hellow\RegScan64.cmd
c:\hellow\REGT.cfxxe
c:\hellow\Resident.txt
c:\hellow\restore_pt.dat
c:\hellow\restore_pt.vbs
c:\hellow\Rkey.cmd
c:\hellow\rogues.dat
c:\hellow\ROUTE.cfxxe
c:\hellow\run.sed
c:\hellow\run2.sed
c:\hellow\Rust.str
c:\hellow\s0rt.cfxxe
c:\hellow\safeboot.dat
c:\hellow\safeboot.def.dat
c:\hellow\sed.cfxxe
c:\hellow\SendTo.folder.dat
c:\hellow\SetEnvmt.bat
c:\hellow\SetPath.bat
c:\hellow\setpath.cfxxe
c:\hellow\SF.exe
c:\hellow\sfx.cmd
c:\hellow\SnapShot.cmd
c:\hellow\SRestore.cmd
c:\hellow\srizbi.md5
c:\hellow\Start_dat
c:\hellow\StartMenu.folder.dat
c:\hellow\StartUp.folder.dat
c:\hellow\SuppScan.cmd
c:\hellow\svc_wht.dat
c:\hellow\SvcDrv.vbs
c:\hellow\svchost.dat
c:\hellow\SWREG.cfxxe
c:\hellow\swreg.exe
c:\hellow\swsc.cfxxe
c:\hellow\swxcacls.cfxxe
c:\hellow\SysPath.dat
c:\hellow\system_ini.dat
c:\hellow\tail.cfxxe
c:\hellow\Temp.dat
c:\hellow\Templates.folder.dat
c:\hellow\toolbar.sed
c:\hellow\unhand.dat
c:\hellow\Update-CF.cmd
c:\hellow\v_wht.dat
c:\hellow\VerCF.bat
c:\hellow\VikPev00
c:\hellow\Vikpev01
c:\hellow\VInfo
c:\hellow\VInfo2
c:\hellow\Vipev.dat
c:\hellow\ViPev00
c:\hellow\ViPev01
c:\hellow\Vista.krl
c:\hellow\Vista.mac
c:\hellow\vistaMcode.dat
c:\hellow\vistareg.dat
c:\hellow\vRun_DLL
c:\hellow\vun.dat
c:\hellow\vundonames.dat
c:\hellow\VwinTemp.dacl
c:\hellow\w_sock.dll
c:\hellow\w7Mcode.dat
c:\hellow\whiteAll.dat
c:\hellow\whitedir.dat
c:\hellow\whitedirCreated.dat
c:\hellow\Wmi_rem.vbs
c:\hellow\xpmcode.dat
c:\hellow\XPSBoot.reg
c:\hellow\zDomain.dat
c:\hellow\zhsvc.dat
c:\hellow\zip.cfxxe
c:\hellow\Zlob01
C:\inangie
c:\inangie\023.dat
c:\inangie\023v.dat
c:\inangie\Administrator.user.cf
c:\inangie\AppData.folder.dat
c:\inangie\appinit.bad
c:\inangie\asp.str
c:\inangie\Assoc.cmd
c:\inangie\attr.dat
c:\inangie\ATTRIB.cfxxe
c:\inangie\autorun_inf.dat
c:\inangie\autorun_infB.dat
c:\inangie\av.cmd
c:\inangie\av.vbs
c:\inangie\AWF.cmd
c:\inangie\badclsid
c:\inangie\Boot-Rk.cmd
c:\inangie\Boot.bat
c:\inangie\BootDrv.vbs
c:\inangie\borlander_file.dat
c:\inangie\borlander_folder.dat
c:\inangie\c.bat
c:\inangie\c.mrk
c:\inangie\Cache.folder.dat
c:\inangie\Catch-sub.cmd
c:\inangie\catchme.cfxxe
c:\inangie\Catchme.tmp
c:\inangie\CCS.bat
c:\inangie\CF-Script.cmd
c:\inangie\CF11466.cfxxe
c:\inangie\Cfiles.dat
c:\inangie\Cfolders.dat
c:\inangie\CFVersionOld
c:\inangie\CHCP.bat
c:\inangie\ClistB.dat
c:\inangie\clsid.c
c:\inangie\clsid.dat
c:\inangie\Combobatch.bat
c:\inangie\ComboFix-Download.cfxxe
c:\inangie\ConEnv.sed
c:\inangie\Cookies.folder.dat
c:\inangie\Create.cmd
c:\inangie\Creg.dat
c:\inangie\CregC.cmd
c:\inangie\CregC.dat
c:\inangie\CregC_.dat
c:\inangie\CSCRIPT.cfxxe
c:\inangie\CSet.cmd
c:\inangie\d-del_A.dat
c:\inangie\d-delA.dat
c:\inangie\dd.cfxxe
c:\inangie\ddsDo.sed
c:\inangie\DelClsid.bat
c:\inangie\DelClsid64.bat
c:\inangie\Desktop.folder.dat
c:\inangie\desktop.ini
c:\inangie\DisclaimED.dat
c:\inangie\dll_whitelist.dat
c:\inangie\dnd.dat
c:\inangie\DPF.str
c:\inangie\Drive.folder.dat
c:\inangie\Drives.dat
c:\inangie\DrvRun.vbs
c:\inangie\dumphive.cfxxe
c:\inangie\embedded.sed
c:\inangie\en-US\ATTRIB.cfxxe.mui
c:\inangie\en-US\CF11466.cfxxe.mui
c:\inangie\en-US\cmd.cfxxe.mui
c:\inangie\en-US\CSCRIPT.cfxxe.mui
c:\inangie\en-US\PING.cfxxe.mui
c:\inangie\en-US\REGT.cfxxe.mui
c:\inangie\en-US\ROUTE.cfxxe.mui
c:\inangie\Env.sed
c:\inangie\ERDNT.e_e
c:\inangie\ERDNTDOS.LOC
c:\inangie\ERDNTWIN.LOC
c:\inangie\ERUNT.cfxxe
c:\inangie\erunt.dat
c:\inangie\ERUNT.LOC
c:\inangie\Exe.reg
c:\inangie\extract.cfxxe
c:\inangie\f_system
c:\inangie\Favorites.folder.dat
c:\inangie\FD-SV.cmd
c:\inangie\FdsvOK
c:\inangie\ffdefstr.dll
c:\inangie\FileKill.cfxxe
c:\inangie\files.pif
c:\inangie\Fin.dat
c:\inangie\FIND3M.bat
c:\inangie\FIXLSP.bat
c:\inangie\FKMGen.cmd
c:\inangie\ForeignWht
c:\inangie\Gateway
c:\inangie\GetHive.cmd
c:\inangie\GOLDUN.DAT
c:\inangie\grep.cfxxe
c:\inangie\gsar.cfxxe
c:\inangie\handle.cfxxe
c:\inangie\hidec.exe
c:\inangie\history.bat
c:\inangie\History.folder.dat
c:\inangie\iexplore.exe
c:\inangie\image001.gif
c:\inangie\Imefile.dat
c:\inangie\katch.cmd
c:\inangie\katchNT-OS
c:\inangie\Kill-All.cmd
c:\inangie\kmd.dat
c:\inangie\Lang.bat
c:\inangie\LatestVer
c:\inangie\List-B.bat
c:\inangie\List-C.bat
c:\inangie\lnkread.vbs
c:\inangie\LocalAppData.folder.dat
c:\inangie\LocalService.dat
c:\inangie\LocalServiceNetworkRestricted.dat
c:\inangie\LocalSettings.folder.dat
c:\inangie\LocalSystemNetworkRestricted.dat
c:\inangie\mbr.cfxxe
c:\inangie\mbr.chk
c:\inangie\md5sum.pif
c:\inangie\Mirrors
c:\inangie\MoveIt.bat
c:\inangie\mtee.cfxxe
c:\inangie\MUI
c:\inangie\Music.folder.dat
c:\inangie\MWindows.dat
c:\inangie\mynul.dat
c:\inangie\n.pif
c:\inangie\N_\10512
c:\inangie\N_\12022
c:\inangie\N_\12430
c:\inangie\N_\1284
c:\inangie\N_\12910
c:\inangie\N_\1460
c:\inangie\N_\15650
c:\inangie\N_\15950
c:\inangie\N_\16198
c:\inangie\N_\17308
c:\inangie\N_\17859
c:\inangie\N_\1787
c:\inangie\N_\19297
c:\inangie\N_\19309
c:\inangie\N_\20961
c:\inangie\N_\21783
c:\inangie\N_\22825
c:\inangie\N_\23210
c:\inangie\N_\23338
c:\inangie\N_\25067
c:\inangie\N_\25405
c:\inangie\N_\27811
c:\inangie\N_\28715
c:\inangie\N_\31546
c:\inangie\N_\607
c:\inangie\N_\7827
c:\inangie\N_\8162
c:\inangie\N_\9447
c:\inangie\N_\cfdummy00
c:\inangie\N_\CmdLine00
c:\inangie\ncmd.com
c:\inangie\ND_.bat
c:\inangie\ndis_combofix.dat
c:\inangie\NetHood.folder.dat
c:\inangie\netsvc.bad.dat
c:\inangie\netsvc.dat
c:\inangie\NetworkService.dat
c:\inangie\NirCmd.cfxxe
c:\inangie\NircmdB.exe
c:\inangie\NirCmdC.cfxxe
c:\inangie\NlsLanguageDefault
c:\inangie\notifykeys.dat
c:\inangie\notifykeysB.dat
c:\inangie\NT-OS.cmd
c:\inangie\nt-osSvcDump00
c:\inangie\NULL
c:\inangie\OsId.txt
c:\inangie\OSid.vbs
c:\inangie\OsVer
c:\inangie\pausep.cfxxe
c:\inangie\pend.txt
c:\inangie\Personal.folder.dat
c:\inangie\PEV.cfxxe
c:\inangie\pev.exe
c:\inangie\Pictures.folder.dat
c:\inangie\PING.cfxxe
c:\inangie\Policies.dat
c:\inangie\powp.dat
c:\inangie\PreDIR
c:\inangie\Prep.inf
c:\inangie\PrintHood.folder.dat
c:\inangie\Profiles.Folder.dat
c:\inangie\Profiles.Folder.folder.dat
c:\inangie\progfile.dat
c:\inangie\Programs.folder.dat
c:\inangie\Purity.dat
c:\inangie\pv.com
c:\inangie\RCLink.dat
c:\inangie\RcVer00
c:\inangie\Recent.folder.dat
c:\inangie\REGDACL.sed
c:\inangie\RegDo.sed
c:\inangie\region.dat
c:\inangie\RegScan.cmd
c:\inangie\RegScan64.cmd
c:\inangie\REGT.cfxxe
c:\inangie\Resident.txt
c:\inangie\restore_pt.dat
c:\inangie\restore_pt.vbs
c:\inangie\Rkey.cmd
c:\inangie\rogues.dat
c:\inangie\ROUTE.cfxxe
c:\inangie\run.sed
c:\inangie\run2.sed
c:\inangie\Rust.str
c:\inangie\s0rt.cfxxe
c:\inangie\safeboot.dat
c:\inangie\safeboot.def.dat
c:\inangie\sed.cfxxe
c:\inangie\SendTo.folder.dat
c:\inangie\SetEnvmt.bat
c:\inangie\SetPath.bat
c:\inangie\setpath.cfxxe
c:\inangie\SF.exe
c:\inangie\sfx.cmd
c:\inangie\SnapShot.cmd
c:\inangie\SRestore.cmd
c:\inangie\srizbi.md5
c:\inangie\Start_dat
c:\inangie\StartMenu.folder.dat
c:\inangie\StartUp.folder.dat
c:\inangie\SuppScan.cmd
c:\inangie\svc_wht.dat
c:\inangie\SvcDrv.vbs
c:\inangie\svchost.dat
c:\inangie\SWREG.cfxxe
c:\inangie\swreg.exe
c:\inangie\swsc.cfxxe
c:\inangie\swxcacls.cfxxe
c:\inangie\SysPath.dat
c:\inangie\system_ini.dat
c:\inangie\tail.cfxxe
c:\inangie\Temp.dat
c:\inangie\Templates.folder.dat
c:\inangie\toolbar.sed
c:\inangie\unhand.dat
c:\inangie\Update-CF.cmd
c:\inangie\v_wht.dat
c:\inangie\VerCF.bat
c:\inangie\version.txt
c:\inangie\VikPev00
c:\inangie\Vikpev01
c:\inangie\VInfo
c:\inangie\VInfo2
c:\inangie\Vipev.dat
c:\inangie\ViPev00
c:\inangie\ViPev01
c:\inangie\Vista.krl
c:\inangie\Vista.mac
c:\inangie\vistaMcode.dat
c:\inangie\vistareg.dat
c:\inangie\vRun_DLL
c:\inangie\vun.dat
c:\inangie\vundonames.dat
c:\inangie\VwinTemp.dacl
c:\inangie\w_sock.dll
c:\inangie\w7Mcode.dat
c:\inangie\whiteAll.dat
c:\inangie\whitedir.dat
c:\inangie\whitedirCreated.dat
c:\inangie\Wmi_rem.vbs
c:\inangie\xpmcode.dat
c:\inangie\XPSBoot.reg
c:\inangie\zDomain.dat
c:\inangie\zhsvc.dat
c:\inangie\zip.cfxxe
c:\inangie\Zlob01
c:\windows\hellow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CPUZ130
-------\Service_cpuz130
-------\Service_DFBCFDBA


((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
.

2010-10-16 08:51 . 2010-10-16 11:05 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-10-16 08:51 . 2010-10-16 08:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-16 08:51 . 2010-10-16 08:51 -------- d-----w- c:\users\Angie\AppData\Local\temp
2010-10-15 15:14 . 2010-10-15 15:14 -------- d-----w- C:\_OTL
2010-10-14 18:56 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-14 18:55 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 18:51 . 2010-08-31 15:46 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-10-14 18:51 . 2010-08-31 15:46 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-10-14 18:41 . 2010-10-14 19:04 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-14 18:29 . 2010-10-14 18:35 -------- d-----w- C:\ComboFix
2010-10-14 18:20 . 2010-10-14 18:22 -------- d-----w- C:\hi
2010-10-14 16:22 . 2010-10-16 08:38 -------- d-----w- c:\windows\maxdrive
2010-10-13 11:23 . 2010-10-13 11:23 -------- d-----w- c:\users\Administrator\AppData\Local\Threat Expert
2010-10-12 22:27 . 2010-10-12 22:27 -------- d-----w- C:\inangie588i
2010-10-12 11:55 . 2010-10-12 11:56 -------- d-----w- C:\inangie21484i
2010-10-12 11:43 . 2010-10-12 11:45 -------- d-----w- C:\inangie4558i
2010-10-12 11:33 . 2010-10-12 11:34 -------- d-----w- C:\inangie25962i
2010-10-12 11:32 . 2010-10-12 11:32 -------- d-----w- C:\inangie32660i
2010-10-12 02:40 . 2010-10-12 02:42 -------- d-----w- C:\inangie3396i
2010-10-11 11:15 . 2010-10-11 11:15 -------- d-----w- c:\users\Administrator\AppData\Roaming\Tific
2010-10-10 08:27 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-10-10 08:27 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-10-10 08:27 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-10-10 08:27 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-10-10 08:23 . 2010-02-05 13:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-10-10 08:23 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-10-10 08:22 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-10-10 08:22 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-10-10 08:22 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-10-10 08:21 . 2010-10-10 08:28 -------- d-----w- c:\program files\Spyware Doctor
2010-10-10 08:21 . 2010-10-10 08:23 -------- d-----w- c:\program files\Common Files\PC Tools
2010-10-10 08:21 . 2010-10-10 08:21 -------- d-----w- c:\programdata\PC Tools
2010-10-09 18:13 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-09 18:13 . 2010-10-09 18:13 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-09 18:08 . 2010-10-09 18:08 -------- d-----w- c:\users\Administrator\AppData\Local\Sunbelt Software
2010-10-09 18:06 . 2010-10-09 18:06 -------- d-----w- c:\program files\Lavasoft
2010-10-09 17:58 . 2010-10-09 18:07 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-09 17:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-09 17:54 . 2010-10-15 15:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-09 17:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 05:55 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACBEA7B4-965F-4371-8237-866EEDA80593}\mpengine.dll
2010-10-08 02:12 . 2010-10-08 02:12 -------- d-----w- c:\users\Public\iPod Photo Cache
2010-09-28 22:42 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-24 06:03 . 2010-09-28 01:49 -------- d-----w- c:\windows\system32\drivers\NIS\1108000.005

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2007-07-31 21:33 1391640 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2007-07-31 1391640]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-06-18 18:01 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-06-18 18:01 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-01-13 03:36 827392 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2007-04-10 21:46 709992 ----a-w- c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-10-09 1357464]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-05 24576]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2009-10-29 1074568]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-05-19 721904]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [2010-08-31 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101008.002\IDSvix86.sys [2010-09-15 353840]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1108000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-10-16 c:\windows\Tasks\User_Feed_Synchronization-{97767A3F-D816-4CA0-ADF9-0C53DBF06862}.job
- c:\windows\system32\msfeedssync.exe [2008-09-11 07:33]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ijwv0jbo.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n*e*t*@*^yGYechV\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*P*i*e*c*e*wmʌs\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="txtfile"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wps\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\winword.exe"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-NW[U^#WW]N2m[]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3347607031-721071281-896682233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-NW[U^#WW]N2m[\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-10-16 07:09:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-16 11:09
ComboFix2.txt 2010-10-14 19:34

Pre-Run: 19,093,323,776 bytes free
Post-Run: 18,895,716,352 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 57F9EE1C76E36ED01CFBA67C3D85EF8F
Upload was successful


And now I'm going to proceed to step 4.

#65 inangie (New Member, 44 posts)

Posted 16 October 2010 - 06:28 AM

I finished step 4 and now should I go back to step 1 and run the file scan for cpuz_x32.sys?

#66 heir (True Member, Experts, 295 posts)

Posted 16 October 2010 - 06:32 AM

I finished step 4 and now should I go back to step 1 and run the file scan for cpuz_x32.sys?


Could you please scan all the files again and, if needed, choose Rescan.

And post the links in this topic.



#67 inangie (New Member, 44 posts)

Posted 16 October 2010 - 07:10 AM

Could you please scan all the files again and, if needed, choose Rescan.

And post the links in this topic.


Here are the links to the file scans from step 1:

vbma92a1.sys
http://virscan.org/r...76e024b855.html

tsk0000.dta
http://virscan.org/r...f4d3d32a17.html


But an error message came up when I tried to upload cpuz_x32.sys to scan; the message is "ERROR: Can't find upload file!" I then pressed the Browse button on virscan.org to see the location of the file, but when I looked in C:\Users\Angie\AppData\Local\Temp\ there was no file in the Temp folder, so I can't scan that file.

#68 heir (True Member, Experts, 295 posts)

Posted 18 October 2010 - 04:02 PM

Thanks!

Sorry about the delay.

Step 0.
Folders to delete:


Please delete these folders.

C:\ComboFix
C:\hi13234h
C:\inangie588i
C:\inangie21484i
C:\inangie4558i
C:\inangie25962i
C:\inangie32660i
C:\inangie3396i


Step 1.
Clean temp locations:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Step 2.
Scan with MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 3.
Scan with Kaspersky Online Scanner:

Please do an online scan with Kaspersky Online Scanner

Kaspersky Online Scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 22.
  • Click the JDK 6 Update 22 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u22-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u22-windows-i586.exe and select "Run as an Administrator.")

Step 4.
Things I would like to see in your reply:

  • The content of the report from MBAM from Step 2.
  • The content of the report from Kaspersky Online Scanner from Step 3.
  • Information on how your computer is running.



#69 inangie (New Member, 44 posts)

Posted 19 October 2010 - 05:19 AM

I ran the scan with MBAM but it didn't find anything. This makes me feel weird; is this normal?
Here is the log of MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4877

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

10/18/2010 11:38:09 PM
mbam-log-2010-10-18 (23-38-09).txt

Scan type: Quick scan
Objects scanned: 149330
Time elapsed: 9 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#70 inangie (New Member, 44 posts)

Posted 19 October 2010 - 05:21 AM

Here is the scan log of Kaspersky Online Scanner:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 19, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 19, 2010 01:32:02
Records in database: 4185997
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 166541
Threats found: 3
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 03:33:14


File name / Threat / Threats count
C:\Qoobox\Quarantine\[4]-Submit_2010-10-16_04.38.44.zip Infected: Rootkit.Win32.Agent.bjqb 1
C:\SwSetup\HPGame\games\wheeloffortune-setup.exe Infected: Trojan-Mailfinder.Win32.Blen.ys 1
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0000\svc0000\tsk0000.dta Infected: Rootkit.Win32.Agent.bjqb 1
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0001\svc0000\tsk0000.dta Infected: Rootkit.Win32.Agent.bjqb 1
C:\TDSSKiller_Quarantine\14.10.2010_14.52.30\susp0000\svc0000\tsk0000.dta Infected: Rootkit.Win32.Agent.bjqb 1
C:\Users\Administrator\Desktop\Files_for_submission.zip Infected: Rootkit.Win32.Agent.bjqb 4
C:\Users\Administrator\Saved Games\Gang Garrison 2\Gang Garrison 2.exe Infected: Constructor.Win32.IDL.ev 1
C:\Windows\maxdrive\vbma92a1.sys Infected: Rootkit.Win32.Agent.bjqb 1

Selected area has been scanned.

#71 heir (True Member, Experts, 295 posts)

Posted 19 October 2010 - 06:30 AM

I ran the scan with MBAM but it didn't find anything. This makes me feel weird; is this normal?

If you are running the latest update then that's good.
There is never only one product or tool that finds everything. We've run some tools here and they find different things. A good combination is what's needed.

Kaspersky found some.

C:\SwSetup\HPGame\games\wheeloffortune-setup.exe Infected: Trojan-Mailfinder.Win32.Blen.ys 1
C:\Users\Administrator\Saved Games\Gang Garrison 2\Gang Garrison 2.exe Infected: Constructor.Win32.IDL.ev 1

The rest is quarantined objects.

We'll remove those here.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\SwSetup\HPGame\games\wheeloffortune-setup.exe
    C:\TDSSKiller_Quarantine
    C:\Users\Administrator\Desktop\Files_for_submission.zip
    C:\Users\Administrator\Saved Games\Gang Garrison 2\Gang Garrison 2.exe
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog



How is your computer running now ?

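The triage heir does by hand in the post above, as an added example (not code from the thread, from heir, or from any of the tools named in it): parse the Kaspersky report lines from post #70, separate live files from copies already sitting in a quarantine container, cross-check the parsed lines against the report's own totals, and emit the OTL :Files block. The container-to-tool mapping and the decision to treat C:\Windows\maxdrive as tool-held are my reading of "The rest is quarantined objects", not something the thread states explicitly.

```python
"""Triage of a Kaspersky Online Scanner 7.0 report, as done by hand in post #71.

Added example, not code from the thread or from any tool named in it. The sample
lines are the eight detections from post #70; the container-to-tool mapping and
the treatment of C:\\Windows\\maxdrive as tool-held are assumptions (my reading
of "The rest is quarantined objects")."""
import re
from typing import NamedTuple


class Detection(NamedTuple):
    path: str
    threat: str
    count: int
    disposition: str  # "live", "submission" or "quarantine: <tool that owns it>"


# Report line shape: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Containers holding copies an earlier tool already neutralised. Value:
# (step that disposes of the container, OTL :Files target or None if another
# tool's own uninstall removes it).
QUARANTINE_CONTAINERS = {
    "c:\\qoobox\\quarantine\\": ("ComboFix /Uninstall", None),
    "c:\\tdsskiller_quarantine\\": ("OTL :Files on the folder root", "C:\\TDSSKiller_Quarantine"),
    "c:\\windows\\maxdrive\\": ("maxlook -cleanup", None),  # assumption, see docstring
}
# Archive the user built for upload; it holds samples, so it is deleted outright.
SUBMISSION_ARCHIVE = "files_for_submission.zip"

# Constructed sample input: the detection table from the Kaspersky report in post #70.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\[4]-Submit_2010-10-16_04.38.44.zip Infected: Rootkit.Win32.Agent.bjqb 1
C:\SwSetup\HPGame\games\wheeloffortune-setup.exe Infected: Trojan-Mailfinder.Win32.Blen.ys 1
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0000\svc0000\tsk0000.dta Infected: Rootkit.Win32.Agent.bjqb 1
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0001\svc0000\tsk0000.dta Infected: Rootkit.Win32.Agent.bjqb 1
C:\TDSSKiller_Quarantine\14.10.2010_14.52.30\susp0000\svc0000\tsk0000.dta Infected: Rootkit.Win32.Agent.bjqb 1
C:\Users\Administrator\Desktop\Files_for_submission.zip Infected: Rootkit.Win32.Agent.bjqb 4
C:\Users\Administrator\Saved Games\Gang Garrison 2\Gang Garrison 2.exe Infected: Constructor.Win32.IDL.ev 1
C:\Windows\maxdrive\vbma92a1.sys Infected: Rootkit.Win32.Agent.bjqb 1

Selected area has been scanned.
"""


def classify(path: str) -> str:
    """Decide whether a detection is a live file or a copy a tool already holds."""
    low = path.lower()
    for prefix, (owner, _target) in QUARANTINE_CONTAINERS.items():
        if low.startswith(prefix):
            return f"quarantine: {owner}"
    if low.endswith(SUBMISSION_ARCHIVE):
        return "submission"
    return "live"


def parse_report(text: str) -> list:
    """Extract every '<path> Infected: <threat> <n>' line; header and footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"]), classify(m["path"])))
    return found


def summary(dets: list) -> dict:
    """Totals to cross-check against the report's own 'Scan statistics' block."""
    return {
        "objects": sum(d.count for d in dets),      # report: 'Infected objects found: 11'
        "threats": len({d.threat for d in dets}),   # report: 'Threats found: 3'
        "live": sum(1 for d in dets if d.disposition == "live"),
    }


def build_otl_fix(dets: list) -> str:
    """Emit the OTL ':Files' block: live files and the submission archive by full path,
    a quarantine folder by its root; containers another tool uninstalls are omitted."""
    targets = set()
    for d in dets:
        if d.disposition in ("live", "submission"):
            targets.add(d.path)
        else:
            for prefix, (_owner, target) in QUARANTINE_CONTAINERS.items():
                if target and d.path.lower().startswith(prefix):
                    targets.add(target)
    return "\n".join([":Files", *sorted(targets, key=str.lower)])


if __name__ == "__main__":
    detections = parse_report(SAMPLE_REPORT)
    for d in detections:
        print(f"{d.disposition:42} {d.threat:32} {d.path}")
    print(summary(detections))
    print(build_otl_fix(detections))
```

Run against the sample, the only two live detections are the HP game installer and Gang Garrison 2.exe, and the generated :Files block is the same four-line list heir posted.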


#72 inangie (New Member, 44 posts)

Posted 19 October 2010 - 06:56 AM

Here is the log of OTL:

========== FILES ==========
C:\SwSetup\HPGame\games\wheeloffortune-setup.exe moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.52.30\susp0000\svc0000 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.52.30\susp0000 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.52.30 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0001\svc0000 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0001 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0000\svc0000 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52\susp0000 folder moved successfully.
C:\TDSSKiller_Quarantine\14.10.2010_14.40.52 folder moved successfully.
C:\TDSSKiller_Quarantine folder moved successfully.
C:\Users\Administrator\Desktop\Files_for_submission.zip moved successfully.
C:\Users\Administrator\Saved Games\Gang Garrison 2\Gang Garrison 2.exe moved successfully.

OTL by OldTimer - Version 3.2.15.2 log created on 10192010_073733


I think my computer is running OK now; there are no more false warnings from the fake Antivirus 2010. But I restarted AVG Anti-Virus and attempted to run a whole computer scan, and it will not scan anything. Should I try to reinstall it, or uninstall it and look for another antivirus program to scan my computer and get protected?

#73 heir (True Member, Experts, 295 posts)

Posted 19 October 2010 - 07:36 AM

I think my computer is running OK now; there are no more false warnings from the fake Antivirus 2010. But I restarted AVG Anti-Virus and attempted to run a whole computer scan, and it will not scan anything. Should I try to reinstall it, or uninstall it and look for another antivirus program to scan my computer and get protected?

That's your decision.

This can be used in case you have problems removing/reinstalling AVG.




Hey there, inangie !

OK! Well done, your log is clean again! :) :)

Time for some housekeeping.

Step 1.
Clean up:

First:
The first thing we need to do is remove all the tools that you have used. This is so that, should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.


  • Click START then RUN
  • Now type maxlook -cleanup in the runbox and click OK. Note the space between the k and the -c, it needs to be there.

Delete maxlook.exe from your desktop
Delete Rootkit Unhooker and its logs from your desktop

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.



Double-click OTL.exe to start it.
Click the Clean up button
Click Yes to the reboot.

Now delete any tools/logs that are left over after you ran OTL Clean up.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com.../readstep2.html

Remove the older versions and install the latest.


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti-Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
Fifth:
On to personal Anti Virus programs.

One AV is a must-have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AVs below which are as good as any paid-subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
Sixth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are, however, a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!



#74 inangie (New Member, 44 posts)

Posted 19 October 2010 - 02:09 PM

Thank you so much! :) Also thanks for your recommendations on the antispyware and antivirus programs above.
I still have a question though. In step 1, when I opened Run and typed "maxlook -cleanup" or "Combofix /Uninstall", an error message came up and said, "Windows cannot find 'maxlook (or ComboFix)'. Make sure you typed the name correctly, and then try again." Is it alright?

#75 heir (True Member, Experts, 295 posts)

Posted 19 October 2010 - 02:17 PM

No that's not alright.

Use these two lines instead:

"%userprofile%\Desktop\maxlook" -cleanup

"%userprofile%\Desktop\hi.exe" /Uninstall


Note! It is important that the steps inside step 1 are done in order.
If you've done OTL Cleanup, you won't be able to do Combofix /Uninstall.

Let me know if the two above lines worked.



#76 inangie (New Member, 44 posts)

Posted 19 October 2010 - 02:31 PM

OK, both of them worked: maxlook opened a window and said it's cleaned up, and Combofix said it's uninstalled. So now I'm going to progress to the rest. Thank you. :)

#77 inangie (New Member, 44 posts)

Posted 19 October 2010 - 02:38 PM

Alright, I have finished step 1, and I will consider your recommendations in step 2. Thank you for helping me so much. I really appreciate it. :)

#78 heir (True Member, Experts, 295 posts)

Posted 25 October 2010 - 12:59 AM

You're welcome!



#79 LDTate (Forum Deity, Moderators, 21,126 posts, Male, Missouri, USA)

Posted 25 October 2010 - 07:04 AM

Since this issue is resolved, I will close the thread to prevent others from posting here. If you need assistance, please start your own topic and someone will be happy to assist you.
Larry Tate
Product Support
