too many problems to list in a title
OK, my problems started on Wednesday, when I think I was infected with Zlob. My clock changed to VIRUS ALERT, along with my Windows key. My C: drive disappeared from my computer, as well as all programs, Control Panel, My Network Places, and My Computer from the Start menu. However, after a helpful IT techy friend of mine gave my problem some attention, I downloaded SmitFraudFix, ran that and it seemed to fix my problem. I copied some starting config files which restored everything that had gone missing, and I found where the VIRUS ALERT thing was coming from in the registry, removing that problem as well. Then I noticed that Mozilla Firefox was being very weird. At the moment...
I can't get into my Hotmail inbox; I click the link and nothing happens (it doesn't do this with other sites).
Some sites will load, then go blank.
Sometimes when I open a site for the first time it says that the document was blank, then retrying allows it to load properly.
If I have more than one tab open loading a page, it crashes.
It's generally very slow.
Occasionally new windows will pop up telling me that I need to do stuff with my antivirus.
When I click on a link from a search in Google, it opens a new tab with a random page in it.
For a while it would only let me type backwards in Firefox; the letters would move to the right while the cursor stayed still. This stopped today though.
I tried uninstalling Firefox and reinstalling, but it didn't help.
Internet Explorer is just as bad, if not worse.
I had trouble booting up this morning; however, I don't know whether this is to do with the virus or to do with a known problem with my PSU.
Other problems: my antivirus (AVG) is being blocked from updating, as were the spyware removers listed on http://icrontic.com/forum/showthread.php?t=43902
When I tried to download the spyware removers from the links provided, it would say the page couldn't be found (on all of them, and alternative pages I searched for). In the end I had friends download them for me and send them to me. After being sent the installation file for Spybot Search & Destroy, it tried to install. When it tried to connect to the file server to download other files, it couldn't, so that hasn't been installed.
When I tried to use the online scans, the pages "couldn't be found" and so I can't provide you with these logs; however, I managed to get a friend to send me HijackThis, and it gave me the following log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:21, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\xfire\xfire.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\matt\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\Win70.exe] C:\Windows\system32\Win70.exe
O4 - HKLM\..\Run: [\Win71.exe] C:\Windows\system32\Win71.exe
O4 - HKLM\..\Run: [\Win72.exe] C:\Windows\system32\Win72.exe
O4 - HKLM\..\Run: [\Win73.exe] C:\Windows\system32\Win73.exe
O4 - HKLM\..\Run: [\Win74.exe] C:\Windows\system32\Win74.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [24642eac] rundll32.exe "C:\WINDOWS\system32\beuaphaa.dll",b
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [\Win70.exe] C:\Windows\system32\Win70.exe
O4 - HKCU\..\Run: [\Win71.exe] C:\Windows\system32\Win71.exe
O4 - HKCU\..\Run: [\Win72.exe] C:\Windows\system32\Win72.exe
O4 - HKCU\..\Run: [\Win73.exe] C:\Windows\system32\Win73.exe
O4 - HKCU\..\Run: [\Win74.exe] C:\Windows\system32\Win74.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Xfire.lnk = C:\Program Files\xfire\xfire.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\CLUE Classic\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly Here and Now\Images\armhelper.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F941F2BB-73B6-4262-803C-A7DED46B1393}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Thank you to the experts in advance.
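As an added example (not a tool from this thread, and not part of HijackThis itself), the script below parses O4 autorun lines in HijackThis format and flags the patterns visible in the log above: Run values whose name begins with a backslash, values named with eight hex characters, rundll32 loading a system32 DLL through a one-letter export, and the same command registered under more than one hive. The sample lines are copied from this thread's log; the rules are triage heuristics, not a verdict on any file.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: O4 (Run-key autostart) lines copied from the HijackThis
# log posted in this thread, mixing legitimate entries with the suspicious ones.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\Win70.exe] C:\Windows\system32\Win70.exe
O4 - HKLM\..\Run: [24642eac] rundll32.exe "C:\WINDOWS\system32\beuaphaa.dll",b
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [\Win70.exe] C:\Windows\system32\Win70.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
""".strip().splitlines()

# One HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>" with an
# optional " (User '...')" suffix on HKUS entries.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '[^']*'\))?$"
)
# A rundll32 invocation: rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(lines):
    """Parse O4 lines into Autorun records; other lines are ignored."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["name"], m["command"]))
    return entries


def triage(entries):
    """Attach a reason to every entry matching a pattern seen in this thread's log."""
    # Which hives (HKLM, HKCU, per-user SIDs) carry each command.
    hives_per_command = defaultdict(set)
    for e in entries:
        hives_per_command[e.command.lower()].add(e.hive)
    for e in entries:
        if e.name.startswith("\\"):
            e.reasons.append("value name starts with a backslash, which installers do not write")
        if HEX_NAME_RE.match(e.name):
            e.reasons.append("value name is eight random-looking hex characters")
        m = RUNDLL_RE.match(e.command)
        if m and SYSTEM32_RE.search(m["dll"]) and len(m["export"]) <= 1:
            e.reasons.append("rundll32 loads a system32 DLL through a one-letter export")
        if len(hives_per_command[e.command.lower()]) > 1:
            e.reasons.append("same command installed under more than one Run hive")
    return entries


def suspicious_names(lines):
    """Value names flagged by triage(), in log order, without duplicates."""
    seen = []
    for e in triage(parse_o4(lines)):
        if e.suspicious and e.name not in seen:
            seen.append(e.name)
    return seen


if __name__ == "__main__":
    for e in triage(parse_o4(SAMPLE_O4_LINES)):
        flag = "SUSPECT" if e.suspicious else "ok     "
        print(f"{flag} {e.hive:<16} [{e.name}] {e.command}")
        for r in e.reasons:
            print(f"           - {r}")
```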
Comments
You may need another computer to download the tools and transfer to this computer.
Please do the following...
1. I need a file scanned...
- Go to VirusTotal
- Copy and paste the following file path into the Search Box in the middle of the page:
- C:\Windows\system32\Win70.exe
- Now, click on the Send File button
- Save a copy of the Anti-Virus results only. Post the results in your next reply.
2. Please visit this webpage for download links and instructions for running ComboFix.exe: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
VirusTotal result
C:\ComboFix.txt
New HijackThis log.
1. Can't find Win70.exe in system32. It's there, it says so in the logs of one of the scans, and I've turned on hidden files and folders, still can't see it.
The other logs:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\matt\Application Data\Adobe\crc.dat
C:\Documents and Settings\matt\Application Data\macromedia\Flash Player\#SharedObjects\Y825R8M9\interclick.com
C:\Documents and Settings\matt\Application Data\macromedia\Flash Player\#SharedObjects\Y825R8M9\interclick.com\ud.sol
C:\Documents and Settings\matt\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\matt\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
C:\WINDOWS\BM27571d30.txt
C:\WINDOWS\BM27571d30.xml
C:\WINDOWS\edlb.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aasvtpwq.dll
C:\WINDOWS\system32\bvbluwjj.dll
C:\WINDOWS\system32\ddcCSijH.dll
C:\WINDOWS\system32\fgMUFfhk.ini
C:\WINDOWS\system32\fgMUFfhk.ini2
C:\WINDOWS\system32\gudrtbkt.dll
C:\WINDOWS\system32\HQpsDfhk.ini
C:\WINDOWS\system32\HQpsDfhk.ini2
C:\WINDOWS\system32\jbvpgs.dll
C:\WINDOWS\system32\jkkKEtRK.dll
C:\WINDOWS\system32\khfDspQH.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\niuleylu.dll
C:\WINDOWS\system32\nlkyxo.dll
C:\WINDOWS\system32\ppvoibrh.dll
C:\WINDOWS\system32\qwptvsaa.ini
C:\WINDOWS\system32\rybkdicv.ini
C:\WINDOWS\system32\sljmwd.dll
C:\WINDOWS\system32\ssuDcccf.ini
C:\WINDOWS\system32\ssuDcccf.ini2
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\vcidkbyr.dll
C:\WINDOWS\system32\yaxecwrp.ini
C:\WINDOWS\system32\zmwjsu.dll
C:\WINDOWS\xml2u32h.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.
2008-08-17 14:12 . 2008-08-17 14:12 <DIR> dr-h----- C:\Documents and Settings\matt\Application Data\SecuROM
2008-08-17 05:07 . 2008-08-17 05:07 <DIR> d-------- C:\new
2008-08-16 18:05 . 2008-08-17 13:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-16 18:05 . 2008-08-16 18:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-16 16:54 . 2008-08-16 16:54 <DIR> d-------- C:\WINDOWS\ShellNew
2008-08-16 16:54 . 2008-08-16 16:54 <DIR> d-------- C:\Program Files\AutoHotkey
2008-08-15 14:25 . 2008-08-15 14:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-15 14:25 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-08-15 13:24 . 2008-08-15 13:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-15 13:24 . 2008-08-15 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-15 12:24 . 2008-08-17 12:56 826 --ahs---- C:\WINDOWS\system32\aahpaueb.ini
2008-08-12 20:04 . 2008-08-12 20:39 2,328 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-12 20:03 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-12 20:03 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-12 20:03 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-12 20:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-12 20:03 . 2008-08-11 18:07 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-12 20:03 . 2008-08-09 15:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-12 20:03 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-12 20:03 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-12 20:03 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-09 23:35 . 2008-08-17 11:33 <DIR> d-------- C:\Program Files\Uplink
2008-08-09 22:01 . 2008-08-09 22:01 <DIR> d-------- C:\Uplink.Hacker.Elite[PC.Game]ISO-ZaXaZ
2008-08-06 01:26 . 2008-08-06 01:26 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-04 20:58 . 2008-08-04 20:58 <DIR> d-------- C:\Program Files\Hamachi
2008-07-29 21:28 . 2008-07-29 21:28 <DIR> d-------- C:\WINDOWS\CLUE Classic
2008-07-29 21:28 . 2008-07-29 21:28 <DIR> d-------- C:\Program Files\CLUE Classic
2008-07-29 12:16 . 2008-07-29 13:24 <DIR> d-------- C:\cluedo Classic
2008-07-28 14:57 . 2008-07-28 15:08 <DIR> d-------- C:\Program Files\The Butler Did It! Shareware
2008-07-28 13:53 . 2008-07-28 13:53 <DIR> d-------- C:\Documents and Settings\matt\Application Data\GamesCafe
2008-07-28 13:53 . 2008-07-28 13:53 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-07-28 13:52 . 2008-07-28 13:52 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-07-25 22:21 . 2008-08-02 21:46 <DIR> d-------- C:\manly books
2008-07-20 12:50 . 2008-07-21 22:22 <DIR> d-------- C:\WINDOWS\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 13:23 --------- d-----w C:\Program Files\Steam
2008-08-17 13:23 --------- d-----w C:\Program Files\BOINC
2008-08-17 13:23 --------- d-----w C:\Documents and Settings\matt\Application Data\uTorrent
2008-08-17 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-17 09:52 --------- d-----w C:\Documents and Settings\matt\Application Data\Xfire
2008-08-16 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-08-16 20:14 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-16 17:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 12:17 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-16 12:17 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-08-15 12:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-13 20:27 --------- d-----w C:\Program Files\xfire
2008-08-12 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-08-12 10:50 --------- d-----w C:\Program Files\Diablo II
2008-08-06 21:46 --------- d-----w C:\Documents and Settings\matt\Application Data\Hamachi
2008-08-04 19:58 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-30 07:10 5,578 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
2008-07-29 11:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-28 22:50 --------- d-----w C:\Documents and Settings\matt\Application Data\OpenOffice.org2
2008-07-03 14:55 --------- d-----w C:\Program Files\SpeedFan
2008-06-30 12:37 --------- d-----w C:\Program Files\uTorrent
2008-06-26 22:39 --------- d-----w C:\Program Files\city of heroes
2008-06-25 20:35 --------- d-----w C:\Documents and Settings\matt\Application Data\SPORE Creature Creator
2008-06-25 20:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-25 20:32 --------- d-----w C:\Program Files\Electronic Arts
2008-06-18 18:17 --------- d-----w C:\Program Files\LimeWire
2008-06-18 15:42 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-06-18 15:42 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-06-18 15:42 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-05-21 15:29 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-05-21 15:29 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-12-29 12:15 22,328 ----a-w C:\Documents and Settings\matt\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 12:06 1271032]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-10-05 20:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Habu"="C:\Program Files\Razer\Habu\razerhid.exe" [2007-05-11 12:58 176128]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 17:32 579584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 11:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 12:30 219136]
C:\Documents and Settings\matt\Start Menu\Programs\Startup\
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-08-23 17:53:46 4141056]
Xfire.lnk - C:\Program Files\xfire\xfire.exe [2008-08-06 01:26:38 3065168]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nlkyxo.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^matt^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\matt\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2008-01-25 11:08 1032376 C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-11 20:17 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Beta 2\\etqw.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Steam\\steamapps\\teh_thackzor\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\xfire\\xfire.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Demo\\etqw.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Demo\\etqwded.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
R3 HabuFltr;Habu Mouse;C:\WINDOWS\system32\drivers\habu.sys [2006-10-23 13:09]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e69eb2cf-4805-11dc-928f-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{D69AEB55-F018-4A3E-A645-95F9C4A55091} - C:\WINDOWS\system32\fcccDuss.dll
BHO-{DA001244-ABAD-4897-9591-123A30AD55E6} - C:\WINDOWS\system32\khfFUMgf.dll
HKCU-Run-\Win70.exe - C:\Windows\system32\Win70.exe
HKCU-Run-\Win71.exe - C:\Windows\system32\Win71.exe
HKCU-Run-\Win72.exe - C:\Windows\system32\Win72.exe
HKCU-Run-\Win73.exe - C:\Windows\system32\Win73.exe
HKCU-Run-\Win74.exe - C:\Windows\system32\Win74.exe
HKLM-Run-\Win70.exe - C:\Windows\system32\Win70.exe
HKLM-Run-\Win71.exe - C:\Windows\system32\Win71.exe
HKLM-Run-\Win72.exe - C:\Windows\system32\Win72.exe
HKLM-Run-\Win73.exe - C:\Windows\system32\Win73.exe
HKLM-Run-\Win74.exe - C:\Windows\system32\Win74.exe
HKLM-Run-24642eac - C:\WINDOWS\system32\aasvtpwq.dll
Notify-opnnmMeD - opnnmMeD.dll
Notify-winhab32 - winhab32.dll
MSConfigStartUp-BM27571d30 - C:\WINDOWS\system32\txlhwjdg.dll
MSConfigStartUp-MSDisp32 - C:\WINDOWS\system32\drvzuv.dll
MSConfigStartUp-Run - C:\Documents and Settings\matt\Application Data\Adobe\Manager.exe
.
Supplementary Scan
.
FireFox -: Profile - C:\Documents and Settings\matt\Application Data\Mozilla\Firefox\Profiles\f6mhtdwx.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npBBCPlugin.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 14:23:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\Win70.exe"="C:\\Windows\\system32\\Win70.exe"
"\\Win71.exe"="C:\\Windows\\system32\\Win71.exe"
"\\Win72.exe"="C:\\Windows\\system32\\Win72.exe"
"\\Win73.exe"="C:\\Windows\\system32\\Win73.exe"
"\\Win74.exe"="C:\\Windows\\system32\\Win74.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\Win70.exe"="C:\\Windows\\system32\\Win70.exe"
"\\Win71.exe"="C:\\Windows\\system32\\Win71.exe"
"\\Win72.exe"="C:\\Windows\\system32\\Win72.exe"
"\\Win73.exe"="C:\\Windows\\system32\\Win73.exe"
"\\Win74.exe"="C:\\Windows\\system32\\Win74.exe"
.
Other Running Processes
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
.
**************************************************************************
.
Completion time: 2008-08-17 14:30:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-17 13:30:27
Pre-Run: 7,624,728,576 bytes free
Post-Run: 8,162,758,656 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:42:38, on 17/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\xfire\xfire.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\matt\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Xfire.lnk = C:\Program Files\xfire\xfire.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\CLUE Classic\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly Here and Now\Images\armhelper.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F941F2BB-73B6-4262-803C-A7DED46B1393}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: nlkyxo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
thanks
Good to hear the computer is running normally, but there is a little work to do to make sure the computer is clean...
Please do the following...
1. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O20 - AppInit_DLLs: nlkyxo.dll
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis
2. Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:
C:\WINDOWS\system32\nlkyxo.dll
When you are asked "Do you want to restart your computer now?", click OK.
Your PC MUST reboot to delete the file!
3. Please download Malwarebytes' Anti-Malware to your desktop.
4. I need to see another log from HijackThis.
5. Please post the following...
Uninstall list
MalwareBytes log
New HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:12, on 17/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\xfire\xfire.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\matt\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Xfire.lnk = C:\Program Files\xfire\xfire.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\CLUE Classic\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly Here and Now\Images\armhelper.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F941F2BB-73B6-4262-803C-A7DED46B1393}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{03202A59-ABB8-4A0D-B4BC-053AEA1FB774}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
uninstall list-
3DMark06
4oD
7-Zip 4.57
AC3Filter (remove only)
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.0
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Aliens vs. Predator 2
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Audacity 1.2.6
Audiosurf Demo
AutoHotkey 1.0.47.06
AVG 7.5
Battlefield 2(TM)
BBC iPlayer Download Manager
BOINC
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CLUE Classic
Collab
Command & Conquer 3
Company of Heroes
Dawn of War - Soulstorm
Dawn of War - Soulstorm Demo
DawnOfWar
Diablo II
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EA Download Manager
Enemy Territory - QUAKE Wars(TM)
Enemy Territory - QUAKE Wars(TM) 1.1 Patch
Enemy Territory - QUAKE Wars(TM) Beta 2
Enemy Territory - QUAKE Wars(TM) Demo
Far Cry
FL Studio 7
GameSpy Arcade
GPGNet
Grand Theft Auto
Half-Life 2: Episode One
Half-Life 2: Episode Two
Hamachi 1.0.2.5
HijackThis 2.0.2
ICQ6
IL Download Manager
ImTOO MP4 Video Converter
iTunes
Java(TM) SE Runtime Environment 6
LimeWire 4.14.10
M4A to MP3 Converter 1.2
Magic ISO Maker v5.4 (build 0256)
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Medieval II Total War
Metal Gear Solid
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
Monopoly Here & Now
Motorola Phone Tools
Mozilla Firefox (3.0.1)
Neffy 1,2,0,12
NVIDIA Drivers
OpenOffice.org 2.2
Oxygen Phone Manager II for Nokia phones (Trial)
PDF Settings
Peggle Extreme
Pontifex II
Project Reality 0.75 Core
Project Reality 0.75 Levels
QuickSFV (Remove only)
QuickTime
Razer Habu Config
RealPlayer
Realtek AC'97 Audio
Rohan_USA
Rome - Total War
Sins of a Solar Empire
Sins of a Solar Empire
SpeedFan (remove only)
SPORE™ Creature Creator Trial Edition
Spring 0.75b2
SpywareBlaster 4.1
Star Trek Legacy
Star Trek Legacy Patch v1.2
Star Trek: Armada
Starcraft
Steam
Supreme Commander
SWAT 4
Tacto v1.5
Team Fortress 2
TeamSpeak 2 RC2
TotalBF2 Map Pack 1
TrackMania Nations Forever
Unofficial Far Cry Custom Map Pack
Unofficial Far Cry Custom Map Pack - Hotfix
Uplink
Ventrilo Client
VideoLAN VLC media player 0.8.6c
West Point Bridge Designer 2007
Windows Driver Package - MOTOROLA (uisp) USB (09/08/2006 1.2.0.0)
Windows Driver Package - Razer (HidUsb) HIDClass (01/10/2007 1.00)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
XAC
Xfire (remove only)
yBook
[SC] Far Cry Map Pack
malwarebytes log-
Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 5.1.2600 Service Pack 2
19:04:55 17/08/2008
mbam-log-8-17-2008 (19-04-55).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 234348
Time elapsed: 1 hour(s), 19 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\edlb.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\xml2u32h.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bvbluwjj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcCSijH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jbvpgs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkKEtRK.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\khfDspQH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\niuleylu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sljmwd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vcidkbyr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000011.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000022.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000025.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D5158D0-84E6-45B4-87BC-C0A1AE359F0A}\RP2\A0000032.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
thanks
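As an added illustration (not code from this thread, from HijackThis or from ComboFix), a small Python script that parses HijackThis entry lines, flags the O20 AppInit_DLLs entry the helper asked to fix, and diffs the 14:42 and 19:15 logs above to confirm the entry is gone. The two log excerpts are constructed from those posted logs, and the user-writable-path heuristic is my own assumption, not a rule the thread states.

```python
import re
from typing import Dict, List, Set, Tuple

# Excerpts constructed from the two HijackThis logs posted in this thread
# (the 14:42 log before "Fix Checked", the 19:15 log after it); only the
# lines that matter for the comparison are kept.
HJT_BEFORE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - AppInit_DLLs: nlkyxo.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

HJT_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O20 - AppInit_DLLs: x.dll".
HJT_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Assumed heuristic: autostart targets under the user profile deserve a second
# look. The ComboFix log above removed an orphaned Run entry pointing into
# "Application Data", a location writable without admin rights.
USER_WRITABLE = re.compile(r"\\(Application Data|Local Settings|Temp)\\", re.I)


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def suspicious(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply two defender heuristics and return (section, body, reason)."""
    hits = []
    for section, body in entries:
        # AppInit_DLLs is empty on a clean XP install; any DLL listed there is
        # loaded into every process that loads user32.dll, which is how the
        # nlkyxo.dll entry the helper asked to fix kept itself running.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                hits.append((section, body, "AppInit_DLLs loads " + dlls))
        # Run keys and Startup-folder entries launched from user-writable paths.
        if section == "O4" and USER_WRITABLE.search(body):
            hits.append((section, body, "autostart from user-writable path"))
    return hits


def diff_hjt(before: str, after: str) -> Dict[str, Set[str]]:
    """Show which entries disappeared or appeared between two logs."""
    old = {f"{s} - {b}" for s, b in parse_hjt(before)}
    new = {f"{s} - {b}" for s, b in parse_hjt(after)}
    return {"removed": old - new, "added": new - old}


if __name__ == "__main__":
    for sec, body, why in suspicious(parse_hjt(HJT_BEFORE)):
        print(f"[{sec}] {body}  <- {why}")
    for kind, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        for line in sorted(lines):
            print(f"{kind}: {line}")
```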
Please do the following...
1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
2. Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
- Extended (if available, otherwise Standard)
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under Select a target to scan, select My Computer
- The program will start and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button
- Change Save as type: to Text file
- Save this as Kaspersky scan to your Desktop
- Post the Kaspersky report in your next reply.