
Antispy Pro 2010



I posted this in the general forum... I have read everything, but I cannot run HijackThis or Malwarebytes.

I believe I caught this last night on a website as I was surfing, but I am not sure, because my mail is not being AV-scanned anymore either.

I use AVG and Sygate as a firewall.

I have spent all day reading everything I could find, but I am no closer to solving the problem. I have downloaded and installed mbam-setup several times...both under its own name, and with a fakename.exe. It installs, but I cannot run it, nor can I do a HijackThis scan. I have also downloaded and installed some other programs which promised relief, but I cannot install/run them either.

Malwarebytes seems to install ok, but when I click on "scan", it simply disappears.

Would very much appreciate someone helping me... Thanks in advance.


Many thanks for your help, JSntgRvr. Please see the log below:

Running from: C:\Documents and Settings\Liz\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Liz\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5ED.tmp\ZAP5ED.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2006-02-28 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2006-02-28 08:00:00 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2006-02-28 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2006-02-28 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!


Hi, atwitsend99 :)

Please follow these steps:

Step 1

Open a command prompt (Start->Run, type CMD and click OK). At the prompt, copy and paste the following commands and press Enter after each line:

Copy C:\WINDOWS\system32\dllcache\eventlog.dll C:\

Exit

Step 2

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply.

"C:\Documents and Settings\Liz\Desktop\Win32kDiag.exe" -f -r

Step 3

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right-click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right-click on the window under "Input script here:" and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.

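The Win32kDiag log posted above carries two findings that the steps in this reply act on: a long list of directory junctions under C:\WINDOWS whose destination is the kernel device object \Device\__max++>\^ rather than a volume path (a name commonly associated with the TDL3/TDSS rootkit family), and two files the tool could not open, of which only C:\WINDOWS\system32\eventlog.dll differs in size (61952 bytes) from its protected copy in dllcache (55808 bytes). That is why Step 2 runs Win32kDiag with -f -r (drop the junctions, reset permissions) while Step 1 and Step 3 stage a clean copy of eventlog.dll in C:\ and move it over the patched one on reboot, when the Event Log service no longer holds it. The following script is an added example written for this page, not a tool from the thread or from the Win32kDiag author: it parses the log format shown above and derives that same plan. The "repeated leaf plus \Device\ target" rule for spotting the rootkit's junctions is an assumption of this example based on the entries in this log, not a documented Win32kDiag rule; the sample input is constructed from lines copied out of the log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the Win32kDiag log posted in this
# thread (two of the junctions and both "Cannot access" groups).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Temp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
[1] 2006-02-28 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()
[1] 2006-02-28 08:00:00 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2006-02-28 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2006-02-28 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2006-02-28 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] 2006-02-28 08:00:00 55808 C:\...\eventlog.dll (Microsoft Corporation)"
FILE_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")


@dataclass
class LockedFile:
    path: str
    # (path, size in bytes, company from the version resource) for the locked
    # file and for the same-named copies Win32kDiag could read (dllcache etc.)
    candidates: list = field(default_factory=list)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_win32kdiag(text):
    """Return ([(junction, destination), ...], [LockedFile, ...]) from a log."""
    junctions, locked, pending, group = [], [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := MOUNT_RE.match(line):
            pending, group = m.group(1), None
        elif m := DEST_RE.match(line):
            if pending:
                junctions.append((pending, m.group(1)))
            pending = None
        elif m := DENIED_RE.match(line):
            group = LockedFile(m.group(1))
            locked.append(group)
        elif (m := FILE_RE.match(line)) and group:
            group.candidates.append((m.group(2), int(m.group(1)), m.group(3)))
        else:
            group = None  # any other line closes a "Cannot access" group
    return junctions, locked


def is_rootkit_junction(path, destination):
    """Heuristic (an assumption of this example, not a Win32kDiag rule): a
    reparse point whose target is a bare kernel device object instead of a
    \\??\\<volume> path, and whose leaf just repeats its parent (addins\\addins),
    matches every entry in the log above."""
    parts = path.rstrip("\\").split("\\")
    repeated_leaf = len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
    return destination.startswith("\\Device\\") and repeated_leaf


def triage_locked(lf):
    """'replace', 'reset-permissions' or 'unknown', by comparing the locked file
    with its dllcache twin. The empty "()" only means the version resource could
    not be read through the hostile ACL; a size that differs from the protected
    copy is the real sign of a patched binary."""
    own = next((c for c in lf.candidates if c[0].lower() == lf.path.lower()), None)
    cache = next((c for c in lf.candidates if "\\dllcache\\" in c[0].lower()
                  and basename(c[0]) == basename(lf.path)), None)
    if own is None or cache is None:
        return "unknown"
    return "replace" if own[1] != cache[1] else "reset-permissions"


def build_plan(text):
    """Turn a log into the steps the helper gave: drop the junctions, then stage
    a clean dllcache copy in C:\\ and move it over the patched file on reboot."""
    junctions, locked = parse_win32kdiag(text)
    plan = [f"remove junction {p} -> {d}" for p, d in junctions if is_rootkit_junction(p, d)]
    for lf in locked:
        verdict = triage_locked(lf)
        if verdict == "replace":
            cache = next(c[0] for c in lf.candidates if "\\dllcache\\" in c[0].lower())
            staged = "C:\\" + lf.path.rsplit("\\", 1)[-1]
            plan += [f"copy {cache} {staged}", f"move-on-reboot {staged} -> {lf.path}"]
        elif verdict == "reset-permissions":
            plan.append(f"reset ACL on {lf.path}")
    return plan


if __name__ == "__main__":
    print("\n".join(build_plan(SAMPLE_LOG)))
```

Run against the sample, the plan lists the two junctions for removal, an ACL reset for HelpSvc.exe (same size as its dllcache twin, so only the permissions were tampered with) and a copy-then-move-on-reboot for eventlog.dll, which is exactly the split between Step 2 and Steps 1 and 3 above. The size comparison is deliberately the only replacement trigger: a missing company string is expected for any file the tool could not open, so treating it as proof of patching would have replaced HelpSvc.exe needlessly.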

Ahh, the annoying pop-ups and unwanted installations are gone... THANKS millions.

Here come the logs:

Running from: C:\Documents and Settings\Liz\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Liz\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5ED.tmp\ZAP5ED.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5ED.tmp\ZAP5ED.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2006-02-28 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2006-02-28 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Temp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.41

Database version: 2822

Windows 5.1.2600 Service Pack 2

9/18/2009 9:01:09 PM

mbam-log-2009-09-18 (21-01-09).txt

Scan type: Quick Scan

Objects scanned: 95666

Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 9

Registry Data Items Infected: 6

Folders Infected: 4

Files Infected: 28

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntivirusPro) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntivirusPro) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wisdstr.exe (Rogue.AntivirusPro) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Cookies\ozutemuxi.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

This has been one miserable experience... one I do not wish to repeat. If I could ask you for one more favor, please... how do I make sure this does not happen again? I feel really bad that AVG did not prevent this... and I still do not know where exactly this nasty came from. Even though AVG is not scanning my mail, I do not believe that the mail was the source, since I opened no attachments. You have truly been a life-saver... and I am more than willing to buy Malwarebytes :) but would like to prevent this (what I believe it was) on-the-fly installation of malware.


The dropper usually comes bundled with other software, or you are directed to click a link that will drop the initial install file. AVG won't protect you. Malwarebytes (full version) and AVAST will provide you better protection. Take into consideration that there is no defense against new variants.

You failed to post the report for step 5. Were you able to run Combofix?


So sorry...forgot to post that last one

ComboFix 09-09-18.02 - Liz 09/18/2009 21:34.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1424 [GMT -4:00]

Running from: c:\documents and settings\Liz\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\afyfyleju.bin

c:\documents and settings\All Users\Application Data\cazy._dl

c:\documents and settings\All Users\Application Data\cifyd.bat

c:\documents and settings\All Users\Application Data\eqis.sys

c:\documents and settings\All Users\Application Data\muvino.com

c:\documents and settings\All Users\Application Data\pacylybema.bat

c:\documents and settings\All Users\Application Data\sevinopuf._dl

c:\documents and settings\All Users\Application Data\ujenojo.sys

c:\documents and settings\All Users\Application Data\ylyved.inf

c:\documents and settings\All Users\Documents\enybiciba.reg

c:\documents and settings\All Users\Documents\gype.inf

c:\documents and settings\All Users\Documents\idajosekur.inf

c:\documents and settings\All Users\Documents\imehyred.exe

c:\documents and settings\All Users\Documents\koqewawaju.com

c:\documents and settings\All Users\Documents\ogexodidyz.exe

c:\documents and settings\All Users\Documents\ohaboviha.pif

c:\documents and settings\All Users\Documents\oloq.reg

c:\documents and settings\All Users\Documents\orumopod.scr

c:\documents and settings\All Users\Documents\qebicyhisu.ban

c:\documents and settings\All Users\Documents\sycyf.bin

c:\documents and settings\All Users\Documents\ulijox.reg

c:\documents and settings\All Users\Documents\utoxuhajum.sys

c:\documents and settings\All Users\Documents\yroguci.inf

c:\documents and settings\Liz\Application Data\avetub.dl

c:\documents and settings\Liz\Application Data\bahyp.exe

c:\documents and settings\Liz\Application Data\bexubo._dl

c:\documents and settings\Liz\Application Data\equm.scr

c:\documents and settings\Liz\Application Data\gamepitir.lib

c:\documents and settings\Liz\Application Data\ijiquf.dll

c:\documents and settings\Liz\Application Data\ilil.bin

c:\documents and settings\Liz\Application Data\iwutaqicy.bat

c:\documents and settings\Liz\Application Data\izysylyjas.dl

c:\documents and settings\Liz\Application Data\revemuh._sy

c:\documents and settings\Liz\Application Data\ubuwoja.vbs

c:\documents and settings\Liz\Application Data\vusokygi._sy

c:\documents and settings\Liz\Application Data\ydas.bin

c:\documents and settings\Liz\Application Data\zyca.ban

c:\documents and settings\Liz\Cookies\edyqo.com

c:\documents and settings\Liz\Cookies\jaju.bin

c:\documents and settings\Liz\Cookies\jiqaqyx.pif

c:\documents and settings\Liz\Cookies\kucygoqat.pif

c:\documents and settings\Liz\Cookies\linybof.dat

c:\documents and settings\Liz\Cookies\ojabyj.dl

c:\documents and settings\Liz\Cookies\pajinaqyt.reg

c:\documents and settings\Liz\Cookies\todi.dll

c:\documents and settings\Liz\Cookies\uzugu.inf

c:\documents and settings\Liz\Cookies\wehen.bin

c:\documents and settings\Liz\Cookies\xily.ban

c:\documents and settings\Liz\Cookies\xuqinyruz.bin

c:\documents and settings\Liz\Cookies\zowe.lib

c:\documents and settings\Liz\Local Settings\Application Data\befos.dl

c:\documents and settings\Liz\Local Settings\Application Data\caxyf.vbs

c:\documents and settings\Liz\Local Settings\Application Data\gaqo.reg

c:\documents and settings\Liz\Local Settings\Application Data\imofovukif.com

c:\documents and settings\Liz\Local Settings\Application Data\kacemulo._sy

c:\documents and settings\Liz\Local Settings\Application Data\korud.dl

c:\documents and settings\Liz\Local Settings\Application Data\kufux.com

c:\documents and settings\Liz\Local Settings\Application Data\povunopoke.reg

c:\documents and settings\Liz\Local Settings\Application Data\vyli.vbs

c:\documents and settings\Liz\Local Settings\Application Data\ygir.exe

c:\documents and settings\Liz\Local Settings\Application Data\zyxegenyno.ban

c:\program files\Common Files\gytuwozibi.ban

c:\program files\Common Files\momi.vbs

c:\program files\Common Files\umefe.inf

c:\program files\Common Files\unibace.vbs

c:\program files\Common Files\yfykubyp.dll

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\Alcmtr.exe

c:\windows\aziqar.inf

c:\windows\azywiga.bat

c:\windows\ecyqyq.vbs

c:\windows\esupaza.dll

c:\windows\imafoji.inf

c:\windows\kywarizus.vbs

c:\windows\opewe._dl

c:\windows\qyqyj._dl

c:\windows\system32\adacihina.vbs

c:\windows\system32\alog.bat

c:\windows\system32\drivers\npf.sys

c:\windows\system32\ebuqoj.inf

c:\windows\system32\fyfylomizo.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\tufepa.ban

c:\windows\system32\uqexifahi.exe

c:\windows\system32\WanPacket.dll

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\wpcap.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\unatybocin.bat

c:\windows\xusyju.exe

c:\windows\ybohyraro.bin

c:\windows\ysokafuk.inf

P:\Autorun.inf

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))

.

2009-09-19 01:19 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2009-09-19 01:19 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2009-09-19 00:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 00:53 . 2009-09-19 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 00:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 16:14 . 2009-09-18 16:14 12538 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\hawes.dat

2009-09-18 16:05 . 2009-09-18 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-18 15:04 . 2009-09-18 15:04 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes

2009-09-18 15:04 . 2009-09-18 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-18 14:29 . 2009-09-18 14:29 19740 ----a-w- c:\program files\Common Files\akag.dat

2009-09-18 14:29 . 2009-09-18 14:29 10084 ----a-w- c:\windows\ucipazyjan.dat

2009-09-18 06:01 . 2009-09-18 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2009-09-18 05:54 . 2009-09-18 05:54 19282 ----a-w- c:\program files\Common Files\afuquwo.dat

2009-09-18 05:26 . 2009-09-18 05:26 13260 ----a-w- c:\windows\system32\oruly.com

2009-09-18 05:21 . 2009-09-18 05:21 103424 ----a-w- C:\ZZL8.exe

2009-09-12 15:46 . 2009-09-17 15:12 -------- d-----w- c:\temp\clit-temp

2009-08-24 05:33 . 2009-08-24 05:33 -------- d-----w- c:\program files\Trend Micro

2009-08-24 04:58 . 2009-08-24 05:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-24 04:45 . 2009-08-24 05:57 -------- d-----w- C:\Spyware Cleaner 2009

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 17:50 . 2009-09-18 17:50 16807 ----a-w- c:\program files\Common Files\opeqome.lib

2009-09-18 14:29 . 2009-09-18 14:29 19933 ----a-w- c:\program files\Common Files\xulofoleqa.lib

2009-09-18 05:26 . 2009-09-18 05:26 19891 ----a-w- c:\program files\Common Files\wijyji._sy

2009-09-17 22:44 . 2008-10-29 23:46 -------- d-----w- c:\documents and settings\Liz\Application Data\uTorrent

2009-09-17 21:15 . 2008-10-29 19:57 65 ----a-w- c:\windows\popcinfo.dat

2009-09-17 02:13 . 2008-11-06 16:18 69632 ----a-w- c:\windows\system32\realbap1.dll

2009-09-16 17:20 . 2008-11-06 16:51 -------- d-----w- c:\program files\ICQ

2009-09-15 04:39 . 2008-10-29 19:53 -------- d-----w- c:\documents and settings\Liz\Application Data\mIRC

2009-09-15 00:06 . 2008-10-29 19:53 -------- d---a-w- c:\program files\mIRC

2009-09-14 15:31 . 2008-11-06 16:43 -------- d-----w- c:\documents and settings\Liz\Application Data\Skype

2009-09-08 14:52 . 2008-10-29 19:51 -------- d-----w- c:\program files\Monkey's Audio

2009-09-05 16:13 . 2009-07-10 16:42 -------- d-----w- c:\documents and settings\Liz\Application Data\dvdcss

2009-09-01 05:14 . 2008-11-09 18:45 -------- d-----w- c:\program files\palmOne

2009-08-25 10:02 . 2009-03-17 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BOC427

2009-08-17 13:07 . 2008-10-29 11:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-17 13:07 . 2008-10-29 11:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-17 13:07 . 2008-10-29 11:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-16 18:52 . 2009-06-09 21:42 -------- d-----w- c:\documents and settings\Liz\Application Data\calibre

2009-08-06 16:01 . 2008-11-06 16:20 69632 ----a-w- c:\windows\realbap1.dll

2009-07-18 16:39 . 2009-07-10 14:16 1989008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-10 16:19 . 2008-10-29 01:53 17856 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-16 430080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-14 2532576]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-02-12 1620480]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-02-12 1050112]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]

"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]

c:\documents and settings\Liz\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 13:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2008 7:10 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/29/2008 7:10 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/29/2008 7:10 AM 297752]

R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [3/17/2009 3:01 AM 73464]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 6:12 PM 102400]

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [9/2/2008 8:33 AM 100352]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [4/7/2009 7:34 PM 11520]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/29/2008 7:10 AM 908056]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.sygate.com/swat/support/spf50_reg.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta

Trusted Zone: aol.com\free

TCP: {7EB5D41B-9A63-430D-B471-96F9CBA271B9} = 192.168.254.254

FF - ProfilePath - c:\documents and settings\Liz\Application Data\Mozilla\Firefox\Profiles\hmyiklhz.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

.

------- File Associations -------

.

txtfile=c:\windows\NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-18 21:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2412)

c:\windows\system32\SSSensor.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Sygate\SPF\Smc.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2009-09-19 21:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-19 01:41

Pre-Run: 39,547,064,320 bytes free

Post-Run: 39,455,739,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

266

Once I know the pc is really clean, I will install AVAST and also the full version of malwarebytes. Thanks once more for your help!!

Oh I meant to mention that it asked me to supply the XP install cd, because some of the files had been altered.


Oh I meant to mention that it asked me to supply the XP install cd, because some of the files had been altered.

Which files?

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::

c:\documents and settings\Liz\Local Settings\Application Data\hawes.dat

c:\program files\Common Files\akag.dat

c:\windows\ucipazyjan.dat

c:\program files\Common Files\afuquwo.dat

C:\ZZL8.exe

c:\program files\Common Files\opeqome.lib

c:\program files\Common Files\xulofoleqa.lib

c:\program files\Common Files\wijyji._sy

Folder::

C:\Spyware Cleaner 2009

c:\temp\clit-temp

CFScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!

  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


And here is the second ComboFix scan:

ComboFix 09-09-18.02 - Liz 09/19/2009 1:14.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1373 [GMT -4:00]

Running from: c:\documents and settings\Liz\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Liz\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\documents and settings\Liz\Local Settings\Application Data\hawes.dat"

"c:\program files\Common Files\afuquwo.dat"

"c:\program files\Common Files\akag.dat"

"c:\program files\Common Files\opeqome.lib"

"c:\program files\Common Files\wijyji._sy"

"c:\program files\Common Files\xulofoleqa.lib"

"c:\windows\ucipazyjan.dat"

"C:\ZZL8.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Liz\Local Settings\Application Data\hawes.dat

c:\program files\Common Files\afuquwo.dat

c:\program files\Common Files\akag.dat

c:\program files\Common Files\opeqome.lib

c:\program files\Common Files\wijyji._sy

c:\program files\Common Files\xulofoleqa.lib

C:\Spyware Cleaner 2009

c:\spyware cleaner 2009\RnMenu.dll

c:\spyware cleaner 2009\UP\up.rn

c:\temp\clit-temp

c:\windows\ucipazyjan.dat

C:\ZZL8.exe

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))

.

2009-09-19 01:19 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2009-09-19 01:19 . 2006-02-28 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys

2009-09-19 00:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 00:53 . 2009-09-19 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 00:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 16:05 . 2009-09-18 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-18 15:04 . 2009-09-18 15:04 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes

2009-09-18 15:04 . 2009-09-18 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-18 06:01 . 2009-09-18 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2009-09-18 05:26 . 2009-09-18 05:26 13260 ----a-w- c:\windows\system32\oruly.com

2009-08-24 05:33 . 2009-08-24 05:33 -------- d-----w- c:\program files\Trend Micro

2009-08-24 04:58 . 2009-08-24 05:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-19 03:06 . 2008-10-29 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-17 22:44 . 2008-10-29 23:46 -------- d-----w- c:\documents and settings\Liz\Application Data\uTorrent

2009-09-17 21:15 . 2008-10-29 19:57 65 ----a-w- c:\windows\popcinfo.dat

2009-09-17 02:13 . 2008-11-06 16:18 69632 ----a-w- c:\windows\system32\realbap1.dll

2009-09-16 17:20 . 2008-11-06 16:51 -------- d-----w- c:\program files\ICQ

2009-09-15 04:39 . 2008-10-29 19:53 -------- d-----w- c:\documents and settings\Liz\Application Data\mIRC

2009-09-15 00:06 . 2008-10-29 19:53 -------- d---a-w- c:\program files\mIRC

2009-09-14 15:31 . 2008-11-06 16:43 -------- d-----w- c:\documents and settings\Liz\Application Data\Skype

2009-09-08 14:52 . 2008-10-29 19:51 -------- d-----w- c:\program files\Monkey's Audio

2009-09-05 16:13 . 2009-07-10 16:42 -------- d-----w- c:\documents and settings\Liz\Application Data\dvdcss

2009-09-01 05:14 . 2008-11-09 18:45 -------- d-----w- c:\program files\palmOne

2009-08-25 10:02 . 2009-03-17 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BOC427

2009-08-17 13:07 . 2008-10-29 11:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-17 13:07 . 2008-10-29 11:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-17 13:07 . 2008-10-29 11:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-16 18:52 . 2009-06-09 21:42 -------- d-----w- c:\documents and settings\Liz\Application Data\calibre

2009-08-06 16:01 . 2008-11-06 16:20 69632 ----a-w- c:\windows\realbap1.dll

2009-07-18 16:39 . 2009-07-10 14:16 1989008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-10 16:19 . 2008-10-29 01:53 17856 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-16 430080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-14 2532576]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-02-12 1620480]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-02-12 1050112]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]

"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2006-02-28 158208]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]

c:\documents and settings\Liz\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 13:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2008 7:10 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/29/2008 7:10 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/29/2008 7:10 AM 297752]

R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [3/17/2009 3:01 AM 73464]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 6:12 PM 102400]

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [9/2/2008 8:33 AM 100352]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [4/7/2009 7:34 PM 11520]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/29/2008 7:10 AM 908056]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.sygate.com/swat/support/spf50_reg.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta

Trusted Zone: aol.com\free

TCP: {7EB5D41B-9A63-430D-B471-96F9CBA271B9} = 192.168.254.254

FF - ProfilePath - c:\documents and settings\Liz\Application Data\Mozilla\Firefox\Profiles\hmyiklhz.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-19 01:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

Completion time: 2009-09-19 1:17

ComboFix-quarantined-files.txt 2009-09-19 05:17

ComboFix2.txt 2009-09-19 01:41

Pre-Run: 39,416,324,096 bytes free

Post-Run: 39,417,692,160 bytes free

223

And the F-Secure Scan results:

Scanning Report

Saturday, September 19, 2009 01:34:54 - 01:39:22

Computer name: LACEY

Scanning type: Quick scan

Target: System

1 malware found

TrackingCookie.2o7 (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 3730

* System: 3730

* Not scanned: 0

Actions:

* Disinfected: 1

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Options

Scanning engines:

Copyright


Hi, atwitsend99 :)

Here is the definition:

PROQUOTA.EXE (Profile Quota Manager). An application for limiting the size of user profiles.

It is not a critical component, but it shouldn't be disabled.

There are no copies of the file on the computer. You may have to extract a copy from the XP CD. Here is how.

  1. Insert the XP Installation CD and cancel any autorun.
  2. Note the letter assigned to your CD_ROM.
  3. Open a Command prompt (Start -> Run, type CMD and click OK)
  4. At the Command prompt copy and paste the following commands and press Enter after each line:
    Expand -r X:\i386\Proquota.ex_ C:\Windows\System32\Proquota.exe
    Expand -r X:\i386\Proquota.ex_ C:\Windows\System32\dllcache\Proquota.exe
    Exit
  5. Note: Replace the X with the letter assigned to your CD_ROM

Here are other ways:

http://support.microsoft.com/kb/888017

How is the computer doing?


Hi JSntgRvr :)

This is the log of trying to get that file back:

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Liz>Expand -r O:\i386\Proquota.ex_ C:\Windows\System32\Proquota.exe

Microsoft ® File Expansion Utility Version 5.1.2600.0

Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding o:\i386\proquota.ex_ to o:\i386\proquota.exe.

Can't open output file: o:\i386\proquota.exe.

Can't open input file: c:\windows\system32\proquota.exe.

C:\Documents and Settings\Liz>Expand -r O:\i386\Proquota.ex_ C:\Windows\System32\dllcache\Proquota.exe

Microsoft ® File Expansion Utility Version 5.1.2600.0

Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding o:\i386\proquota.ex_ to o:\i386\proquota.exe.

Can't open output file: o:\i386\proquota.exe.

Can't open input file: c:\windows\system32\dllcache\proquota.exe.

C:\Documents and Settings\Liz>

The proquota.ex_ file is present, but I don't seem to be able to get it onto the pc.

It seems the comp is a bit slow, and at this time running without a mail scanner, since I cannot figure out how to reestablish that with AVG...and quite frankly I don't want to. When I know that the comp is clean, I will install avast and the malwarebytes paid version.

Thanks once more .....Liz


Hi JSntgRvr

Ahhhh but this time it worked :)

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Liz>Expand O:\i386\Proquota.ex_ C:\Windows\System32

Microsoft ® File Expansion Utility Version 5.1.2600.0

Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding o:\i386\proquota.ex_ to c:\windows\system32\proquota.ex_.

o:\i386\proquota.ex_: 26379 bytes expanded to 50176 bytes, 90% increase.

C:\Documents and Settings\Liz>Expand O:\i386\Proquota.ex_ C:\Windows\System32\dllcache

Microsoft ® File Expansion Utility Version 5.1.2600.0

Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding o:\i386\proquota.ex_ to c:\windows\system32\dllcache\proquota.ex_.

o:\i386\proquota.ex_: 26379 bytes expanded to 50176 bytes, 90% increase.

C:\Documents and Settings\Liz>

I did remove AVG before installing Avast, but forgot about BoClean (Comodo), but Avast installed fine, and I finally could get my mail....now if I just could find where to schedule scanning, all would be well :) (I don't think that my version of BoClean was working anymore, but I removed it belatedly)......Liz


Hi, atwitsend99 :)

The file was not renamed while being expanded. Let's do some housekeeping.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as RenFix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the RenFix.bat file. It will self-destruct once run.

@Echo Off

Ren C:\Windows\System32\proquota.ex_ proquota.exe

Ren C:\Windows\System32\dllcache\proquota.ex_ proquota.exe

Del %0

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Liz\Desktop\Combo-Fix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.

Create a Restore point (If the above process fails to do so):

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

How is the computer doing?

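The expand-then-rename sequence from the posts above (the Expand commands and the RenFix.bat), as one added batch example that is not the helper's script: it expands each copy straight to its .exe name (no -r, explicit destination file) and checks the result against the 50176 bytes reported in the Expand output. It assumes the CD is still drive O:, as in the thread.

```batch
@echo off
rem Added example (not the helper's RenFix.bat): restore proquota.exe from the
rem XP CD in one step and verify the result, instead of expanding and renaming.
rem Assumptions: the CD is drive O: as in the thread, and the expected size
rem (50176 bytes) is the figure shown in the Expand output above.
setlocal
set "CDROM=O:"
set "SRC=%CDROM%\i386\proquota.ex_"
set "EXPECTED=50176"

if not exist "%SRC%" (
    echo Source %SRC% not found - check the CD-ROM drive letter.
    exit /b 1
)

rem Expand to an explicit .exe destination (no -r), so the copy is created
rem under the final name and the ".ex_" rename step is never needed.
call :restore "%SystemRoot%\System32\proquota.exe"
call :restore "%SystemRoot%\System32\dllcache\proquota.exe"
endlocal
exit /b 0

:restore
expand "%SRC%" "%~1" >nul
if not exist "%~1" (
    echo FAILED: %~1 was not created
    exit /b 1
)
rem Size check: a stray .ex_ copy or a partial write will not match.
for %%F in ("%~1") do set "ACTUAL=%%~zF"
if "%ACTUAL%"=="%EXPECTED%" (
    echo OK: %~1 is %ACTUAL% bytes
) else (
    echo WARNING: %~1 is %ACTUAL% bytes, expected %EXPECTED%
)
exit /b 0
```

Run it from an administrator command prompt with the XP CD inserted; the dllcache copy is what Windows File Protection uses to repair the System32 copy later.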

Hi JSntgRvr :)

I think the comp is ok, it is running ok and also seems to boot faster.

I'm sorry I was too tired to follow your instructions last night, but did so today. I ran the RenFix, have a new restore point and ComboFix is gone, but I still have Win32Diag and Avenger on my desktop....how can I delete those ?

Thanks yet once more :) Liz


Hi JSntgRvr :)

I think the comp is ok, it is running ok and also seems to boot faster.

I'm sorry I was too tired to follow your instructions last night, but did so today. I ran the RenFix, have a new restore point and ComboFix is gone, but I still have Win32Diag and Avenger on my desktop....how can I delete those ?

Thanks yet once more :) Liz

Yes. Other than Malwarebytes, all other tools should be removed.

The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
  6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  8. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  9. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  10. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!


Hi JSntgRvr :)

I know you must hear this every day, several times :), but you really have been a lifesaver. Your instructions have been extremely clear and easy to follow, even by this uninformed user.

Also much appreciated are your closing remarks, since I will do my best not to get into this situation again...even though, I still don't know how I got the darn thing. I was not surfing "questionable" sites, or doing anything which should have left me exposed to this attack, but hopefully AVAST and Malwarebytes will keep me out of trouble in the future.

The Recovery Console was installed by ComboFix as a prerequisite to the scan and I left it in place.

It is rare nowadays to find such helpful and thorough advice and support and I was very lucky to find it.

Thank YOU !!!!

Liz


So sorry I have to get back into this thread :-(.

It seems that after the clean-up of my pc, my search function is not working properly anymore, with the drives searched in random order and searched again and again.

This is what is happening when I try to search:

I go to start>search>"filexyz".....(parameters given are all the hard drives, starting with "C")

It will find "filexyz" on D drive, on Q drive and on F drive, then again on D and Q and F....it never stops...it seems to be in a loop, finding the same files over and over, but not in the order of the drives given (i.e. C,D,E,F). The filexyz found are the correct files I was looking for.

So, it actually works, but does not quit working and does not give me the results in the correct alphabetical hard disk order.

The only things I did since Sunday were to register Malwarebytes and schedule scanning, request file extensions which seemed to have disappeared during the clean-up, and scan with AVAST.


I have noticed that some of my programs are subtly affected also.

Here is a HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:29:14 PM, on 9/23/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Program Files\palmOne\HOTSYNC.EXE

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (User 'Default user')

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1243963776417

O17 - HKLM\System\CCS\Services\Tcpip\..\{7EB5D41B-9A63-430D-B471-96F9CBA271B9}: NameServer = 192.168.254.254

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--

End of file - 7113 bytes

and a mbam log:

Malwarebytes' Anti-Malware 1.41

Database version: 2822

Windows 5.1.2600 Service Pack 2

9/23/2009 8:35:01 PM

mbam-log-2009-09-23 (20-35-01).txt

Scan type: Quick Scan

Objects scanned: 95615

Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

If someone would be so kind as to look at these, and hopefully help me get my search back and my progs in order, I would muchly appreciate that. Liz

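As an added illustration (not from this thread or from HijackThis or Malwarebytes themselves), here is a small Python triage of HijackThis-style log lines, using constructed sample lines that mirror the entries posted above: it flags registrations whose target file is gone, such as the O3 toolbar and the O20 Winlogon Notify entry, and any O17 NameServer outside private address space.

```python
import ipaddress
import re

# Constructed sample in HijackThis v2 log format; the values mirror the log posted above.
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{7EB5D41B-9A63-430D-B471-96F9CBA271B9}: NameServer = 192.168.254.254
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\\Program Files\\Sandboxie\\SbieSvc.exe
"""

# Every HJT entry line starts with a section tag (R1, F2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Markers HijackThis prints when the registered file no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt_log(text):
    """Return (section, body) pairs for every entry line; process lists and headers are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag the entries a reviewer would look at first: orphaned registrations and non-local DNS."""
    findings = []
    for section, body in entries:
        if any(marker in body for marker in ORPHAN_MARKERS):
            # The registry still references a file that is gone: usually a leftover of an
            # uninstall, harmless but worth cleaning so it cannot be reused by something else.
            findings.append((section, "orphaned entry: " + body))
        elif section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", body)
            for addr in (m.group(1).split(",") if m else []):
                if not ipaddress.ip_address(addr).is_private:
                    # DNS pointed outside the LAN is a classic marker of DNS hijacking.
                    findings.append((section, "non-local DNS server: " + addr))
    return findings


if __name__ == "__main__":
    for section, reason in triage(parse_hjt_log(SAMPLE_LOG)):
        print(section, reason)
```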
