Jticks (Members, 14 posts)

Everything posted by Jticks

  1. Thanks again for all your help. I implemented most of your suggestions; however, I wasn't able to complete your first recommendation. I tried the run with and without a space... no luck. Yes, Thanksgiving was nice, and I hope you have a strong finish to 2009. Take care, JP
  2. Thanks again; hope you had a nice Thanksgiving. I ran the removal program as instructed and the log is below. JP

     All processes killed
     ========== PROCESSES ==========
     No active process named explorer.exe was found!
     ========== FILES ==========
     File/Folder C:\WINDOWS\system32\mswunjernm.dll not found.
     C:\Program Files\Common Files\wkkz\wkkzd folder moved successfully.
     C:\Program Files\Common Files\wkkz folder moved successfully.
     File/Folder C:\Documents and Settings\HelpAssistant.JONATHANWG1.001\Local Settings\Temp\Av-test.txt not found.
     ========== COMMANDS ==========
     [EMPTYTEMP]
     User: Administrator
     ->Temporary Internet Files folder emptied: 0 bytes
     User: All Users
     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     User: ellen
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     User: HelpAssistant
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 0 bytes
     User: HelpAssistant.JONATHANWG1
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 0 bytes
     User: HelpAssistant.JONATHANWG1.000
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 0 bytes
     User: HelpAssistant.JONATHANWG1.001
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 0 bytes
     User: Jonathan
     ->Temp folder emptied: 6219962 bytes
     ->Temporary Internet Files folder emptied: 9731845 bytes
     ->Java cache emptied: 13898531 bytes
     ->FireFox cache emptied: 95902703 bytes
     User: LocalService
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 33170 bytes
     User: NetworkService
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     Windows Temp folder emptied: 0 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
     RecycleBin emptied: 11632624 bytes
     Total Files Cleaned = 131.05 mb
     OTM by OldTimer - Version 3.1.2.0 log created on 11292009_094137
     Files moved on Reboot...
     Registry entries deleted on Reboot...
  3. It appears to be running fine to me. I think the virus has been eliminated, thanks to you. I sure appreciate it. I noticed in the log that there were a lot of processes running. Is that normal? Thanks again, and don't eat too much turkey! JP
  4. Thanks again. I removed all the items as instructed except Java 6 Update 13. I got this error message each time I tried it (4X): "Error 1606. Could not access network location". Then I installed the current Java with the link.
  5. Thanks again for the continued help. Have a great Thanksgiving. JP The 2 logs are below:

     Logfile of random's system information tool 1.06 (written by random/random)
     Run by Jonathan at 2009-11-25 17:20:17
     Microsoft Windows XP Professional Service Pack 2
     System drive C: has 82 GB (72%) free of 114 GB
     Total RAM: 1023 MB (62% free)

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 5:20:21 PM, on 11/25/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16876)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     C:\WINDOWS\eHome\ehRecvr.exe
     C:\WINDOWS\eHome\ehSched.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\WINDOWS\system32\HPZipm12.exe
     C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\dllhost.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Documents and Settings\Jonathan\My Documents\Downloads\RSIT.exe
     C:\Program Files\Trend Micro\HijackThis\Jonathan.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.rbc.org/odb/odb.shtml
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://espn.go.com/motion/detect.html
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
     O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O17 - HKLM\System\CCS\Services\Tcpip\..\{570E0C3D-F910-4546-B892-A911C90EDDEA}: NameServer = 83.149.115.182
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     O23 - Service: WLANKEEPER - Intel
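The HijackThis listing in the post above is the kind of output a helper reads line by line. As an added example (not part of this thread, and neither HijackThis's own logic nor the helper's procedure), the Python below parses a few lines in that format and flags the three things a reviewer checks first: an O17 NameServer that is a public address rather than a router or ISP-assigned resolver (the log's 83.149.115.182 is one to verify against what the Comcast connection actually hands out via DHCP), an O4 autostart launched from outside Program Files or system32, and an O23 service HijackThis cannot attribute to a publisher. The sample lines are constructed for this example: the O17, QuickTime/ctfmon O4 and O23 lines are copied from the log above, while the all-zero GUID line and the "forsinit" O4 line are mine ("forsinit" = c:\windows\sprscore.exe appears in the ComboFix Run-key listing further down the page, not in the HijackThis output). A hit is a prompt to look, not a verdict: Symantec Core LC, for instance, is a Norton licensing component that simply lacks publisher metadata.

```python
import ipaddress
import re

# Constructed sample in HijackThis v2 line format. The O17 (570E0C3D...), the
# QuickTime/ctfmon O4 lines and both O23 lines are copied from the log above;
# the all-zero GUID O17 line (private, DHCP-style resolvers) and the "forsinit"
# O4 line are constructed for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [forsinit] C:\WINDOWS\sprscore.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{570E0C3D-F910-4546-B892-A911C90EDDEA}: NameServer = 83.149.115.182
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([0-9.,]+)")

# Directories where autostart binaries are expected on an XP box; anything
# launched from elsewhere (Windows root, Temp, a profile directory) gets a look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")


def parse_entries(log):
    """Yield (section, payload) for every HijackThis entry line, skipping headers."""
    for line in log.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def autostart_path(payload):
    """Executable path from an O4 payload: [name] "quoted path" args  |  [name] bare path."""
    value = payload.split("]", 1)[1].strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def is_local_dns(ip):
    """True for RFC 1918, loopback and link-local resolvers (a home router or DHCP-assigned)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def triage(log, expected_dns=frozenset()):
    """Return (section, reason, detail) tuples that need a human decision.

    expected_dns: resolver addresses the ISP really hands out; collect them with
    `ipconfig /all` on a known-good machine on the same connection.
    """
    findings = []
    for section, payload in parse_entries(log):
        if section == "O17":
            match = NAMESERVER_RE.search(payload)
            if not match:
                continue
            for ip in match.group(1).split(","):
                if ip not in expected_dns and not is_local_dns(ip):
                    findings.append((section, "NameServer is a public address not handed out by the ISP", ip))
        elif section == "O4":
            path = autostart_path(payload)
            if not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append((section, "autostart binary outside Program Files / system32", path))
        elif section == "O23" and " - Unknown owner - " in payload:
            findings.append((section, "service binary carries no publisher name", payload.rsplit(" - ", 1)[1]))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Passing the resolvers the ISP actually assigns as `expected_dns` is what turns the O17 check from "public address" into "public address nobody configured"; without that comparison a legitimate third-party resolver would be flagged too.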
  6. Thanks again for your help and for staying with me on this problem.

     C:\Documents and Settings\HelpAssistant.JONATHANWG1.001\Local Settings\Temp\Av-test.txt  Eicar test file
     C:\Program Files\Common Files\wkkz\wkkzd\vocabulary  Win32/TrojanDownloader.TSUpdate.J trojan
     C:\Qoobox\Quarantine\C\WINDOWS\Sm9uYXRoYW4gUGFnZQ\mA6RsrlCsqb0o3IBtk.vbs.vir  Win32/Adware.ISearch application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\kozeyizu.dll.tmp.vir  a variant of Win32/Adware.Virtumonde.NDN application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\sawuzowu(2).dll.vir  a variant of Win32/Kryptik.AYZ trojan
     C:\Qoobox\Quarantine\C\WINDOWS\system32\tinuhagu.dll.tmp.vir  a variant of Win32/Adware.Virtumonde.NDN application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\vogekomu.dll.tmp.vir  a variant of Win32/Adware.SuperJuan.J application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\worayewu.dll.tmp.vir  a variant of Win32/Adware.SuperJuan.J application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\wotunivo.dll.tmp.vir  a variant of Win32/Adware.Virtumonde.NDN application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\yapafeju.dll.tmp.vir  a variant of Win32/Adware.SuperJuan.J application
     C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir  Win32/Olmarik.OF virus
     C:\Qoobox\Quarantine\C\WINDOWS\system32\ki3\RI2ES6i.exe.vir  Win32/Agent.ASJZ trojan
     C:\System Volume Information\_restore{D848CFCE-F935-4410-8A16-D10F24ED38D7}\RP1\A0001199.vbs  Win32/Adware.ISearch application
     C:\WINDOWS\system32\mswunjernm.dll  probably a variant of Win32/Spy.KeyLogger trojan
  7. Thanks again. I ran the RR and below is the log. JP

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time: 2009/11/23 09:38
     Program Version: Version 1.3.5.0
     Windows Version: Windows XP Media Center Edition SP2
     ==================================================

     Drivers
     -------------------
     Name: rootrepeal.sys
     Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
     Address: 0xF6C69000
     Size: 49152
     File Visible: No
     Signed: -
     Status: -

     ==EOF==
  8. Thanks again for your help. Below is the log:

     Running from: C:\Documents and Settings\Jonathan\Desktop\Win32kDiag.exe
     Log file at : C:\Documents and Settings\Jonathan\Desktop\Win32kDiag.txt
     WARNING: Could not get backup privileges!
     Searching 'C:\WINDOWS'...
     Finished!
  9. Thanks again for your patience and help. I followed both your instructions and ran MB. MB didn't detect any virus. I then tried to open a Gmail account through Firefox and got a 404 Not Found message (the internet has always worked fine). I then tried to use the restore feature in Tools and got frozen out from picking ANY restore dates (none were available; however, I used 2 earlier dates less than 12 hours ago). When I first got the MB "virus found and undeletable" result I tried to restore to an earlier date and got the "administrator block restore function" message. I have posted the log from MB. Is there any other suggestion that you could offer? Thanks. JP

     Malwarebytes' Anti-Malware 1.41
     Database version: 2775
     Windows 5.1.2600 Service Pack 2

     11/22/2009 6:06:06 PM
     mbam-log-2009-11-22 (18-06-06).txt

     Scan type: Quick Scan
     Objects scanned: 126929
     Time elapsed: 6 minute(s), 13 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  10. Sorry for my ineptness. Thanks again for staying with/helping me. I followed the directions per your last post and here are the two logs.

     ---------
     ComboFix 09-11-22.02 - Jonathan 11/22/2009 16:29.6.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.550 [GMT -6:00]
     Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Jonathan\Desktop\CFScript.txt
     FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Jonathan\Application Data\IObit
     c:\documents and settings\Jonathan\Application Data\IObit\Advanced SystemCare\Fav.ico
     c:\documents and settings\Jonathan\Application Data\IObit\Advanced SystemCare\Ignore.ini
     c:\documents and settings\Jonathan\Application Data\IObit\Advanced SystemCare\Main.ini
     c:\windows\Sm9uYXRoYW4gUGFnZQ
     c:\windows\Sm9uYXRoYW4gUGFnZQ\command.exe
     c:\windows\Sm9uYXRoYW4gUGFnZQ\mA6RsrlCsqb0o3IBtk.vbs
     .
     ((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
     .
     2009-11-22 22:29 . 2004-08-10 11:00 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
     2009-11-22 22:29 . 2004-08-10 11:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
     2009-11-22 14:26 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-22 14:26 . 2009-11-22 14:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-22 14:26 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-11-21 05:43 . 2009-11-21 05:43 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\Temp
     2009-11-21 05:38 . 2009-10-26 12:26 72080 ----a-w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\g2mdlhlpx.exe
     2009-11-21 05:38 . 2009-11-21 05:38 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\Dr Delete
     2009-11-21 05:38 . 2009-11-21 05:38 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\DoctorWeb
     2009-11-21 05:34 . 2009-11-22 12:28 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\.housecall6.6
     2009-11-21 05:34 . 2009-11-22 22:23 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001
     2009-11-21 05:31 . 2009-11-21 05:31 -------- d-----w- c:\windows\system32\wbem\Repository
     2009-11-20 20:26 . 2009-11-22 12:32 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\UserData
     2009-11-20 20:26 . 2009-11-20 20:26 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\Temp
     2009-11-20 20:22 . 2009-11-20 20:22 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\Dr Delete
     2009-11-20 20:22 . 2009-11-20 20:22 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\DoctorWeb
     2009-11-20 20:19 . 2009-11-22 12:29 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\.housecall6.6
     2009-11-20 20:19 . 2009-11-22 12:32 -------- d-s---w- c:\documents and settings\HelpAssistant.JONATHANWG1.000
     2009-11-20 19:15 . 2009-11-22 12:32 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\UserData
     2009-11-20 19:15 . 2009-11-20 19:15 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\Temp
     2009-11-20 19:07 . 2009-11-20 19:07 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\Dr Delete
     2009-11-20 19:07 . 2009-11-20 19:07 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\DoctorWeb
     2009-11-20 19:03 . 2009-11-22 12:31 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\.housecall6.6
     2009-11-20 19:03 . 2009-11-22 12:32 -------- d-s---w- c:\documents and settings\HelpAssistant.JONATHANWG1
     2009-11-20 19:00 . 2009-11-22 12:31 -------- d-----w- c:\documents and settings\HelpAssistant\My Documents(2)
     2009-11-20 18:56 . 2009-11-20 18:56 -------- d-----w- c:\documents and settings\HelpAssistant\Dr Delete
     2009-11-20 18:56 . 2009-11-20 18:56 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
     2009-11-20 18:51 . 2009-11-22 12:31 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
     2009-11-20 18:51 . 2009-11-22 12:32 -------- d-s---w- c:\documents and settings\HelpAssistant
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-11-22 21:39 . 2009-05-29 11:55 -------- d-----w- c:\program files\TweakNow RegCleaner
     2009-11-22 12:39 . 2009-11-22 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
     2009-11-22 12:30 . 2009-09-17 11:18 -------- d-----w- c:\program files\ffdshow
     2009-11-22 12:27 . 2007-01-25 02:46 -------- d-----w- c:\program files\Microsoft ActiveSync
     2009-11-22 12:07 . 2009-11-22 12:07 -------- d-----w- c:\program files\IObit
     2009-11-21 05:53 . 2008-10-20 18:16 -------- d-----w- c:\program files\Common Files\Apple
     2009-10-30 20:26 . 2007-09-09 04:16 38400 ----a-w- c:\windows\system32\hpz3l054.dll
     2009-10-26 12:26 . 2007-05-06 11:03 72080 ----a-w- c:\documents and settings\Jonathan\g2mdlhlpx.exe
     2009-10-08 12:52 . 2008-07-08 21:48 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Skype
     2009-10-08 12:47 . 2008-07-08 21:49 -------- d-----w- c:\documents and settings\Jonathan\Application Data\skypePM
     2009-10-06 02:39 . 2009-10-06 02:39 -------- d-----w- c:\program files\CCleaner
     2009-09-02 20:38 . 2009-09-02 20:37 1924440 ----a-w- c:\documents and settings\Jonathan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
     2009-08-31 13:41 . 2009-08-31 13:41 152576 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
     .
     ((((((((((((((((((((((((((((( SnapShot@2009-11-22_18.56.57 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-11-22 22:23 . 2009-11-22 22:23 16384 c:\windows\Temp\Perflib_Perfdata_884.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
     "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
     "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
     "forsinit"="c:\windows\sprscore.exe" [2007-04-22 724992]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-23 185872]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
     2005-07-23 06:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\eSignal\\winros.exe"=
     "c:\\Program Files\\OEC\\Trader\\Trader.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:Remote Desktop

     S1 drmkaudd;drmkaudd;c:\windows\system32\drivers\drmkaudd.sys --> c:\windows\system32\drivers\drmkaudd.sys [?]
     S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [6/23/2007 8:21 AM 27392]
     S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [6/23/2007 8:21 AM 41728]
     S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [6/23/2007 8:21 AM 39808]
     S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [6/23/2007 8:21 AM 5888]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - CLASSPNP_2
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-22 c:\windows\Tasks\User_Feed_Synchronization-{B697CC3E-95F1-4D18-9EF7-E05701EF1D2D}.job
     - c:\windows\system32\msfeedssync.exe [2006-10-17 19:58]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = www.rbc.org/odb/odb.shtml
     mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
     uInternet Connection Wizard,ShellNext = hxxp://espn.go.com/motion/detect.html
     uInternet Settings,ProxyOverride = *.local
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     TCP: {570E0C3D-F910-4546-B892-A911C90EDDEA} = 83.149.115.182
     DPF: {43F25BA2-C4AB-4327-924C-1ED6AF4A6BA1} - hxxp://www.webacall.com/activePhone.ocx
     FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\8jesdy4y.default\
     FF - prefs.js: browser.search.selectedEngine - fefoo search
     FF - prefs.js: browser.startup.homepage - hxxp://www.rbc.org/odb/odb.shtml
     FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
     FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
     FF - plugin: c:\program files\QuickTime\Plugins\npatgpc.dll

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
     .
     - - - - ORPHANS REMOVED - - - -

     WebBrowser-{6EDCCE69-14A2-4E9F-826B-DC523B82167E} - (no file)

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-22 16:39
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

     device: opened successfully
     user: MBR read successfully
     called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8690BF30]<<
     kernel: MBR read successfully
     detected MBR rootkit hooks:
     \Driver\Disk -> CLASSPNP.SYS @ 0xf76bffc3
     \Driver\ACPI -> ACPI.sys @ 0xf7532cb8
     \Driver\atapi -> 0x8690bf30
     IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
     ParseProcedure -> ntkrnlpa.exe @ 0x80577896
     \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
     ParseProcedure -> ntkrnlpa.exe @ 0x80577896
     NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x86948480
     PacketIndicateHandler -> NDIS.sys @ 0xf737eb21
     SendHandler -> NDIS.sys @ 0xf735c87b
     Warning: possible MBR rootkit infection !
     copy of MBR has been found in sector 0x0DF8F900
     malicious code @ sector 0x0DF8F903 !
     PE file found in sector at 0x0DF8F919 !
     MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(692)
     c:\windows\system32\Ati2evxx.dll
     c:\program files\Intel\Wireless\Bin\LgNotify.dll
     .
     Completion time: 2009-11-22 16:41
     ComboFix-quarantined-files.txt 2009-11-22 22:41
     ComboFix2.txt 2009-11-22 21:18
     ComboFix3.txt 2009-11-22 19:15

     Pre-Run: 85,170,229,248 bytes free
     Post-Run: 85,131,788,288 bytes free

     - - End Of File - - 409898529B825C3E2474B09196BF4FA6

     --------------------- MBR log

     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

     device: opened successfully
     user: MBR read successfully
     kernel: MBR read successfully
     detected MBR rootkit hooks:
     \Driver\atapi -> 0x868fdf30
     NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x8693a480
     Warning: possible MBR rootkit infection !
     copy of MBR has been found in sector 0x0DF8F900
     malicious code @ sector 0x0DF8F903 !
     PE file found in sector at 0x0DF8F919 !
     MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

     Thanks again
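Both Gmer mbr.exe sections in the post above say the same thing: the user-mode and kernel-mode reads of sector 0 both "succeed", yet \Driver\atapi is hooked by code at an unnamed kernel address, a copy of the MBR sits at sector 0x0DF8F900 (about 120 GB in, i.e. the unpartitioned tail of this 114 GB drive) and a PE file sits a few sectors later. ESET's Win32/Olmarik name for the replaced atapi.sys is its label for the TDSS/TDL family, which parks its components in exactly that kind of location. The Python below is an added example (not Gmer's code, not ComboFix, and not part of this thread) of the heuristic the detector's output describes, run over a constructed 2 MB disk image: parse the partition table, then scan the slack beyond the last partition for a sector that carries sector 0's partition table and boot signature but different code (a relocated original MBR), and for a raw MZ/PE header. The image builders, the LBAs 3500 and 3503, the partition geometry and the byte patterns are all constructed for the example. On a live machine this only means anything when run from outside the infected OS (boot media, or the drive attached to a clean host), because a driver that filters disk I/O can hand back whatever it likes to readers above it; that is why "MBR read successfully" in the log is not evidence of a clean MBR.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
TOTAL_SECTORS = 4096  # constructed 2 MB image


def parse_partitions(mbr):
    """Return (type, lba_start, sector_count) for each non-empty entry of a classic MBR table."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                   # partition type byte
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba_start, count))
    return parts


def partitioned_end(mbr):
    """First LBA past the last partition; everything from here to the end of the disk is slack."""
    parts = parse_partitions(mbr)
    return max(start + count for _, start, count in parts) if parts else 0


def looks_like_mbr_copy(sector, mbr):
    """Boot signature and the same partition table as sector 0, but different boot code."""
    return (sector[510:512] == BOOT_SIG
            and sector[446:510] == mbr[446:510]
            and sector[:446] != mbr[:446])


def looks_like_pe(sector):
    """MZ stub whose e_lfanew points at a PE\\0\\0 signature inside this same sector."""
    if sector[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return e_lfanew + 4 <= SECTOR and sector[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_slack(image):
    """Walk the unpartitioned tail of a raw image and report stashed MBR copies and PE headers."""
    mbr = image[:SECTOR]
    result = {"boot_sig_ok": mbr[510:512] == BOOT_SIG, "mbr_copies": [], "pe_headers": []}
    for lba in range(partitioned_end(mbr), len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_mbr_copy(sector, mbr):
            result["mbr_copies"].append(lba)
        if looks_like_pe(sector):
            result["pe_headers"].append(lba)
    return result


def _clean_mbr():
    """Constructed MBR: a few plausible boot-stub bytes, one active type-0x07 partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"          # not a real loader, just non-zero code
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 3000)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def build_clean_image():
    image = bytearray(TOTAL_SECTORS * SECTOR)
    image[:SECTOR] = _clean_mbr()
    return bytes(image)


def build_infected_image(copy_lba=3500, body_lba=3503):
    """Constructed infection: loader code in sector 0, original MBR and a PE body stashed in slack."""
    original = _clean_mbr()
    image = bytearray(build_clean_image())
    loader = bytearray(original)
    loader[:446] = b"\xeb\xfe" + b"\x90" * 444              # placeholder loader code, table kept intact
    image[:SECTOR] = loader
    image[copy_lba * SECTOR:(copy_lba + 1) * SECTOR] = original
    pe = bytearray(SECTOR)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                  # e_lfanew -> offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    image[body_lba * SECTOR:(body_lba + 1) * SECTOR] = pe
    return bytes(image)


if __name__ == "__main__":
    for name, image in (("clean", build_clean_image()), ("infected", build_infected_image())):
        print(name, scan_slack(image))
```

To use it on a real drive, replace the constructed image with the raw device read from a clean environment (e.g. the first N MB plus the tail after `partitioned_end`); reading the whole disk sector by sector in Python is slow, so in practice only the slack region is scanned, which is exactly the region the log's sector numbers fall in.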
  11. Thank you again for your help. Below is the log file after running ComboFix 2 times. After the first time I could not locate the log file, and it appeared to hang up after 30 min of preparing the log file. The text below is from the 2nd run. Again, thanks for your kind assistance. JP

     -----------------------------------------
     ComboFix 09-11-21.03 - Jonathan 11/22/2009 13:07.2.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.609 [GMT -6:00]
     Running from: E:\ComboFix.exe
     FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     ---- Previous Run -------
     .
     c:\documents and settings\HelpAssistant.JONATHANWG1.001\ntuser.dll
     c:\documents and settings\Jonathan\ntuser.dll
     c:\documents and settings\Jonathan\Start Menu\Programs\Startup\scandisk.dll
     c:\documents and settings\Jonathan\Start Menu\Programs\Startup\scandisk.lnk
     c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
     c:\documents and settings\NetworkService\ntuser.dll
     c:\temp\1cb\syscheck.log
     c:\temp\DIV55\xDb.log
     c:\windows\kb913800.exe
     c:\windows\system32\C\MTK63G.exe
     c:\windows\system32\calc.dll
     c:\windows\system32\config\systemprofile\ntuser.dll
     c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
     c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
     c:\windows\system32\Ijl11.dll
     c:\windows\system32\ki3\RI2ES6i.exe
     c:\windows\system32\kozeyizu.dll.tmp
     c:\windows\system32\sawuzowu(2).dll
     c:\windows\system32\tinuhagu.dll.tmp
     c:\windows\system32\vogekomu.dll.tmp
     c:\windows\system32\worayewu.dll.tmp
     c:\windows\system32\wotunivo.dll.tmp
     c:\windows\system32\yapafeju.dll.tmp
     c:\windows\Temp\2958525059.exe
     c:\windows\Temp\3909931309.exe

     Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
     Restored copy from - Kitty ate it
     .
     ((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
     .
     2009-11-22 19:07 . 2004-08-10 11:00 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
     2009-11-22 19:07 . 2004-08-10 11:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
     2009-11-22 14:26 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-22 14:26 . 2009-11-22 14:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-22 14:26 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-11-22 12:33 . 2009-11-22 12:33 -------- d-----w- c:\documents and settings\Jonathan\Application Data\IObit
     2009-11-21 05:43 . 2009-11-21 05:43 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\Temp
     2009-11-21 05:38 . 2009-10-26 12:26 72080 ----a-w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\g2mdlhlpx.exe
     2009-11-21 05:38 . 2009-11-21 05:38 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\Dr Delete
     2009-11-21 05:38 . 2009-11-21 05:38 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\DoctorWeb
     2009-11-21 05:34 . 2009-11-22 12:28 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001\.housecall6.6
     2009-11-21 05:34 . 2009-11-22 18:57 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.001
     2009-11-21 05:31 . 2009-11-21 05:31 -------- d-----w- c:\windows\system32\wbem\Repository
     2009-11-20 20:26 . 2009-11-22 12:32 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\UserData
     2009-11-20 20:26 . 2009-11-20 20:26 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\Temp
     2009-11-20 20:22 . 2009-11-20 20:22 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\Dr Delete
     2009-11-20 20:22 . 2009-11-20 20:22 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\DoctorWeb
     2009-11-20 20:19 . 2009-11-22 12:29 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1.000\.housecall6.6
     2009-11-20 20:19 . 2009-11-22 12:32 -------- d-s---w- c:\documents and settings\HelpAssistant.JONATHANWG1.000
     2009-11-20 19:15 . 2009-11-22 12:32 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\UserData
     2009-11-20 19:15 . 2009-11-20 19:15 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\Temp
     2009-11-20 19:07 . 2009-11-20 19:07 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\Dr Delete
     2009-11-20 19:07 . 2009-11-20 19:07 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\DoctorWeb
     2009-11-20 19:03 . 2009-11-22 12:31 -------- d-----w- c:\documents and settings\HelpAssistant.JONATHANWG1\.housecall6.6
     2009-11-20 19:03 . 2009-11-22 12:32 -------- d-s---w- c:\documents and settings\HelpAssistant.JONATHANWG1
     2009-11-20 19:00 . 2009-11-22 12:31 -------- d-----w- c:\documents and settings\HelpAssistant\My Documents(2)
     2009-11-20 18:56 . 2009-11-20 18:56 -------- d-----w- c:\documents and settings\HelpAssistant\Dr Delete
     2009-11-20 18:56 . 2009-11-20 18:56 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
     2009-11-20 18:51 . 2009-11-22 12:31 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
     2009-11-20 18:51 . 2009-11-22 12:32 -------- d-s---w- c:\documents and settings\HelpAssistant
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-11-22 12:39 . 2009-11-22 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
     2009-11-22 12:30 . 2009-09-17 11:18 -------- d-----w- c:\program files\ffdshow
     2009-11-22 12:27 . 2007-01-25 02:46 -------- d-----w- c:\program files\Microsoft ActiveSync
     2009-11-22 12:07 . 2009-11-22 12:07 -------- d-----w- c:\program files\IObit
     2009-11-21 05:53 . 2008-10-20 18:16 -------- d-----w- c:\program files\Common Files\Apple
     2009-11-21 05:38 . 2009-11-20 20:23 4904 ----a-w- c:\windows\system32\PerfStringBackup.TMP
     2009-10-30 20:26 . 2007-09-09 04:16 38400 ----a-w- c:\windows\system32\hpz3l054.dll
     2009-10-26 12:26 . 2007-05-06 11:03 72080 ----a-w- c:\documents and settings\Jonathan\g2mdlhlpx.exe
     2009-10-08 12:52 . 2008-07-08 21:48 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Skype
     2009-10-08 12:47 . 2008-07-08 21:49 -------- d-----w- c:\documents and settings\Jonathan\Application Data\skypePM
     2009-10-06 02:39 . 2009-10-06 02:39 -------- d-----w- c:\program files\CCleaner
     2009-09-02 20:38 . 2009-09-02 20:37 1924440 ----a-w- c:\documents and settings\Jonathan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
     2009-08-31 13:41 . 2009-08-31 13:41 152576 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
     2005-08-02 22:58 . 2008-12-08 23:52 293888 --sha-r- c:\windows\Sm9uYXRoYW4gUGFnZQ\command.exe
     2005-07-29 22:24 . 2008-12-08 23:52 472 --sha-r- c:\windows\Sm9uYXRoYW4gUGFnZQ\mA6RsrlCsqb0o3IBtk.vbs
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
     "{6EDCCE69-14A2-4E9F-826B-DC523B82167E}"= "c:\program files\JetBrains\Omea Reader\IexploreOmeaW.dll" [2007-02-02 591360]

     [HKEY_CLASSES_ROOT\clsid\{6edcce69-14a2-4e9f-826b-dc523b82167e}]
     [HKEY_CLASSES_ROOT\IexploreOmea.Band.1]
     [HKEY_CLASSES_ROOT\TypeLib\{633820F7-C04E-4152-B64F-1147B881F998}]
     [HKEY_CLASSES_ROOT\IexploreOmea.Band]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
     "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
     "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
     "forsinit"="c:\windows\sprscore.exe" [2007-04-22 724992]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-23 185872]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
     2005-07-23 06:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\eSignal\\winros.exe"=
     "c:\\Program Files\\OEC\\Trader\\Trader.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:Remote Desktop

     S1 drmkaudd;drmkaudd;c:\windows\system32\drivers\drmkaudd.sys --> c:\windows\system32\drivers\drmkaudd.sys [?]
     S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/22/2009 8:26 AM 38224]
     S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [6/23/2007 8:21 AM 27392]
     S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [6/23/2007 8:21 AM 41728]
     S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [6/23/2007 8:21 AM 39808]
     S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [6/23/2007 8:21 AM 5888]

     --- Other Services/Drivers In Memory ---

     *NewlyCreated* - CLASSPNP_2
     *Deregistered* - CLASSPNP_2
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-22 c:\windows\Tasks\User_Feed_Synchronization-{B697CC3E-95F1-4D18-9EF7-E05701EF1D2D}.job
     - c:\windows\system32\msfeedssync.exe [2006-10-17 19:58]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = www.rbc.org/odb/odb.shtml
     mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
     uInternet Connection Wizard,ShellNext = hxxp://espn.go.com/motion/detect.html
     uInternet Settings,ProxyOverride = *.local
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: Clip and Edit - c:\program files\JetBrains\Omea Reader\IexploreOmeaW.dll/1000
     IE: Clip and Save - c:\program files\JetBrains\Omea Reader\IexploreOmeaW.dll/1001
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Subscribe to Feed - c:\program files\JetBrains\Omea Reader\IexploreOmeaW.dll/1002
     TCP: {570E0C3D-F910-4546-B892-A911C90EDDEA} = 83.149.115.182
     DPF: {43F25BA2-C4AB-4327-924C-1ED6AF4A6BA1} - hxxp://www.webacall.com/activePhone.ocx
     FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\8jesdy4y.default\
     FF - prefs.js: browser.search.selectedEngine - fefoo search
     FF - prefs.js: browser.startup.homepage - hxxp://www.rbc.org/odb/odb.shtml
     FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
     FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
     FF - plugin: c:\program files\QuickTime\Plugins\npatgpc.dll

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
     .
     - - - - ORPHANS REMOVED - - - -

     SharedTaskScheduler-{dd5f4041-9792-4931-887a-8e50946ef28b} - (no file)

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-22 13:13
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...
scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x868FDF30]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf76cafc3 \Driver\ACPI -> ACPI.sys @ 0xf753dcb8 \Driver\atapi -> 0x868fdf30 IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34 ParseProcedure -> ntkrnlpa.exe @ 0x80577896 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34 ParseProcedure -> ntkrnlpa.exe @ 0x80577896 NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x8693a480 PacketIndicateHandler -> NDIS.sys @ 0xf739bb21 SendHandler -> NDIS.sys @ 0xf737987b Warning: possible MBR rootkit infection ! copy of MBR has been found in sector 0x0DF8F900 malicious code @ sector 0x0DF8F903 ! PE file found in sector at 0x0DF8F919 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix. ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(700) c:\windows\system32\Ati2evxx.dll c:\program files\Intel\Wireless\Bin\LgNotify.dll - - - - - - - > 'explorer.exe'(2632) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-11-22 13:15 ComboFix-quarantined-files.txt 2009-11-22 19:15 Pre-Run: 85,255,626,752 bytes free Post-Run: 85,215,498,240 bytes free - - End Of File - - F0347C78AE9BA426F528EEF7D5E254A9
  12. thanks for the reply and help... I cannot REMOVE the items. Once clicked, it freezes.
  13. Thank you in advance for any help - I am stuck and in desperate need of any advice. I am running a Dell Inspiron 9300 laptop with XP. I tried to restore to an earlier date and the virus locked me out with an administrator message. I tried safe mode and it would not let me. I am not a techie but would appreciate any other suggestion to kill the virus located by Mbam. Below is my log. Thanks, JP

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/22/2009 8:49:34 AM
mbam-log-2009-11-22 (08-49-26).txt

Scan type: Quick Scan
Objects scanned: 127174
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\csrss.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Jonathan\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\taskmgr.exe (Trojan.Downloader) -> No action taken.