
I've been hijacked please help



Hello,

I did something very foolish the other night. I downloaded what I thought was an .mp3 that I found through a Google mp3 search. The file was "compressed" with an irar format. So the file I downloaded was artist name - song title.mp3.irar. I then googled around a bit, and found what was disguised as an irar decompression utility called "irar.jar". As soon as I went to open that download, AVG Free 8.0 went nuts, and alerted me that I had like 8 viruses and trojans. It looked as if it quarantined them all and I performed a few full scans w/ AVG and I thought my problems were solved. But I still noticed some strange behavior (sites taking long to load; sites with AJAX components were not submitting data properly). So I tried to download MalwareBytes and Spybot to do some more scans. Neither one would open or install at first. I finally got both of them to install in safe mode, but then neither program would open. I found a link to a batch utility on this forum that changed the filename of the Malwarebytes.exe and that allowed me to open the program. However, when I tried to update the definitions, the download would work, tell me it was going to restart MWB and install the latest definitions, and then nothing would happen. So, I did a full scan with the old definitions. The MWB log is posted below. Also below, you'll find my HijackThis log. I also followed some advice from this forum, and downloaded Avira Anti-virus, which solved 5 or 6 problems.

P.S. Sorry, I don't have the scan log from AVG or Avira. I had to uninstall AVG and Avira when I tried to use the trial version of Kaspersky (which I've now uninstalled and reverted back to AVG).

I hope you guys can help me! Thanks in advance!

==========================================

Logfile of HijackThis v1.99.1

Scan saved at 7:09:19 PM, on 3/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\218164740218.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: (no name) - {E6259B45-C2FC-4C2D-8B3C-9CF57890A826} - c:\windows\system32\ushxkpm.dll (file missing)

O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PlayOn] C:\Program Files\MediaMall\PlayOn.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: EventGhost.lnk = C:\Program Files\EventGhost\EventGhost.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [java_sun] Java (Sun)

O16 - DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3261FB-FF0E-4EC1-8387-199183A15128}: NameServer = 68.87.73.242,68.87.71.226

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: tdgzvhui - ushxkpm.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (javaquickstarterservice) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - %fystemroot%\system32\svchost.exe (file missing)

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

==========================================

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 3

3/12/2009 7:55:08 PM

mbam-log-2009-03-12 (19-55-03).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 222494

Time elapsed: 1 hour(s), 3 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


So here is some more information about my hijack, including a few more symptoms. Periodically while I'm running scans, a dialogue pops up saying that Google Installer (sometimes it's Google Updater) has encountered a problem, and it asks me if I want to send an error report.

Also, when I was installing both Kaspersky and AVG, both installations said I had to shut down different websites that were open (even though both times I didn't have a browser open).

I just reinstalled Avira Anti-Vir, as described in this thread, and here is that log:

Avira AntiVir Personal

Report file date: Thursday, March 12, 2009 21:43

Scanning for 1295836 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: REEDIE-DEN

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 13:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 12:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 17:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 12:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:28:12

ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 01:28:20

ANTIVIR3.VDF : 7.1.2.163 39424 Bytes 3/12/2009 01:28:21

Engineversion : 8.2.0.114

AEVDF.DLL : 8.1.1.0 106868 Bytes 3/13/2009 01:28:53

AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/13/2009 01:28:52

AESCN.DLL : 8.1.1.8 127346 Bytes 3/13/2009 01:28:50

AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 18:58:38

AEPACK.DLL : 8.1.3.10 397686 Bytes 3/13/2009 01:28:45

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/13/2009 01:28:40

AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/13/2009 01:28:38

AEHELP.DLL : 8.1.2.2 119158 Bytes 3/13/2009 01:28:31

AEGEN.DLL : 8.1.1.28 336244 Bytes 3/13/2009 01:28:26

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 15:05:56

AECORE.DLL : 8.1.6.6 176501 Bytes 3/13/2009 01:28:24

AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 15:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 13:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 14:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 17:02:15

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 16:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 13:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 17:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 22:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 17:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 17:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 18:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 18:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: repair

Secondary action.................: rename

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: on

Scan all files...................: All files

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Thursday, March 12, 2009 21:43

Starting search for hidden objects.

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-00000004.dll

[0] Archive type: HIDDEN

[INFO] The file is not visible.

--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-00000004.dll

[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-00000008.dll

[0] Archive type: HIDDEN

[INFO] The file is not visible.

--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-00000008.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-0000000A.dll

[0] Archive type: HIDDEN

[INFO] The file is not visible.

--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-0000000A.dll

[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-0000000C.sys

[0] Archive type: HIDDEN

[INFO] The file is not visible.

--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090312-214336-1BDAE3F7\AVSCAN-0000000C.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

The repair of rootkits is only in interactive mode possible!

c:\windows\system32\uacoxtuijwq.dll

[DETECTION]

c:\windows\system32\drivers\uacikkbprrn.sys

[DETECTION]

c:\windows\temp\uac8d61.tmp

[INFO] The file is not visible.

c:\windows\temp\uacf4cc.tmp

[INFO] The file is not visible.

c:\windows\system32\uacalmlhlnq.dll

[DETECTION]

[INFO] No SpecVir entry was found!

c:\windows\system32\uacbavbowaf.dat

[INFO] The file is not visible.

c:\windows\system32\uacinit.dll

[INFO] The file is not visible.

c:\windows\system32\uackjppmbco.dll

[INFO] The file is not visible.

c:\windows\system32\uacrtwswrtg.log

[INFO] The file is not visible.

c:\windows\system32\uacsworoyig.dll

[DETECTION]

[INFO] No SpecVir entry was found!

c:\windows\system32\uactepnyswr.dll

[INFO] The file is not visible.

c:\documents and settings\administrator\local settings\temp\uac5f99.tmp

[INFO] The file is not visible.

c:\documents and settings\all users\application data\sectaskman\uackjppmbco.dll.q_1bb50_q.ini

[INFO] The file is not visible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\errorcontrol

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\764e1fa9\errorcontrol

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group

[INFO] The registry entry is invisible.

'44652' objects were checked, '31' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'chrome.exe' - '1' Module(s) have been scanned

Scan process 'chrome.exe' - '1' Module(s) have been scanned

Scan process 'chrome.exe' - '1' Module(s) have been scanned

Scan process 'chrome.exe' - '1' Module(s) have been scanned

Scan process 'chrome.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'X10nets.exe' - '1' Module(s) have been scanned

Scan process 'EventGhost.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'avgcsrvx.exe' - '1' Module(s) have been scanned

Scan process 'avgnsx.exe' - '1' Module(s) have been scanned

Scan process 'avgemc.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'avgwdsvc.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

36 processes with 36 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '55' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\764e1fa9.sys

[WARNING] The file could not be opened!

End of the scan: Thursday, March 12, 2009 23:18

Used time: 1:35:03 Hour(s)

The scan has been done completely.

18855 Scanning directories

548968 Files were scanned

6 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

2 files were moved to quarantine

2 files were renamed

2 Files cannot be scanned

548960 Files not concerned

3746 Archives were scanned

3 Warnings

2 Notes

44652 Objects were scanned with rootkit scan

31 Hidden objects were found


So I downloaded the Avira Rescue CD and booted my system from it.

It found:

11 records

0 suspect files

96 warnings

I rebooted my system to Windows and I was finally able to open MWB and download the update! Progress at last.

Avira Anti-Vir alerted me about 7 pieces of malware being found while the MWB quick scan was going on. Also, the MWB scan found 7 problems that I removed.

=========================================

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'

detected in file 'C:\WINDOWS\system32\UACoxtuijwq.dll.VIR.

Action performed: Delete file

Virus or unwanted program 'RKIT/TDss.eyj.65 [trojan]'

detected in file 'C:\WINDOWS\system32\UACalmlhlnq.dll.VIR.

Action performed: Delete file

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'

detected in file 'C:\WINDOWS\system32\drivers\UACikkbprrn.sys.XXX.

Action performed: Delete file

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'

detected in file 'C:\WINDOWS\system32\drivers\764e1fa9.sys.XXX.

Action performed: Delete file

Virus or unwanted program 'RKIT/TDss.eyj.66 [trojan]'

detected in file 'C:\WINDOWS\system32\UACsworoyig.dll.XXX.

Action performed: Delete file

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'

detected in file 'C:\WINDOWS\system32\UACoxtuijwq.dll.XXX.

Action performed: Rename file

Virus or unwanted program 'RKIT/TDss.eyj.65 [trojan]'

detected in file 'C:\WINDOWS\system32\UACalmlhlnq.dll.XXX.

Action performed: Rename file

===========================================

Malwarebytes' Anti-Malware 1.34

Database version: 1846

Windows 5.1.2600 Service Pack 3

3/13/2009 11:45:58 PM

mbam-log-2009-03-13 (23-45-58).txt

Scan type: Quick Scan

Objects scanned: 68355

Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\UACalmlhlnq.dll.VIR (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACoxtuijwq.dll.VIR (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\UAC5f99.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACbavbowaf.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACrtwswrtg.log (Trojan.Agent) -> Quarantined and deleted successfully.

===============================================================

I am now going to follow the next step of advice from here and try ComboFix.


Here is my ComboFix log:

ComboFix 09-03-13.02 - Administrator 2009-03-14 0:32:26.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.751.429 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\SystemsHook.dll

c:\windows\system32\ushxkpm.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_omfpmebz

-------\Service_omfpmebz

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))

.

2009-03-13 23:24 . 2009-03-13 23:25 <DIR> d--h----- C:\$AVG8.VAULT$

2009-03-12 20:44 . 2009-03-12 20:44 <DIR> d-------- c:\program files\CCleaner

2009-03-12 20:41 . 2009-03-13 20:19 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-12 20:41 . 2009-03-14 00:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-12 20:41 . 2009-03-12 21:14 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-12 20:41 . 2009-03-12 21:14 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-12 20:41 . 2009-03-12 21:14 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-12 20:33 . 2009-03-12 20:33 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live

2009-03-12 18:30 . 2009-03-12 18:30 <DIR> d-------- c:\program files\Kaspersky Lab

2009-03-12 18:22 . 2009-03-12 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-03-12 18:14 . 2009-03-12 18:14 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-12 16:48 . 2009-03-12 16:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-03-12 09:16 . 2009-03-13 23:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-12 09:16 . 2009-03-12 09:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-12 09:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-12 09:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-12 00:40 . 2009-03-12 00:40 <DIR> d-------- c:\windows\BDOSCAN8

2009-03-11 23:56 . 2009-03-12 20:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan

2009-03-11 23:17 . 2009-03-12 21:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-11 23:17 . 2009-03-12 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-09 00:23 . 2009-03-09 00:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\LimeWire

2009-03-09 00:04 . 2009-03-09 00:05 2 --a------ C:\680318798

2009-03-08 19:18 . 2009-03-08 19:21 <DIR> d-------- c:\program files\TagRename

2009-03-08 16:37 . 2009-01-16 18:34 499,712 --a------ c:\windows\system32\msvcp71.dll

2009-03-08 16:36 . 2009-03-08 16:37 <DIR> d-------- c:\windows\system32\Adobe

2009-02-14 15:50 . 2009-02-14 15:50 <DIR> d-------- c:\program files\thrix

2009-02-14 01:48 . 1996-08-27 03:12 2,037,248 -ra------ c:\windows\QTINSTAL.EXE

2009-02-14 01:48 . 1996-08-27 03:12 93,504 -ra------ c:\windows\QTW16DEL.EXE

2009-02-14 01:48 . 2009-02-14 01:48 190 --a------ c:\windows\QTW.INI

2009-02-14 01:47 . 2009-02-14 01:48 30 --a------ c:\windows\RESULT.QTW

2009-02-14 01:45 . 2009-02-14 01:45 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-02-14 01:45 . 1996-01-09 11:38 283,648 --a------ c:\windows\uninst.exe

2009-02-14 00:00 . 2009-03-08 17:08 <DIR> d-------- c:\program files\XAimer

2009-02-14 00:00 . 2004-12-06 07:10 192,512 --a------ c:\windows\system32\ssresources.dll

2009-02-14 00:00 . 2006-05-08 20:59 49,152 --a------ c:\windows\system32\AIMDL.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-12 22:14 --------- d-----w c:\program files\Java

2009-03-12 20:48 --------- d-----w c:\documents and settings\Administrator\Application Data\SmartFTP

2009-03-09 23:42 --------- d-----w c:\documents and settings\Administrator\Application Data\XBMC

2009-03-09 06:58 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent

2009-02-04 13:42 --------- d-----w c:\program files\Microsoft ActiveSync

2009-01-30 15:26 --------- d-----w c:\program files\OpenOffice.org 3

2009-01-30 15:16 --------- d-----w c:\program files\microsoft frontpage

2009-01-30 15:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Microsoft Web Folders

2009-01-28 14:29 --------- d-----w c:\documents and settings\Administrator\Application Data\KompoZer

2009-01-28 14:22 --------- d-----w c:\documents and settings\Administrator\Application Data\OpenOffice.org

2009-01-28 14:10 --------- d-----w c:\program files\Common Files\Java

2009-01-28 13:54 --------- d-----w c:\program files\Common Files\Adobe

2009-01-28 13:51 --------- d-----w c:\program files\Common Files\Adobe Systems Shared

2009-01-28 13:51 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems

2009-01-15 04:43 --------- d-----w c:\program files\SmartFTP

2009-01-15 04:42 --------- d-----w c:\program files\SmartFTP Client Setup Files

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

EventGhost.lnk - c:\program files\EventGhost\EventGhost.exe [2008-12-29 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-12 21:14 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2009-03-12 21:14 1601304 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-03-12 18:15 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-12 325128]

R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-12 107272]

S1 764e1fa9;764e1fa9;c:\windows\system32\drivers\764e1fa9.sys --> c:\windows\system32\drivers\764e1fa9.sys [?]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-12 903960]

S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-12 298264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6927d942-d370-11dd-9d7a-806d6172696f}]

\Shell\AutoRun\command - E:\autorun.exe

\Shell\launch\command - E:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1757981266-725345543-500.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-27 01:55]

.

- - - - ORPHANS REMOVED - - - -

BHO-{E6259B45-C2FC-4C2D-8B3C-9CF57890A826} - c:\windows\system32\ushxkpm.dll

MSConfigStartUp-PlayOn - c:\program files\MediaMall\PlayOn.exe

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

TCP: {DE3261FB-FF0E-4EC1-8387-199183A15128} = 68.87.73.242,68.87.71.226

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\icb6oz4x.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-14 00:36:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\COMMON~1\SNAPST~1\Common\X10nets.exe

.

**************************************************************************

.

Completion time: 2009-03-14 0:39:21 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-14 04:39:09

Pre-Run: 3,997,835,264 bytes free

Post-Run: 5,703,323,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

173 --- E O F --- 2009-02-26 03:01:58


Things seem to be running a bit smoother thanks to all your great advice in other threads. I'm sure there is something fishy going on in the logs above that the admins will be able to spot that I won't. Please advise when you have a chance.

In the meantime, I have upgraded my protection by installing spywareblaster, spybot, and online armor personal firewall.

Is it advisable to run Avira Anti-vir, and Avg8 at the same time or is that overkill?


  • Root Admin

No, you should NEVER install and run 2 Anti-Virus applications at the same time. They will conflict with each other.

Please run the following.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


I updated and here is the latest scan:

Malwarebytes' Anti-Malware 1.34

Database version: 1856

Windows 5.1.2600 Service Pack 3

3/16/2009 8:20:12 PM

mbam-log-2009-03-16 (20-20-12).txt

Scan type: Quick Scan

Objects scanned: 68410

Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:23:22 PM, on 3/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\EventGhost\EventGhost.exe

C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: EventGhost.lnk = C:\Program Files\EventGhost\EventGhost.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [java_sun] Java (Sun)

O16 - DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3261FB-FF0E-4EC1-8387-199183A15128}: NameServer = 68.87.73.242,68.87.71.226

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

--

End of file - 5578 bytes

DDS.txt:

DDS (Ver_09-03-16.01) - NTFSx86

Run by Administrator at 20:25:34.54 on Mon 03/16/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.751.226 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

FW: Online Armor Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\EventGhost\EventGhost.exe

C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\eventg~1.lnk - c:\program files\eventghost\EventGhost.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab

DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {cafeefac-0016-0000-0012-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

TCP: {DE3261FB-FF0E-4EC1-8387-199183A15128} = 68.87.73.242,68.87.71.226

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\icb6oz4x.default\

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-14 11840]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-14 178376]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-14 30920]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-14 28872]

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-14 68865]

R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-14 151297]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-3-14 1402568]

R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-14 52032]

S1 764e1fa9;764e1fa9;c:\windows\system32\drivers\764e1fa9.sys --> c:\windows\system32\drivers\764e1fa9.sys [?]

S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-14 3321032]

=============== Created Last 30 ================

2009-03-14 15:51 <DIR> --d----- c:\program files\Full Tilt Poker

2009-03-14 10:17 <DIR> --d----- c:\program files\VS Revo Group

2009-03-14 01:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor

2009-03-14 01:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\OnlineArmor

2009-03-14 01:20 178,376 a------- c:\windows\system32\drivers\OADriver.sys

2009-03-14 01:20 30,920 a------- c:\windows\system32\drivers\OAmon.sys

2009-03-14 01:20 28,872 a------- c:\windows\system32\drivers\OAnet.sys

2009-03-14 01:20 <DIR> --d----- c:\program files\Tall Emu

2009-03-14 01:05 <DIR> --d----- c:\program files\Avira

2009-03-14 01:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-03-14 00:57 <DIR> --d----- c:\program files\Trend Micro

2009-03-14 00:49 <DIR> --d----- c:\program files\SpywareBlaster

2009-03-14 00:31 <DIR> a-dshr-- C:\cmdcons

2009-03-14 00:29 161,792 a------- c:\windows\SWREG.exe

2009-03-14 00:29 98,816 a------- c:\windows\sed.exe

2009-03-13 23:24 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-03-12 20:44 <DIR> --d----- c:\program files\CCleaner

2009-03-12 20:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-03-12 20:33 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live

2009-03-12 18:30 <DIR> --d----- c:\program files\Kaspersky Lab

2009-03-12 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2009-03-12 18:14 410,984 a------- c:\windows\system32\deploytk.dll

2009-03-12 16:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes

2009-03-12 09:16 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-12 09:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-12 09:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-03-12 09:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan

2009-03-11 23:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-03-11 23:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-03-09 00:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\LimeWire

2009-03-09 00:04 2 a------- C:\680318798

2009-03-08 19:18 <DIR> --d----- c:\program files\TagRename

2009-03-08 16:37 499,712 a------- c:\windows\system32\msvcp71.dll

2009-03-08 16:36 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2008-12-31 20:17 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-12-27 00:02 22,720 a------- c:\windows\system32\emptyregdb.dat

2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 20:25:59.64 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/26/2008 11:06:58 PM

System Uptime: 3/16/2009 2:06:41 PM (6 hours ago)

Motherboard: | |

Processor: Intel® Celeron® CPU 2.80GHz | J2E1 | 2792/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 4.766 GiB free.

D: is FIXED (FAT32) - 186 GiB total, 27.254 GiB free.

E: is CDROM (UDF)

F: is CDROM ()

G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Wireless-G PCI Adapter

Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00141737&REV_03\4&2E98101C&0&00F0

Manufacturer: Linksys

Name: Wireless-G PCI Adapter

PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00141737&REV_03\4&2E98101C&0&00F0

Service: BCM43XX

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}

Description: ATI 3D RAGE LT PRO

Device ID: PCI\VEN_1002&DEV_4C49&SUBSYS_00000000&REV_DC\4&2E98101C&0&08F0

Manufacturer: ATI Technologies, Inc.

Name: ATI 3D RAGE LT PRO

PNP Device ID: PCI\VEN_1002&DEV_4C49&SUBSYS_00000000&REV_DC\4&2E98101C&0&08F0

Service: atimpab

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&2E98101C&0&10F0

Manufacturer:

Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&2E98101C&0&10F0

Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Intel® PRO/100 VE Network Connection

Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_304A8086&REV_02\4&2E98101C&0&40F0

Manufacturer: Intel

Name: Intel® PRO/100 VE Network Connection

PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_304A8086&REV_02\4&2E98101C&0&40F0

Service: E100B

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


utorrent is uninstalled, java6 update 7, and java6 update 12 are gone too.

I manually set those two DNS servers in my router configuration to point to comcast.

I searched the file paths described above, and did not find any java folders to remove. Here is the JavaRa log:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Mar 17 23:51:32 2009

------------------------------------

Finished reporting.


  • Staff

Hi,

AdvancedSetup is busy with other stuff, so I'm going to take over this thread...

Go to Start > Run and copy and paste the next command in the field:

sc delete 764e1fa9

Hit enter

Then, I also see that your BITS and wuauserv (automatic updates) services got corrupted, so we need to restore them as well.

The malware has locked and changed these services, so to restore them, download and run the following fix:

http://users.telenet.be/marcvn/tools/WUS_Fix.exe

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Reboot and post a new HijackThis log in your next reply.

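The entries the helper acts on in the post above (the `764e1fa9` driver service, and the BITS and wuauserv services) stand out in the posted logs by their shape, and that can be checked mechanically. This is an added example, not part of the original thread or of HijackThis, DDS or ComboFix; the function names, flag names and the four heuristics are assumptions chosen for illustration, and the sample lines are copied from the logs posted earlier in the thread.

```python
import re

# Sample lines copied from the HijackThis and DDS logs posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-14 28872]
S1 764e1fa9;764e1fa9;c:\windows\system32\drivers\764e1fa9.sys --> c:\windows\system32\drivers\764e1fa9.sys [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-14 3321032]
"""

O23_PREFIX = "O23 - Service: "
# The image path is the first " - X:\..." field; display names and paths may
# themselves contain " - ", so the line cannot simply be split on it.
PATH_RE = re.compile(r" - ([A-Za-z]:\\.*)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")
# DDS/ComboFix service line: <R|S><digit> name;display;path [date size] or [?]
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?)\s\[([^\]]*)\]$")
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}", re.IGNORECASE)


def parse_o23(line):
    """Split a HijackThis O23 line into name, display name, owner and path."""
    if not line.startswith(O23_PREFIX):
        return None
    rest = line[len(O23_PREFIX):]
    match = PATH_RE.search(rest)
    if not match or " - " not in rest[:match.start()]:
        return None
    display, owner = rest[:match.start()].rsplit(" - ", 1)
    short = SHORT_NAME_RE.search(display)
    return {"name": short.group(1) if short else display,
            "display": display, "owner": owner, "path": match.group(1)}


def parse_driver(line):
    """Split a DDS/ComboFix service or driver line into its fields."""
    match = DRIVER_RE.match(line)
    if not match:
        return None
    state, start, name, display, path, file_info = match.groups()
    return {"name": name, "display": display, "state": state + start,
            "path": path, "file_info": file_info}


def flags_for_o23(entry):
    flags = []
    # Assumed heuristic: no company name could be read for the service image.
    if entry["owner"].lower() == "unknown owner":
        flags.append("unknown-owner")
    # Assumed heuristic: the image path is a bare directory, not a file.
    if entry["path"].endswith("\\"):
        flags.append("image-path-is-directory")
    return flags


def flags_for_driver(entry):
    flags = []
    # Assumed heuristic: "[?]" in place of the usual date and size.
    if entry["file_info"] == "?":
        flags.append("file-info-unavailable")
    # Assumed heuristic: service name is nothing but eight hex digits.
    if HEX_NAME_RE.fullmatch(entry["name"]):
        flags.append("hex-only-name")
    return flags


def triage(text):
    """Return (service name, flags) for every log line that raises a flag."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        entry = parse_o23(line)
        if entry:
            flags = flags_for_o23(entry)
        else:
            entry = parse_driver(line)
            flags = flags_for_driver(entry) if entry else []
        if flags:
            findings.append((entry["name"], flags))
    return findings


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG):
        print(f"{name}: {', '.join(flags)}")
```

A flagged entry is a prompt to look closer, not a verdict: the flags describe what the log line looks like, and the decision to delete or repair a service still rests on the kind of review the helper gives in this thread.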

Thanks for your response.

I ran "sc delete 764e1fa9," WUS_Fix.exe, and uninstalled combofix. Then I rebooted, ran HJT, and here is the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:15:59 AM, on 3/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\EventGhost\EventGhost.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: EventGhost.lnk = C:\Program Files\EventGhost\EventGhost.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3261FB-FF0E-4EC1-8387-199183A15128}: NameServer = 68.87.73.242,68.87.71.226

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

--

End of file - 4563 bytes


  • Staff

Hi,

This looks OK again. How are things now?

Just being curious.. How does the combination Avira + Online Armor work for you? Don't you have any problems with it like system freezes? This because I've tried this combination already a couple of times, but for some reason, Online Armor doesn't like Avira & vice versa.. :(


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
