clueless1976 Posted November 24, 2009 Posted November 24, 2009 hi there, completely new to this so i really hope any of you guys can help;). being a physiotherapist, or physical therapist if you're from the US, i can fix people but i am rubbish with computers.:confused: well here is my problem:- when i switch my pc on and it loads up it comes onto my desktop, as usual, but now my AVG resident shield alert pops up with Multiple threat detection. C:\WINDOWS\system32\mswsock32.dll Trojan horse Agent2.AAUD this appears twice in the pop up box then another is added to the list everytime i use anything on my computer. the list just keeps getting longer. i've read all the help icons on the pop up from AVG and followed everything they say. i have to press the remove all unhealed infections then it says i should reboot. so i do this and the same thing happens when my pc starts up. i only have AVG free addition 9.0. i have found the file on 'my computer' C:\WINDOWS\system32\mswsock32.dll and tried to remove it but it won't let me. any help would be greatly appreciated:) as i am a bit wary of using pc much longer just in case it spreads or makes things worse. like a said i am a complete beginner so please try to keep it a little bit simple.:confused: i have recently changed from using Mozilla firefox to using explorer 8, last week. firefox just kept crashing so i uninstalled it and installed explorer 8. could this be where it came from? but it did only start doint this this morning. hope someone can help because otherwise i don't know what to do; so open to all suggestions. thanks in advance Will. Quote
Match Posted November 24, 2009 Posted November 24, 2009 Hi and welcome I'm sure someone will help you soon ;) but you should have posted your problem here Malware Infection Removal - Computer Support Forums - FreePCHelp.co.uk not to worry I'm sure one of the staff will be along to move it for you. ;) Quote
Plastic Nev Posted November 24, 2009 Posted November 24, 2009 Hi and welcome to Extreme Tech Support - Free PC Help. Do you wish to start again on our malware removal section, as Match suggested, (thanks Match) or do you wish me or other moderator to move this post over there for you? You will get the help you need there as it does need a malware (virus) expert to sort that problem. Please let us know which way you wish to go, and all the best to you. Nev. Quote Need help with your computer problems? Then why not join Free PC Help. Register here. If Free PC Help has helped you then please consider a donation. Click here We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. -------------------------------------------------------------------- I have installed Windows, now how do I install the curtains? 😄
clueless1976 Posted November 25, 2009 Author Posted November 25, 2009 that would be great if you could put me where i need to be, thank you. do you think it is ok to still use my PC or should i stay off it for a while? many thanks will Quote
maynardvdm Posted November 25, 2009 Posted November 25, 2009 Hi Please do the following so that our malware expert can have a look at the system. Please download the latest version of HijackThis from Trend Micro and save it to your desktop. Download HJTInstall.exe to your desktop. Doubleclick HJTInstall.exe to install HijackThis. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch Hijackthis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply. Notes: Do not use the AnalyseThis button, its findings are dangerous if misinterpreted. Do not have Hijackthis fix anything yet. Most of what it finds will be harmless, or required for your computer to run like it should. Quote We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. RaidMax Smilodon Gaming Case | Gigabyte Z77X-UD5H M/B | Intel Core i5 3570K @ 3.4GHz | 8GB Corsair RAM | Nvidia GTX550 Ti 1GB GDDR5 | Corsair 800w PSU Register for FREE >>here<< | If we have helped you, please consider a donation >>here<< SAS | MBAM | WinPatrol | Avira | ERUNT | Nvidia Drivers http://i285.photobucket.com/albums/ll57/mjsmileys/userbarnew4sec.gif
clueless1976 Posted November 25, 2009 Author Posted November 25, 2009 here are the results from the scan, thanks for your help. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:49:20, on 25/11/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\AVG\AVG9\avgui.exe C:\Program Files\AVG\AVG9\avgscanx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\AVG\AVG9\avgscanx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Windows Update F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\win32room.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {0b65b2c4-dda0-4848-9990-75801a03a97d} - C:\WINDOWS\system32\kapidapu.dll (file missing) O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file) O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file) O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file) O2 - BHO: (no name) - {742b6c81-18e1-4714-90b3-f8309c85d681} - C:\WINDOWS\system32\sisazibo.dll (file missing) O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file) O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file) O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file) O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [WinDll32] C:\WINDOWS\system32:Dll32.exe O4 - HKLM\..\Run: [muyidimabo] Rundll32.exe "C:\WINDOWS\system32\vahuyayu.dll",s O4 - HKLM\..\Run: [781aef91] rundll32.exe "C:\WINDOWS\system32\yafajawo.dll",b O4 - HKLM\..\Run: [CPM7b29dc0d] Rundll32.exe "c:\windows\system32\yulejoka.dll",a O4 - HKLM\..\Run: [internat] C:\WINDOWS\internat.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-19\..\Run: [muyidimabo] Rundll32.exe "C:\WINDOWS\system32\kusohove.dll",s (User '?') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-21-1935655697-630328440-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-1935655697-630328440-725345543-500\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?') O4 - HKUS\S-1-5-21-1935655697-630328440-725345543-500\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon (User '?') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\vetuloke.dll c:\windows\system32\melamiro.dll c:\windows\system32\riturifa.dll c:\windows\system32\hinikafo.dll c:\windows\system32\habanuvo.dll c:\windows\system32\garowori.dll c:\windows\system32\zelosubo.dll c:\windows\system32\dewulale.dll c:\windows\system32\yumaluso.dll c:\windows\system32\yulejoka.dll,C:\WINDOWS\system32\buyenayo.dll,C:\WINDOWS\system32\tipukuvu.dll,C:\WINDOWS\system32\kozeyizu.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 10525 bytes Quote
chiaz Posted November 25, 2009 Posted November 25, 2009 Hi clueless, I definitely see malware in there. A few things before we start.... 1. Please Read All Instructions Carefully. 2. If you don't understand something, stop and ask! Don't keep going on. 3. Please do not run any other tools or scans whilst I am helping you. 4. If you have to go away for an extended period of time, let me know. 5. Please continue to respond until I give you the "All Clear". (Just because you can't see a problem doesn't mean it isn't there) Please download Malwarebytes' Anti-Malware by clicking the link below: Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com Double Click mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select "Perform Quick Scan", then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * You'll be required to post the contents of this log later. Please Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool: Go here ======> A guide and tutorial on using ComboFix <====== Go here Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should get a prompt that says: The Recovery Console was successfully installed. Please continue as follows: (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. (2) Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Please include MBAM log, C:\ComboFix.txt and a new HijackThis log for further review, so that we may continue cleansing the system. Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems. Quote
clueless1976 Posted November 25, 2009 Author Posted November 25, 2009 hey chiaz thanks for the help, it's very much appreciated. here are the 3 logs starting with MBAM then C:\Combofix.txt and then a new Hijackthis log. MBAM Malwarebytes' Anti-Malware 1.41 Database version: 3230 Windows 5.1.2600 Service Pack 3 25/11/2009 16:51:32 mbam-log-2009-11-25 (16-51-32).txt Scan type: Quick Scan Objects scanned: 103013 Time elapsed: 4 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 37 Registry Values Infected: 4 Registry Data Items Infected: 4 Folders Infected: 6 Files Infected: 8 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b65b2c4-dda0-4848-9990-75801a03a97d} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{0b65b2c4-dda0-4848-9990-75801a03a97d} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{742b6c81-18e1-4714-90b3-f8309c85d681} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{742b6c81-18e1-4714-90b3-f8309c85d681} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{684ee1db-cd52-4ca9-9ccf-93d5f6b419ba} (Trojan.Banker) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia (Trojan.WinCoDecPRO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seneka (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muyidimabo (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\781aef91 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm7b29dc0d (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\win32room.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully. Folders Infected: C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.Rabio) -> Quarantined and deleted successfully. C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xors32 (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xors32\worf.gop (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xors32\worg.gos (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully. Quote
clueless1976 Posted November 25, 2009 Author Posted November 25, 2009 Combofix ComboFix 09-11-25.01 - Administrator 25/11/2009 17:10.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.415 [GMT 0:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe * Created a new restore point . ADS - system32: deleted 4560 bytes in 1 streams. ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\Application Data\inst.exe c:\temp\1cb c:\temp\1cb\syscheck.log c:\temp\DIV55 c:\temp\DIV55\xDb.log c:\windows\system32\xa.tmp . ((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 ))))))))))))))))))))))))))))))) . 2009-11-25 16:43 . 2009-11-25 16:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-11-25 16:43 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-25 16:43 . 2009-11-25 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-25 16:43 . 2009-11-25 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-11-25 16:43 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-25 12:47 . 2009-11-25 12:47 -------- d-----w- c:\program files\Trend Micro 2009-11-20 14:18 . 2009-11-16 18:18 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll 2009-11-20 14:18 . 2009-11-16 18:18 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll 2009-11-20 14:18 . 2009-11-16 18:18 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe 2009-11-20 14:18 . 2009-11-16 18:18 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll 2009-11-18 09:52 . 2009-11-18 09:52 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2009-11-18 09:51 . 2009-11-18 09:51 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2009-11-18 09:48 . 2009-11-18 09:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-11-18 09:44 . 2009-11-18 09:45 -------- d-----w- c:\windows\ie8updates 2009-11-18 09:41 . 2009-11-18 09:42 -------- dc-h--w- c:\windows\ie8 2009-11-18 09:39 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-11-18 09:39 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-11-18 09:39 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-11-16 20:42 . 2009-11-25 13:11 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat 2009-11-16 18:18 . 2009-11-16 18:18 -------- d-----w- C:\$AVG 2009-11-16 18:18 . 2009-11-16 18:18 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-11-16 18:18 . 2009-11-16 18:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2009-11-16 18:18 . 2009-11-16 18:18 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-11-16 18:18 . 2009-11-16 18:18 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-11-16 18:18 . 2009-11-25 11:12 -------- d-----w- c:\windows\system32\drivers\Avg 2009-11-16 18:18 . 2009-11-25 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2009-11-10 13:21 . 2009-11-10 13:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony 2009-11-10 12:31 . 2009-11-10 12:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony Ericsson 2009-11-10 12:29 . 2007-06-25 09:43 10792 ----a-w- c:\windows\system32\drivers\s117cr.sys 2009-11-10 12:29 . 2007-06-25 09:43 98856 ----a-w- c:\windows\system32\drivers\s117unic.sys 2009-11-10 12:29 . 2007-06-25 09:43 100264 ----a-w- c:\windows\system32\drivers\s117mgmt.sys 2009-11-10 12:29 . 2007-06-25 09:43 98344 ----a-w- c:\windows\system32\drivers\s117obex.sys 2009-11-10 12:29 . 2007-06-25 09:43 22952 ----a-w- c:\windows\system32\drivers\s117nd5.sys 2009-11-10 12:29 . 2007-06-25 09:43 108456 ----a-w- c:\windows\system32\drivers\s117mdm.sys 2009-11-10 12:29 . 2007-06-25 09:43 14888 ----a-w- c:\windows\system32\drivers\s117mdfl.sys 2009-11-10 12:29 . 2007-06-25 09:43 12200 ----a-w- c:\windows\system32\drivers\s117cmnt.sys 2009-11-10 12:29 . 2007-06-25 09:43 12200 ----a-w- c:\windows\system32\drivers\s117cm.sys 2009-11-10 12:28 . 2007-06-25 09:43 12200 ----a-w- c:\windows\system32\drivers\s117whnt.sys 2009-11-10 12:28 . 2007-06-25 09:43 12200 ----a-w- c:\windows\system32\drivers\s117wh.sys 2009-11-10 12:28 . 2007-06-25 09:43 82984 ----a-w- c:\windows\system32\drivers\s117bus.sys 2009-11-10 12:28 . 2009-11-10 13:14 -------- d-----w- c:\program files\Sony Ericsson 2009-11-10 12:28 . 2009-11-10 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson 2009-11-10 12:27 . 2009-11-10 12:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-25 12:35 . 2009-03-12 22:18 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-11-24 12:11 . 2009-01-12 16:05 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-11-24 12:04 . 2008-12-12 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype 2009-11-24 10:12 . 2008-12-12 13:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM 2009-11-20 15:49 . 2008-02-27 23:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso 2009-11-18 14:26 . 2008-02-01 08:08 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-11-18 09:24 . 2008-02-11 14:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\MSN6 2009-11-16 18:18 . 2009-04-02 08:09 -------- d-----w- c:\program files\AVG 2009-11-16 08:04 . 2008-01-29 19:50 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-11-13 11:00 . 2008-01-29 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-11-02 20:42 . 2009-10-06 12:34 195456 ------w- c:\windows\system32\MpSigStub.exe 2009-10-09 15:09 . 2008-02-16 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki 2009-09-30 10:53 . 2009-09-30 10:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage 2009-09-29 08:27 . 2008-07-28 22:23 -------- d-----w- c:\program files\Common Files\Real 2009-09-29 08:26 . 2009-09-29 08:26 -------- d-----w- c:\program files\Common Files\xing shared 2009-09-29 08:26 . 2008-01-29 20:04 499712 ----a-w- c:\windows\system32\msvcp71.dll 2009-09-29 08:26 . 2008-01-29 19:43 348160 ----a-w- c:\windows\system32\msvcr71.dll 2009-09-29 08:25 . 2009-09-29 08:25 -------- d-----w- c:\program files\real 2009-09-29 08:20 . 2009-09-29 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage 2009-09-14 12:37 . 2009-09-14 12:37 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll 2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-29 08:08 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-14 68856] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-24 2001648] "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-24 86016] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160] "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-16 2020120] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-01-11 577536] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-24 1519616] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-05 10:54 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-16 18:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"= "c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"= "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/11/2009 18:18 333192] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/11/2009 18:18 360584] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 11:06 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 11:05 74480] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/11/2009 18:18 285392] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 11:06 7408] S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Administrator\Desktop\SABKUTIL.sys --> c:\documents and settings\Administrator\Desktop\SABKUTIL.sys [?] S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?] S3 iadusb;MT882;c:\windows\system32\DRIVERS\glauiad.sys --> c:\windows\system32\DRIVERS\glauiad.sys [?] S3 X-Micro WLAN 11g USB Adapter(X-Micro);X-Micro WLAN 11g USB Adapter Driver(X-Micro);c:\windows\system32\DRIVERS\zd1211Bu.sys --> c:\windows\system32\DRIVERS\zd1211Bu.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CD100847-C7D4-744C-C8F6-0AE88ED79EF0}] c:\windows\system32:Dll32.exe . Contents of the 'Scheduled Tasks' folder 2009-11-25 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20] 2009-11-25 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab . - - - - ORPHANS REMOVED - - - - WebBrowser-{EC97B998-D2B5-40D6-A073-BDCD4F3554D6} - (no file) HKLM-Run-WinDll32 - c:\windows\system32:Dll32.exe HKLM-Run-internat - c:\windows\internat.exe HKLM-Run-4oD - c:\program files\Kontiki\KHost.exe AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0 ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-25 17:21 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run WinDll32 = c:\windows\system32:Dll32.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? internat = c:\windows\internat.exe?_ ?||???? @????|????????????$???@????????????????r??????S scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1935655697-630328440-725345543-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,15,f6,28,4e,d9,c9,45,89,18,37,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,15,f6,28,4e,d9,c9,45,89,18,37,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC97B998-D2B5-40D6-A073-BDCD4F3554D6}\InprocServer32] @DACL=(02 0000) @="c:\\WINDOWS\\system32\\winpl77.dll" "ThreadingModel"="Apartment" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC97B998-D2B5-40D6-A073-BDCD4F3554D6}\Properties] @DACL=(02 0000) "Version"="77" "BuildName"="876984" "Affiliate"="Unknown" "Show3X"=dword:00000001 "ShowType"=dword:00000001 "PopupCount"=dword:00000000 "BlockEnable"=dword:00000001 "Ticket"="00882839229767" "WalkThrough"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC97B998-D2B5-40D6-A073-BDCD4F3554D6}\TypeLib] @DACL=(02 0000) @="{BB47D49B-B55D-487E-A436-F35C4DD71B07}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC97B999-D2B5-40D6-A073-BDCD4F3554D6}\InprocServer32] @DACL=(02 0000) @="c:\\WINDOWS\\system32\\winpl77.dll" "ThreadingModel"="Apartment" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC97B999-D2B5-40D6-A073-BDCD4F3554D6}\TypeLib] @DACL=(02 0000) @="{BB47D49B-B55D-487E-A436-F35C4DD71B07}" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(860) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(1828) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\program files\AVG\AVG9\avgnsx.exe c:\windows\system32\RUNDLL32.EXE c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe c:\program files\HP\Digital Imaging\bin\hpqtra08.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe . ************************************************************************** . Completion time: 2009-11-25 17:26 - machine was rebooted ComboFix-quarantined-files.txt 2009-11-25 17:26 Pre-Run: 16,766,685,184 bytes free Post-Run: 16,864,595,968 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn - - End Of File - - 29C1C0A8C92C686201F2B48A5FCEC25B Quote
clueless1976 Posted November 25, 2009 Author Posted November 25, 2009 Hijackthis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:06:33, on 25/11/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 7858 bytes thanks again chiaz. while i have been doing these scans my AVG shield still pops up everytime i click an icon, is this ok? and is it still ok to keep using computer? I have to see a few patients in about 2 - 3 hours so i'll will be on here until then. i should be back at 11ish, is that ok? Quote
chiaz Posted November 27, 2009 Posted November 27, 2009 Looks like that removed a ton of stuff. Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis: c:\WINDOWS\system32\winpl77.dll Then click Submit. Allow the file to be scanned, and then please Copy/Paste the results here for me to see later in your next reply. If Jotti is busy, please go to http://www.virustotal.com. ================================================= Then go HERE to run Panda ActiveScan 2.0Click the big green Scan now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) Once the scan is completed, please hit the notepad icon next to the text Export to: Save it to a convenient location such as your Desktop Post the contents of the ActiveScan.txt in your reply, along with the Jotti/VirusTotal results. Quote
clueless1976 Posted November 27, 2009 Author Posted November 27, 2009 Hi Chiaz i have followed your instructions and have browsed for c:\WINDOWS\system32\winpl77.dll but it does not seem to be there. am i doing something wrong? i've checked checked and double checked. will. Quote
RandyL Posted November 27, 2009 Posted November 27, 2009 I suggest waiting for chiaz but for now try going to folder options in control panel and tic to show hidden files and folders and untic hide protected operating systems files. The file structure in that folder can be misleading so it might be hard to find. If you use search it should find it there as it is in the log you submitted. I know it can be hard to find but it does appear to be there. Actually you shouldn't need to change the folder options but I always do. Quote We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.Get help with computer problems. Join Free PC Help here Donations are welcome. Read Here
clueless1976 Posted November 27, 2009 Author Posted November 27, 2009 hey RandyL thanks for reply. i did try your instructions also but still no luck finding it, i even searched for it but still no luck. thanks for your help though. I do get a screen up now when i boot up with a choice of windows recovery console or windows xp professional but it only stays there for 2 - 3 seconds then starts up automatically. is that normal? Quote
chiaz Posted November 27, 2009 Posted November 27, 2009 Yes that is normal. This gives you an option to use the Recovery Console if there is a problem with even booting your PC. Skip the VirusTotal/Jotti scan and go on with the Panda ActiveScan. Quote
clueless1976 Posted November 27, 2009 Author Posted November 27, 2009 hey chiaz everytime i press 'scan' on the Panda ActiveScan a bar comes up on my browser to say that they are trying to download the software, before i can click on it it closes down my browser saying it is not responding. but, as i just started up the infection seems to have stopped as nothing is popping up. could this be the case? thanks again will Quote
chiaz Posted November 28, 2009 Posted November 28, 2009 It is likely that your PC is clean now, but I would like a confirmation before we really send you off. :D Try this scanner instead? Kaspersky Online Scanner 7.0 Quote
clueless1976 Posted November 29, 2009 Author Posted November 29, 2009 hey chiaz i've run the scan and nothing was found, are we safe in presuming that it is clear? if so i would like to thank you so much for your time and effort over the past few days, it's very much appreciated. i've put a reminder on my phone to donate some money to you guys at the end of january, hope you understand with the holidays coming up i'm already very low on funds but please expect a donation as soon as pay day comes in jan. thanks once again. it's great to know there are good people out there. will. Quote
chiaz Posted November 30, 2009 Posted November 30, 2009 Yes, I think your PC is all clean now. It's time to remove ComboFix. Go to to Start > Run Type in box combofix /uninstall Note: the space between the X and the /uninstall Press Enter. This command will: Delete the following: ComboFix and its associated files and folders. VundoFix backups, if present The C:\Deckard folder, if present The C:_OtMoveIt folder, if present Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Reset System Restore. And, also you're welcome Will. As you probably know a donation is not required, but would be greatly appreciated. I thank you in advance of the staff here. :) Quote
clueless1976 Posted November 30, 2009 Author Posted November 30, 2009 hey chiaz i know a donation isn't required but you have saved me taking it to a repair shop to be ripped off beyond belief. i am however following your instructions to remove combofix and the pop up box just keeps appearing to run the program again, should this happen? will. Quote
chiaz Posted November 30, 2009 Posted November 30, 2009 Yes, run it. It will prompt to disable your anti-virus programs (just like when you ran the scan), after which it will say ComboFix has been uninstalled. Quote
clueless1976 Posted December 1, 2009 Author Posted December 1, 2009 all done. thanks for your help and time chiaz. donation to follow. keep well will. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.