bootanuts Posted December 24, 2009 ID:174753 Share Posted December 24, 2009 When I boot up I get a window that says my computer has avirus , this is before I get a desktop on my screen. I have too close the window before I get a desktop . MalwareBytes will not open I looked in the Program Files folder and in the Malwarebytes folder the mbam.exe file is not there I uninstalled and reinstalled Malwarebytes but at the end it said it could not find the mbam.exe file. I tried to rename the setup file still no luck.I ran Alvira yesterday but it did not remove the virusI ran Hijackthis ,below is the file it generated.Thanks for any helpTim aka... bootanutsLogfile of Trend Micro HijackThis v2.0.2Scan saved at 9:28:59 PM, on 12/23/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16945)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\winupdate86.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\QuickTime\qttask.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\palmOne\Hotsync.exeC:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exeC:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dllO3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [semanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exeO4 - HKLM\..\Run: [rewugokol] Rundll32.exe "c:\windows\system32\ruziveki.dll",aO4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silentO4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0O4 - HKCU\..\Run: [28863567115271023172430148157078] C:\Program Files\Antivirus 2009\av2009.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exeO4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dllO9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkO9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkO9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exeO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\timo\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{6C87D285-3BF7-494D-914E-415E7D865DDA}: NameServer = 193.104.110.38,4.2.2.1O17 - HKLM\System\CCS\Services\Tcpip\..\{BD225C1D-C142-43E5-8B4B-EF3D3D22E534}: NameServer = 193.104.110.38,4.2.2.1,192.168.0.1O18 - Filter hijack: text/html - (no CLSID) - (no file)O20 - AppInit_DLLs: nogezote.dll c:\windows\system32\ruziveki.dllO21 - SSODL: robalovug - {84ac32bc-7ad4-4c49-93f0-ddd04ffee5cc} - c:\windows\system32\ruziveki.dllO22 - SharedTaskScheduler: jugezatag - {84ac32bc-7ad4-4c49-93f0-ddd04ffee5cc} - c:\windows\system32\ruziveki.dllO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: Google Update Service (gupdate1c95c38217184e0) (gupdate1c95c38217184e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe--End of file - 9346 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 24, 2009 Staff ID:174791 Share Posted December 24, 2009 Hi,To run malwarebytes when you get the error code 2 during install, or mbam.exe gets deleted, please see here:http://www.malwarebytes.org/forums/index.php?showtopic=29028Once malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.After reboot, post the malwarebytes log together with a new HijackThislog. Link to post Share on other sites More sharing options...
bootanuts Posted December 25, 2009 Author ID:174982 Share Posted December 25, 2009 Hello the program would not download, error code 707 (3,0) would pop up. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 25, 2009 Staff ID:175012 Share Posted December 25, 2009 Hi,Have you placed the renamed file in the C:\Program Files\Malwarebytes Antimalware folder? Because it looks like you didn't, which explains that error. Link to post Share on other sites More sharing options...
bootanuts Posted December 26, 2009 Author ID:175253 Share Posted December 26, 2009 Thank you for your time MiekeI put it, wwXBz4JB9.exe the renamed file in the C/ Program Files / Malwarebytes' Anti-Malware , folder and tried to run it. It did not work. I got an error message , well 2 actually. The first one was in a small window , titledvbAccelerator SGrid ll ControlRun-time error '0'2nd error message was a Malwarebytes titled windowerror code '440':I then tried renaming the file to "explorer.exe" in the Malwarebytes folder and I got the same2 error messages as above.Again thanks for your time and patience Tim Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 26, 2009 Staff ID:175267 Share Posted December 26, 2009 Hi,Looks like the malware already damaged too much here.Do the following instead..* Please visit this webpage for instructions for downloading and running ComboFix:http://www.bleepingcomputer.com/combofix/how-to-use-combofixPost the log from ComboFix in your next reply.Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how. Link to post Share on other sites More sharing options...
bootanuts Posted January 2, 2010 Author ID:178434 Share Posted January 2, 2010 Hi, I didn't mean to take so long but with the holidays and all. I ran ComboFix and will attache the log file. After running ComboFix the screen with the note infected computer is gone and the screne is back to normal. TimComboFix 09-12-31.A1 - timo 01/01/2010 17:27:37.1.1 - x86Running from: c:\documents and settings\timo\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}. ADS - svchost.exe: deleted 39936 bytes in 1 streams. ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\DFR16F.tmpc:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.datc:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.datC:\oqnqso.exec:\program files\Need2Findc:\program files\Need2Find\bar\History\searchc:\recycler\S-1-5-21-1763111270-1850054518-1897187023-1183c:\recycler\S-1-5-21-2127521184-1604012920-1887927527-2439749c:\recycler\S-1-5-21-3900364688-2233193267-973688402-1008C:\uwlwfa.exeC:\waxfhosk.exec:\windows\system32\6to4v32.dllc:\windows\system32\AVR10.exec:\windows\system32\badarizo.exec:\windows\system32\balineko.dllc:\windows\system32\balomane.dllc:\windows\system32\bebewute.dllc:\windows\system32\behubaza.dllc:\windows\system32\bojivira.exec:\windows\system32\BtwSrv.dllc:\windows\system32\bugeyumo.dllc:\windows\system32\Cachec:\windows\system32\certstore.datc:\windows\system32\critical_warning.htmlc:\windows\system32\dagitufa.dllc:\windows\system32\dakimuyu.dllc:\windows\system32\difasadi.exec:\windows\system32\diposeli.dllc:\windows\system32\divitawu.dllc:\windows\system32\duhepigi.dllc:\windows\system32\f6e2n486.dllc:\windows\system32\farakire.dllc:\windows\system32\FastNetSrv.exec:\windows\system32\FInstall.sysc:\windows\system32\flags.inic:\windows\system32\fopelene.dllc:\windows\system32\forefiyu.dllc:\windows\system32\fulupufa.dllc:\windows\system32\gekeyego.dllc:\windows\system32\gudadamu.dllc:\windows\system32\hewipali.dllc:\windows\system32\hinikafo.dllc:\windows\system32\hitusoli.dllc:\windows\system32\i14fh.dllc:\windows\system32\Iasv32.dllc:\windows\system32\Install.txtc:\windows\system32\jaralaze.dllc:\windows\system32\jegowibo.dllc:\windows\system32\jerosefo.dllc:\windows\system32\jifafusu.exec:\windows\system32\jisaleyu.dllc:\windows\system32\jutizowi.dllc:\windows\system32\kiganopo.dllc:\windows\system32\kikububu.dllc:\windows\system32\kiloruho.dllc:\windows\system32\kipogewu.dllc:\windows\system32\kiyituhe.dllc:\windows\system32\kumeweva.exec:\windows\system32\kunobesi.dllc:\windows\system32\kuvihube.exec:\windows\system32\lahesumo.dllc:\windows\system32\livediti.dllc:\windows\system32\liyayeki.dllc:\windows\system32\lowsecc:\windows\system32\lowsec\local.dsc:\windows\system32\lowsec\user.dsc:\windows\system32\lsm32.sysc:\windows\system32\midogiru.dllc:\windows\system32\mofanedo.exec:\windows\system32\nasijuye.dllc:\windows\system32\nidofeza.dllc:\windows\system32\nifesuro.dllc:\windows\system32\nozigita.dllc:\windows\system32\opeia.exec:\windows\system32\pibahoju.dllc:\windows\system32\raboloho.dllc:\windows\system32\robovoji.dllc:\windows\system32\rotirufe.dllc:\windows\system32\ruginefo.dllc:\windows\system32\ruwiraje.exec:\windows\system32\sdra64.exec:\windows\system32\sshnas.dllc:\windows\system32\supekede.dllc:\windows\system32\tasasifu.dllc:\windows\system32\turejaka.exec:\windows\system32\tuvikize.dllc:\windows\system32\uses32.datc:\windows\system32\viweyeju.dllc:\windows\system32\wapetose.dllc:\windows\system32\winhelper86.dllc:\windows\system32\winlogon86.exec:\windows\system32\winsts.sysc:\windows\system32\winupdate86.exec:\windows\system32\wivevevi.dllc:\windows\system32\wmdtc.exec:\windows\system32\wn33q1f53.dllc:\windows\system32\wudagodo.dllc:\windows\system32\yelahihi.dllc:\windows\system32\zekuboli.exec:\windows\system32\zutiguhi.dllc:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.jobc:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.jobc:\windows\Tasks\akumaanj.jobc:\windows\Temp\1121644512.exec:\windows\Temp\242142352.exec:\windows\Temp\2567263264.exec:\windows\Temp\2763101296.exec:\windows\Temp\2815325216.exec:\windows\Temp\2941029440.exec:\windows\Temp\3214021984.exec:\windows\Temp\3663424624.exec:\windows\Temp\3967410560.exec:\windows\Temp\566056944.exec:\windows\Temp\lsass.exec:\windows\TEMP\mta13187.dllc:\windows\TEMP\x1c40101.dll----- BITS: Possible infected sites -----hxxp://82.98.235.29hxxp://82.98.231.102Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it .((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_BTWSRV-------\Legacy_FASTNETSRV-------\Legacy_FCI-------\Legacy_IAS-------\Legacy_SSHNAS-------\Legacy_WINSTS-------\Service_BtwSrv-------\Service_fastnetsrv-------\Service_FCI-------\Service_Ias-------\Service_SSHNAS-------\Service_winsts((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 ))))))))))))))))))))))))))))))).2010-01-01 11:08 . 2010-01-01 11:08 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData2010-01-01 08:28 . 2010-01-01 23:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe2009-12-31 04:12 . 2010-01-02 02:05 773120 ----a-w- c:\windows\system32\drivers\niduly.sys2009-12-30 23:55 . 2009-12-30 23:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData2009-12-26 13:45 . 2009-12-26 13:45 5838 --sh--w- c:\windows\system32\latesuti.dll2009-12-24 04:27 . 2009-12-24 04:27 -------- d-----w- c:\program files\Trend Micro.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-01-01 23:17 . 2006-12-19 03:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg72010-01-01 14:34 . 2008-12-09 00:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater2010-01-01 04:43 . 2008-10-23 09:00 -------- d-----w- c:\program files\PlayersOnly Poker2009-12-26 03:24 . 2009-08-24 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-12-25 02:15 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe2009-12-20 04:55 . 2004-05-24 02:16 -------- d-----w- c:\program files\Google2009-12-15 01:59 . 2009-12-15 01:59 185240 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcext.dll2009-12-15 01:59 . 2009-12-15 01:59 28488 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcdec.dll2009-12-15 01:59 . 2009-12-15 01:59 61848 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll2009-12-15 01:58 . 2007-12-31 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat2009-12-08 03:54 . 2009-03-30 23:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-11-28 18:20 . 2009-11-27 14:38 79488 ----a-w- c:\documents and settings\timo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll2009-11-22 22:51 . 2007-07-26 06:04 -------- d-----w- c:\program files\PokerStars2009-11-19 18:48 . 2009-11-26 11:33 872960 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll2009-11-19 18:48 . 2009-11-26 11:33 43008 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll2009-11-19 18:48 . 2009-11-26 11:33 340480 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll2009-11-19 18:48 . 2009-11-26 11:33 346624 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll2009-11-11 05:30 . 2007-12-09 20:42 -------- d-----w- c:\program files\UltimateBet2009-10-29 07:46 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\SYSTEM32\fijiveni.dll.------- Sigcheck -------[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-09 26112]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 98304]"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-02-25 590848]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 136600][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-1-6 24576][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="c:\\Program Files\\CarbonPoker\\client.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Grisoft\\AVG Free\\avgw.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]"AllowInboundTimestampRequest"= 1 (0x1)"AllowInboundMaskRequest"= 1 (0x1)"AllowInboundRouterRequest"= 1 (0x1)"AllowOutboundDestinationUnreachable"= 1 (0x1)"AllowOutboundSourceQuench"= 1 (0x1)"AllowOutboundParameterProblem"= 1 (0x1)"AllowOutboundTimeExceeded"= 1 (0x1)"AllowRedirect"= 1 (0x1)"AllowOutboundPacketTooBig"= 1 (0x1)R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]S3 ndisdrv;ndisdrv;c:\windows\SYSTEM32\ndisdrv.sys [8/4/2004 5:00 AM 2304]S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536]--- Other Services/Drivers In Memory ---*Deregistered* - niduly.Contents of the 'Scheduled Tasks' folder2010-01-02 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-24 05:52]2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]..------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.htmlmWindow Title = uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.htmlIE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkTrusted Zone: earthlink.netTrusted Zone: microsoft.com\wwwTCP: {6C87D285-3BF7-494D-914E-415E7D865DDA} = 193.104.110.38,4.2.2.1TCP: {BD225C1D-C142-43E5-8B4B-EF3D3D22E534} = 193.104.110.38,4.2.2.1,192.168.0.1FF - ProfilePath - c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\FF - prefs.js: network.proxy.type - 4FF - component: c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dllFF - plugin: c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dllFF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dllFF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dllFF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll.- - - - ORPHANS REMOVED - - - -BHO-{1b7d82a7-d304-446d-8c7a-68e365aa7856} - pibahoju.dllHKCU-Run-Sonic RecordNow! - (no file)HKLM-Run-rewugokol - c:\windows\system32\zahariho.dllHKLM-Run-vikavarese - kunobesi.dllSharedTaskScheduler-{cca47350-b8bd-4348-b8fb-5c4738a8e0d3} - c:\windows\system32\zahariho.dllSSODL-wijidelek-{cca47350-b8bd-4348-b8fb-5c4738a8e0d3} - c:\windows\system32\zahariho.dllAddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exeAddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exeAddRemove-A-18 CSF Demo - c:\i-magic\iF18Demo\Uninst.isuAddRemove-Return Fire II 3Dfx Demo - c:\program files\Prolific PublishingAddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-01-01 19:03Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\niduly].--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1252)c:\program files\Funk Software\Odyssey Client\odLogin.dll- - - - - - - > 'explorer.exe'(956)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\mshtml.dll.------------------------ Other Running Processes ------------------------.c:\windows\System32\SCardSvr.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exec:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exec:\progra~1\Grisoft\AVGFRE~1\avgemc.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\wdfmgr.exec:\windows\system32\wscntfy.exec:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exec:\program files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe.**************************************************************************.Completion time: 2010-01-01 19:16:05 - machine was rebootedComboFix-quarantined-files.txt 2010-01-02 02:16Pre-Run: 11,336,708,096 bytes freePost-Run: 11,965,775,872 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin- - End Of File - - 05B490A34DD57511CEFB5F75680452E9 Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 2, 2010 Staff ID:178531 Share Posted January 2, 2010 Hi,I notice from your log that there's more than 1 Antivirus installed. AVG and AviraNever install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously! The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time. Also because more than one Antivirus and Firewall installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown. So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.Then reboot after uninstalling.* Open notepad - don't use any other texteditor than notepad or the script will fail.Copy/paste the text in the quotebox below into notepad:Collect::[8]c:\windows\system32\latesuti.dllc:\windows\SYSTEM32\fijiveni.dllc:\windows\system32\drivers\niduly.sysDriver::nidulySave this as txtfile CFScript Then drag the CFScript into ComboFix.exe as you see in the screenshot below.This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply. Link to post Share on other sites More sharing options...
bootanuts Posted January 3, 2010 Author ID:178876 Share Posted January 3, 2010 Hello, I uninstalled AVG, run ComboFix and here is the log file. TimComboFix 10-01-02.01 - timo 01/02/2010 17:35:29.2.1 - x86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.289 [GMT -7:00]Running from: c:\documents and settings\timo\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\timo\Desktop\CFScript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}file zipped: c:\windows\system32\drivers\niduly.sysfile zipped: c:\windows\SYSTEM32\fijiveni.dllfile zipped: c:\windows\system32\latesuti.dll.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\Install.txtc:\windows\system32\drivers\niduly.sysc:\windows\system32\fijiveni.dllc:\windows\system32\latesuti.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_NIDULY-------\Service_niduly((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 ))))))))))))))))))))))))))))))).2010-01-01 11:08 . 2010-01-01 11:08 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData2010-01-01 08:31 . 2010-01-01 08:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AdobeUM2010-01-01 08:28 . 2010-01-01 23:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe2009-12-30 23:55 . 2009-12-30 23:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData2009-12-24 04:27 . 2009-12-24 04:27 -------- d-----w- c:\program files\Trend Micro2009-12-15 01:59 . 2009-12-15 01:59 185240 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcext.dll2009-12-15 01:59 . 2009-12-15 01:59 28488 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcdec.dll2009-12-15 01:59 . 2009-12-15 01:59 61848 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-01-02 23:41 . 2008-12-09 00:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater2010-01-02 11:43 . 2008-10-23 09:00 -------- d-----w- c:\program files\PlayersOnly Poker2009-12-26 03:24 . 2009-08-24 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-12-25 02:15 . 2004-08-04 12:00 14336 ------w- c:\windows\system32\svchost.exe2009-12-20 04:55 . 2004-05-24 02:16 -------- d-----w- c:\program files\Google2009-12-15 01:58 . 2007-12-31 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat2009-12-08 03:54 . 2009-03-30 23:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-11-28 18:20 . 2009-11-27 14:38 79488 ----a-w- c:\documents and settings\timo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll2009-11-22 22:51 . 2007-07-26 06:04 -------- d-----w- c:\program files\PokerStars2009-11-19 18:48 . 2009-11-26 11:33 872960 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll2009-11-19 18:48 . 2009-11-26 11:33 43008 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll2009-11-19 18:48 . 2009-11-26 11:33 340480 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll2009-11-19 18:48 . 2009-11-26 11:33 346624 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll2009-11-11 05:30 . 2007-12-09 20:42 -------- d-----w- c:\program files\UltimateBet2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll.------- Sigcheck -------[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-09 26112]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 98304]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 136600]c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-1-6 24576][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\CarbonPoker\\client.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]"AllowInboundTimestampRequest"= 1 (0x1)"AllowInboundMaskRequest"= 1 (0x1)"AllowInboundRouterRequest"= 1 (0x1)"AllowOutboundDestinationUnreachable"= 1 (0x1)"AllowOutboundSourceQuench"= 1 (0x1)"AllowOutboundParameterProblem"= 1 (0x1)"AllowOutboundTimeExceeded"= 1 (0x1)"AllowRedirect"= 1 (0x1)"AllowOutboundPacketTooBig"= 1 (0x1)R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]S3 ndisdrv;ndisdrv;c:\windows\SYSTEM32\ndisdrv.sys [8/4/2004 5:00 AM 2304]S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536].Contents of the 'Scheduled Tasks' folder2010-01-03 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-24 05:52]2010-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]2010-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]..------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.htmlmWindow Title = uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.htmlIE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkTrusted Zone: earthlink.netTrusted Zone: microsoft.com\wwwTCP: {6C87D285-3BF7-494D-914E-415E7D865DDA} = 193.104.110.38,4.2.2.1TCP: {BD225C1D-C142-43E5-8B4B-EF3D3D22E534} = 193.104.110.38,4.2.2.1,192.168.0.1FF - ProfilePath - c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\FF - prefs.js: network.proxy.type - 4FF - component: c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-01-02 17:50Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(764)c:\program files\Funk Software\Odyssey Client\odLogin.dll- - - - - - - > 'explorer.exe'(2220)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\mshtml.dll.------------------------ Other Running Processes ------------------------.c:\windows\System32\SCardSvr.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\wdfmgr.exec:\windows\system32\wscntfy.exec:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exec:\program files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe.**************************************************************************.Completion time: 2010-01-02 17:59:52 - machine was rebootedComboFix-quarantined-files.txt 2010-01-03 00:59ComboFix2.txt 2010-01-02 02:16Pre-Run: 12,273,922,048 bytes freePost-Run: 12,250,456,064 bytes free- - End Of File - - 7166774F5CC564B7743F18A9AD12605F Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 3, 2010 Staff ID:178999 Share Posted January 3, 2010 Hi,* Go to start > run and copy and paste next command in the field:ComboFix /UninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Then, * Go here to run an online scannner from ESET.Note: You will need to use Internet explorer for this scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartCheck next options: Remove found threats and Scan unwanted applications.Click ScanWait for the scan to finishUse notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txtCopy and paste that log in your next reply and also let me know how things are now. Link to post Share on other sites More sharing options...
bootanuts Posted January 4, 2010 Author ID:179477 Share Posted January 4, 2010 Hello MiekiemoesI was not able to follow your instructions in your last post. My computer seemed to be running better, I was on the internet for a couple hours , So I had shut it down for the nite, but when I booted up the next day, I got that same Antivirus message, that I got originaly on my screen before I got a desktop (it had went away, the antivirus message ), when I finnally did get a desktop I could not get an internet connection. I tried to reboot it (sometimes that works when I can't get an internet connection ), but now I just get a blue screen that says;Page_Fault_In_Nonpaged_areaSTOP: 0x0000007E (0xC0000005,0x81B64113 ,0xF899AB0, 0xF899A4AC )I have tried to reboot in Safemode and safemode with networking but I get the same blue screen.Page_fault_in_nonpaged_areaI am at a loss as to what happened or where to go from here. I do appreciate your helpthanksBootanuts Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 4, 2010 Staff ID:179478 Share Posted January 4, 2010 Hi,Looks like the malware already caused too much damage in a meanwhile unfortunately. Cleaning the malware doesn't repair the damage.After all, your computer was SEVERLY infected. I'm actually suprised it was still able to boot.What I suggest here is a Windows repair install and see if that solves it. A Windows repair install won't delete your data:http://michaelstevenstech.com/XPrepairinstall.htm Link to post Share on other sites More sharing options...
bootanuts Posted January 8, 2010 Author ID:181370 Share Posted January 8, 2010 Hello, I ran the diagnostics program from the boot menu, it passed. My computer booted, desk top came back with the infected computer note and a internet security 2010 anti-virus program. The name of the virus is worm. win32.netsky. I ran hijackthis again and here's the log file. I did not run recovery council.TimToolbar\GoogleToolbar_32.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dllO3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exeO4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exeO4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exeO8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dllO9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkO9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkO9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exeO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\timo\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dllO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{6C87D285-3BF7-494D-914E-415E7D865DDA}: NameServer = 193.104.110.38,4.2.2.1O17 - HKLM\System\CCS\Services\Tcpip\..\{BD225C1D-C142-43E5-8B4B-EF3D3D22E534}: NameServer = 193.104.110.38,4.2.2.1,192.168.0.1O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Google Update Service (gupdate1c95c38217184e0) (gupdate1c95c38217184e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe--End of file - 7897 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 8, 2010 Staff ID:181404 Share Posted January 8, 2010 Hi,Please install Malwarebytes, (newest version), but before you install, rename the mbam-setup.exe to firefox.exeThen install.Once installed, navigate to the C:\Program Files\Malwarebytes' anti-malware folder and locate mbam.exe in there. Rename it to firefox.exe as well and launch it in order to run the scan.Post the malwarebytes log in your next reply together with a new HijackThislog. Link to post Share on other sites More sharing options...
bootanuts Posted January 13, 2010 Author ID:183468 Share Posted January 13, 2010 Hello,I ran malware, my computer tried to reboot after malware was finished but the blue screen came back. Everytime I tried to boot up blue screen. Ran tests from the boot menu dianostics page and my desktop came back without the infected computer message. Here's the logs from malware and hijackthis.TimMalwarebytes' Anti-Malware 1.44Database version: 3510Windows 5.1.2600 Service Pack 2Internet Explorer 7.0.5730.131/10/2010 8:21:10 AMmbam-log-2010-01-10 (08-21-10).txtScan type: Full Scan (C:\|)Objects scanned: 258400Time elapsed: 7 hour(s), 40 minute(s), 34 second(s)Memory Processes Infected: 2Memory Modules Infected: 1Registry Keys Infected: 1Registry Values Infected: 6Registry Data Items Infected: 12Folders Infected: 1Files Infected: 87Memory Processes Infected:C:\WINDOWS\SYSTEM32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.C:\Program Files\InternetSecurity2010\IS2010.exe (Trojan.FakeAlert) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6c87d285-3bf7-494d-914e-415e7d865dda}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1 -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd225c1d-c142-43e5-8b4b-ef3d3d22e534}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.0.1 -> Quarantined and deleted successfully.Folders Infected:C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\SYSTEM32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Program Files\InternetSecurity2010\IS2010.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\timo\Local Settings\temp\pdfupd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\timo\Local Settings\Temporary Internet Files\Content.IE5\6LS9YWJM\update[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\uwlwfa.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\waxfhosk.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\6to4v32.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\AVR10.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\balineko.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\balomane.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bebewute.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\behubaza.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\BtwSrv.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bugeyumo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dagitufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\difasadi.exe.vir (Rogue.Antivirus.Plus) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\diposeli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\divitawu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\f6e2n486.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\FastNetSrv.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fijiveni.dll.vir (Malware.Trace) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fopelene.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\forefiyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fulupufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gudadamu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hinikafo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hitusoli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\i14fh.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\Iasv32.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jisaleyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kiganopo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kiloruho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kumeweva.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kunobesi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kuvihube.exe.vir (Rogue.Antivirus.Plus) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lahesumo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\latesuti.dll.vir (Malware.Trace) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lsm32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\midogiru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gekeyego.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jegowibo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kiyituhe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nasijuye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nifesuro.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nozigita.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\opeia.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pibahoju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\robovoji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rotirufe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ruginefo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ruwiraje.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sshnas.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\supekede.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tasasifu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\turejaka.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tuvikize.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\viweyeju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon86.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winsts.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winupdate86.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wmdtc.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wn33q1f53.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yelahihi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zekuboli.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\niduly.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000025.dll (Malware.Trace) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000026.dll (Malware.Trace) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000035.sys (Rootkit.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000180.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000125.sys (Malware.Trace) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000168.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000170.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000178.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0001178.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0001180.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0002178.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\FastNetSrv.exex (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\bwsb.gio (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\timo\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.C:\Documents and Settings\timo\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\Prefetch\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:45:49 PM, on 1/12/2010Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16945)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\palmOne\Hotsync.exeC:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exeC:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wuauclt.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dllO3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exeO4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exeO8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dllO9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkO9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkO9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exeO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\timo\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cabO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Google Update Service (gupdate1c95c38217184e0) (gupdate1c95c38217184e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe--End of file - 7115 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 13, 2010 Staff ID:183533 Share Posted January 13, 2010 Hi,Can you also rescan with Combofix and post the log here?I still have a bad feeling about this, because some malware you were dealing with comes with Virut, which is a file infector and latest variant is badly detected. Link to post Share on other sites More sharing options...
bootanuts Posted January 16, 2010 Author ID:184675 Share Posted January 16, 2010 Hello,I ran combofix, here's the log file.Tim ComboFix 10-01-15.01 - timo 01/15/2010 23:31:19.3.1 - x86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.295 [GMT -7:00]Running from: c:\documents and settings\timo\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\timo\Desktop\Internet Security 2010.lnkc:\windows\system32\10291.exec:\windows\system32\10383.exec:\windows\system32\11020.exec:\windows\system32\11323.exec:\windows\system32\11337.exec:\windows\system32\11478.exec:\windows\system32\1150.exec:\windows\system32\11538.exec:\windows\system32\11840.exec:\windows\system32\11942.exec:\windows\system32\12052.exec:\windows\system32\12287.exec:\windows\system32\12316.exec:\windows\system32\12382.exec:\windows\system32\12623.exec:\windows\system32\12859.exec:\windows\system32\13030.exec:\windows\system32\13290.exec:\windows\system32\13931.exec:\windows\system32\13966.exec:\windows\system32\13977.exec:\windows\system32\14604.exec:\windows\system32\14771.exec:\windows\system32\14893.exec:\windows\system32\14945.exec:\windows\system32\15006.exec:\windows\system32\15141.exec:\windows\system32\153.exec:\windows\system32\15350.exec:\windows\system32\15457.exec:\windows\system32\15573.exec:\windows\system32\15574.exec:\windows\system32\15724.exec:\windows\system32\15890.exec:\windows\system32\16118.exec:\windows\system32\16413.exec:\windows\system32\16512.exec:\windows\system32\16541.exec:\windows\system32\1655.exec:\windows\system32\16827.exec:\windows\system32\16941.exec:\windows\system32\16944.exec:\windows\system32\17035.exec:\windows\system32\17410.exec:\windows\system32\17421.exec:\windows\system32\17673.exec:\windows\system32\18007.exec:\windows\system32\18127.exec:\windows\system32\1842.exec:\windows\system32\18467.exec:\windows\system32\18588.exec:\windows\system32\18636.exec:\windows\system32\1869.exec:\windows\system32\18716.exec:\windows\system32\18756.exec:\windows\system32\18762.exec:\windows\system32\19072.exec:\windows\system32\19169.exec:\windows\system32\19264.exec:\windows\system32\19629.exec:\windows\system32\19668.exec:\windows\system32\19718.exec:\windows\system32\19895.exec:\windows\system32\19912.exec:\windows\system32\19954.exec:\windows\system32\1999.exec:\windows\system32\20037.exec:\windows\system32\20537.exec:\windows\system32\2082.exec:\windows\system32\21538.exec:\windows\system32\21548.exec:\windows\system32\21724.exec:\windows\system32\21726.exec:\windows\system32\22190.exec:\windows\system32\22355.exec:\windows\system32\22386.exec:\windows\system32\22648.exec:\windows\system32\22704.exec:\windows\system32\22929.exec:\windows\system32\2306.exec:\windows\system32\23199.exec:\windows\system32\23281.exec:\windows\system32\23655.exec:\windows\system32\23805.exec:\windows\system32\23811.exec:\windows\system32\23986.exec:\windows\system32\24021.exec:\windows\system32\24084.exec:\windows\system32\24221.exec:\windows\system32\24350.exec:\windows\system32\24393.exec:\windows\system32\24464.exec:\windows\system32\24484.exec:\windows\system32\24626.exec:\windows\system32\24767.exec:\windows\system32\24946.exec:\windows\system32\25547.exec:\windows\system32\25667.exec:\windows\system32\26299.exec:\windows\system32\26308.exec:\windows\system32\26418.exec:\windows\system32\26500.exec:\windows\system32\26777.exec:\windows\system32\26924.exec:\windows\system32\26962.exec:\windows\system32\27348.exec:\windows\system32\27350.exec:\windows\system32\27446.exec:\windows\system32\27506.exec:\windows\system32\27529.exec:\windows\system32\27595.exec:\windows\system32\27624.exec:\windows\system32\27644.exec:\windows\system32\27753.exec:\windows\system32\27938.exec:\windows\system32\28145.exec:\windows\system32\28253.exec:\windows\system32\28703.exec:\windows\system32\28745.exec:\windows\system32\288.exec:\windows\system32\29168.exec:\windows\system32\292.exec:\windows\system32\29358.exec:\windows\system32\29658.exec:\windows\system32\2995.exec:\windows\system32\30106.exec:\windows\system32\30191.exec:\windows\system32\30333.exec:\windows\system32\3035.exec:\windows\system32\30836.exec:\windows\system32\31101.exec:\windows\system32\31107.exec:\windows\system32\31115.exec:\windows\system32\31322.exec:\windows\system32\31673.exec:\windows\system32\32209.exec:\windows\system32\32391.exec:\windows\system32\32439.exec:\windows\system32\32591.exec:\windows\system32\32662.exec:\windows\system32\32757.exec:\windows\system32\3430.exec:\windows\system32\3548.exec:\windows\system32\3602.exec:\windows\system32\3728.exec:\windows\system32\3788.exec:\windows\system32\3902.exec:\windows\system32\4031.exec:\windows\system32\4041.exec:\windows\system32\4596.exec:\windows\system32\4639.exec:\windows\system32\4664.exec:\windows\system32\467.exec:\windows\system32\4734.exec:\windows\system32\4827.exec:\windows\system32\4833.exec:\windows\system32\491.exec:\windows\system32\4966.exec:\windows\system32\5021.exec:\windows\system32\5097.exec:\windows\system32\53.exec:\windows\system32\5436.exec:\windows\system32\5447.exec:\windows\system32\5537.exec:\windows\system32\5705.exec:\windows\system32\5829.exec:\windows\system32\6270.exec:\windows\system32\6334.exec:\windows\system32\6359.exec:\windows\system32\6422.exec:\windows\system32\6483.exec:\windows\system32\6868.exec:\windows\system32\6900.exec:\windows\system32\7376.exec:\windows\system32\7711.exec:\windows\system32\778.exec:\windows\system32\8281.exec:\windows\system32\8723.exec:\windows\system32\8909.exec:\windows\system32\8942.exec:\windows\system32\900.exec:\windows\system32\9040.exec:\windows\system32\9161.exec:\windows\system32\9374.exec:\windows\system32\9741.exec:\windows\system32\9758.exec:\windows\system32\9894.exec:\windows\system32\9930.exec:\windows\system32\9961.exeInfected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it .((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 ))))))))))))))))))))))))))))))).2010-01-10 06:48 . 2010-01-10 06:48 -------- d-----w- c:\documents and settings\timo\Application Data\Malwarebytes2010-01-10 06:48 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-10 06:48 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2010-01-10 06:48 . 2010-01-10 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-01-03 03:05 . 2010-01-03 03:05 -------- d-----w- C:\spoolerlogs2010-01-01 11:08 . 2010-01-01 11:08 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData2010-01-01 08:31 . 2010-01-01 08:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AdobeUM2010-01-01 08:28 . 2010-01-01 23:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe2009-12-30 23:55 . 2009-12-30 23:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData2009-12-24 04:27 . 2009-12-24 04:27 -------- d-----w- c:\program files\Trend Micro.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-01-16 03:37 . 2008-12-09 00:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater2010-01-16 03:17 . 2008-10-23 09:00 -------- d-----w- c:\program files\PlayersOnly Poker2010-01-10 14:28 . 2004-08-04 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys2010-01-10 01:15 . 2007-12-31 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat2010-01-04 03:22 . 2006-01-04 13:12 90112 ----a-w- c:\windows\DUMP5461.tmp2009-12-25 02:15 . 2004-08-04 12:00 14336 ------w- c:\windows\system32\svchost.exe2009-12-20 04:55 . 2004-05-24 02:16 -------- d-----w- c:\program files\Google2009-12-15 01:59 . 2009-12-15 01:59 185240 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcext.dll2009-12-15 01:59 . 2009-12-15 01:59 28488 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcdec.dll2009-12-15 01:59 . 2009-12-15 01:59 61848 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll2009-12-08 03:54 . 2009-03-30 23:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-11-28 18:20 . 2009-11-27 14:38 79488 ----a-w- c:\documents and settings\timo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll2009-11-22 22:51 . 2007-07-26 06:04 -------- d-----w- c:\program files\PokerStars2009-11-19 18:48 . 2009-11-26 11:33 872960 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll2009-11-19 18:48 . 2009-11-26 11:33 43008 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll2009-11-19 18:48 . 2009-11-26 11:33 340480 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll2009-11-19 18:48 . 2009-11-26 11:33 346624 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys.------- Sigcheck -------[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-09 26112]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 98304]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 136600]c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-1-6 24576][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\CarbonPoker\\client.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]"AllowInboundTimestampRequest"= 1 (0x1)"AllowInboundMaskRequest"= 1 (0x1)"AllowInboundRouterRequest"= 1 (0x1)"AllowOutboundDestinationUnreachable"= 1 (0x1)"AllowOutboundSourceQuench"= 1 (0x1)"AllowOutboundParameterProblem"= 1 (0x1)"AllowOutboundTimeExceeded"= 1 (0x1)"AllowRedirect"= 1 (0x1)"AllowOutboundPacketTooBig"= 1 (0x1)R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]S0 dexn;dexn;c:\windows\system32\drivers\rbyqgm.sys --> c:\windows\system32\drivers\rbyqgm.sys [?]S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536].Contents of the 'Scheduled Tasks' folder2010-01-16 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-24 05:52]2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]..------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.htmlmWindow Title = uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.htmlIE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnkTrusted Zone: earthlink.netTrusted Zone: microsoft.com\wwwFF - ProfilePath - c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\FF - prefs.js: network.proxy.type - 4FF - component: c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dllFF - plugin: c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dllFF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dllFF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dllFF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-01-15 23:48Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1244)c:\program files\Funk Software\Odyssey Client\odLogin.dll- - - - - - - > 'explorer.exe'(992)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\mshtml.dll.------------------------ Other Running Processes ------------------------.c:\windows\System32\SCardSvr.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\wdfmgr.exec:\windows\system32\wscntfy.exec:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exec:\program files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe.**************************************************************************.Completion time: 2010-01-15 23:58:43 - machine was rebootedComboFix-quarantined-files.txt 2010-01-16 06:58ComboFix2.txt 2010-01-03 00:59ComboFix3.txt 2010-01-02 02:16Pre-Run: 12,004,196,352 bytes freePost-Run: 11,980,881,920 bytes free- - End Of File - - 288400034CCF1D505B1C5EF3D64FDF72 Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 16, 2010 Staff ID:184681 Share Posted January 16, 2010 Hi,Go to start > run and copy and paste next command in the field:sc delete dexnHit enterThen, * Go to start > run and copy and paste next command in the field:ComboFix /UninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Let me know in your next reply how things are now. Link to post Share on other sites More sharing options...
bootanuts Posted January 18, 2010 Author ID:185807 Share Posted January 18, 2010 Hello,Every thing seems to be working fine now, the 2010 anti-virus icon is gone from my desk top. Tim Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 18, 2010 Staff ID:185818 Share Posted January 18, 2010 Good to hear. Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 20, 2010 Staff ID:186666 Share Posted January 20, 2010 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts