
Posted

What I got you to run was MalwareBytes and ComboFix (in my earlier post).

 

Please follow all instructions to the letter.

 

Thank you.


Posted

I've run the ComboFix program; these are the results:

 

ComboFix 09-12-06.01 - rita 06/12/2009 18:26.1.1 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.446.140 [GMT 0:00]

Running from: c:\users\rita\Desktop\ComboFix.exe

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\FunWebProducts

c:\program files\GamesBar\obERontb.dll

c:\program files\MyWebSearch

c:\program files\MyWebSearch\bar\Settings\s_pid.dat

c:\windows\system32\rthdvcpl .exe

c:\windows\system32\s3trayp .exe

c:\windows\system32\s3trayp.exe83

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

 

((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))

.

2009-12-06 18:44 . 2009-12-06 18:56 -------- d-----w- c:\users\rita\AppData\Local\temp

2009-12-06 18:44 . 2009-12-06 18:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2009-12-05 12:02 . 2009-12-05 12:02 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-12-02 21:10 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll

2009-12-02 21:10 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys

2009-12-02 21:10 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll

2009-12-02 21:10 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll

2009-12-02 21:05 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll

2009-12-02 21:05 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2009-12-02 21:05 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll

2009-12-02 21:05 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys

2009-12-02 21:05 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll

2009-12-02 21:05 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll

2009-12-02 21:05 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe

2009-12-02 21:05 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll

2009-12-02 21:05 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe

2009-12-02 21:05 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll

2009-12-01 23:59 . 2009-12-01 23:59 -------- d-----w- c:\users\rita\AppData\Local\Conduit

2009-12-01 23:59 . 2009-12-02 00:01 -------- d-----w- c:\users\rita\AppData\Local\thechatterbox.cc

2009-12-01 23:57 . 2009-12-01 23:57 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2009-12-01 23:38 . 2009-12-01 23:38 -------- d-----w- c:\programdata\WindowsSearch

2009-12-01 23:14 . 2009-12-01 23:14 -------- d-----w- C:\PerfLogs

2009-11-30 21:44 . 2009-11-30 21:44 -------- d-----w- C:\5ff6dc1a37b0825ae2b52688d575241f

2009-11-28 15:16 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll

2009-11-28 15:13 . 2009-11-28 15:15 -------- d-----w- C:\1616f725a5e5b95ccf8ab39d189792

2009-11-28 12:12 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll

2009-11-28 12:12 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll

2009-11-28 11:48 . 2009-11-28 11:48 -------- d-----w- c:\program files\Trend Micro

2009-11-25 18:05 . 2009-11-25 18:05 -------- d-----w- c:\users\rita\AppData\Roaming\TuneUp Software

2009-11-25 18:04 . 2007-12-20 10:44 16640 ----a-w- c:\windows\system32\authuitu.dll

2009-11-25 18:04 . 2009-11-25 18:04 306432 ----a-w- c:\windows\system32\TuneUpDefragService.exe

2009-11-25 18:04 . 2007-12-20 10:41 29440 ----a-w- c:\windows\system32\uxtuneup.dll

2009-11-25 18:02 . 2009-11-25 18:02 -------- d-----w- c:\programdata\TuneUp Software

2009-11-25 18:01 . 2009-11-25 18:04 -------- d-----w- c:\program files\TuneUp Utilities 2008

2009-11-25 17:58 . 2009-11-25 17:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-25 17:56 . 2009-11-25 17:56 2 --shatr- c:\windows\winstart.bat

2009-11-25 17:55 . 2009-11-25 17:55 35040 ----a-w- c:\windows\system32\Partizan.exe

2009-11-25 17:55 . 2009-11-25 17:55 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys

2009-11-25 17:54 . 2009-09-17 15:49 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys

2009-11-25 17:54 . 2009-11-25 17:54 680 ----a-w- c:\users\rita\AppData\Local\d3d9caps.dat

2009-11-24 18:23 . 2009-11-24 18:23 -------- d-----w- c:\users\rita\AppData\Roaming\Malwarebytes

2009-11-24 18:21 . 2009-12-02 18:21 -------- d-----w- c:\program files\UnHackMe

2009-11-24 18:15 . 2009-11-24 18:15 -------- d-----w- c:\programdata\Malwarebytes

2009-11-20 11:04 . 2009-11-20 11:04 -------- d-----w- C:\e5386a5f5f5379da555eb926d1e9

2009-11-20 10:50 . 2009-11-20 10:55 -------- d-----w- c:\users\rita\AppData\Roaming\Simply Super Software

2009-11-20 10:50 . 2009-11-20 10:50 -------- d-----w- c:\programdata\Simply Super Software

2009-11-20 10:16 . 2009-11-20 10:16 -------- d-----w- C:\9bd87550ded90e318a4d2f3f

2009-11-16 20:19 . 2009-11-16 20:21 -------- d-----w- c:\users\rita\Spybot - Search & Destroy

2009-11-14 20:52 . 2009-11-14 20:52 -------- d-----w- c:\users\rita\AppData\Local\Threat Expert

2009-11-14 19:40 . 2009-11-24 19:20 -------- d-----w- c:\program files\Spyware Doctor

2009-11-14 19:40 . 2009-11-14 20:04 4096 d-----w- c:\program files\Common Files\PC Tools

2009-11-14 19:40 . 2009-11-14 19:40 -------- d-----w- c:\users\rita\AppData\Roaming\PC Tools

2009-11-14 19:40 . 2009-11-14 19:40 -------- d-----w- c:\programdata\PC Tools

2009-11-08 00:31 . 2009-12-06 17:39 -------- d-----w- c:\users\rita\Tracing

2009-11-08 00:18 . 2009-11-10 21:25 -------- d-----w- c:\program files\Microsoft Silverlight

2009-11-08 00:13 . 2009-11-08 00:13 -------- d-----w- c:\program files\Microsoft Sync Framework

2009-11-07 23:56 . 2009-11-07 23:56 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2009-11-07 23:47 . 2009-12-05 12:07 -------- d-----w- c:\program files\Microsoft

2009-11-07 23:35 . 2009-11-07 23:35 -------- d-----w- c:\program files\Common Files\Windows Live

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-06 18:43 . 2008-08-31 14:55 -------- d-----w- c:\program files\GamesBar

2009-12-06 17:33 . 2009-10-24 18:31 0 ----a-r- c:\windows\win32k.sys

2009-12-05 12:00 . 2007-12-09 15:23 4096 d-----w- c:\program files\Windows Live

2009-12-03 11:04 . 2009-11-01 11:00 4096 d-----w- c:\programdata\avg9

2009-12-02 21:56 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Defender

2009-12-01 23:57 . 2009-06-19 09:35 8192 d-----w- c:\program files\iWin Games

2009-12-01 23:16 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar

2009-12-01 23:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2009-12-01 23:16 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar

2009-12-01 23:16 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery

2009-12-01 23:16 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration

2009-12-01 23:14 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat

2009-11-30 20:49 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll

2009-11-30 20:48 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll

2009-11-28 15:19 . 2007-01-25 15:48 -------- d-----w- c:\programdata\Microsoft Help

2009-11-28 13:12 . 2008-05-03 14:34 8192 d-----w- c:\program files\Spybot - Search & Destroy

2009-11-28 12:42 . 2008-06-14 08:34 -------- d-----w- c:\program files\RealArcade

2009-11-28 12:20 . 2009-11-01 11:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-24 19:31 . 2009-04-02 22:31 -------- d-----w- c:\users\rita\AppData\Roaming\Deal or No Deal

2009-11-24 19:31 . 2008-05-03 14:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2009-11-24 19:31 . 2008-11-29 22:33 -------- d-----w- c:\program files\thechatterbox.cc

2009-11-24 19:31 . 2009-08-03 18:34 -------- d-----w- c:\program files\Pirateville

2009-11-24 19:31 . 2009-06-11 22:22 -------- d-----w- c:\program files\Oberon Media

2009-11-24 19:31 . 2009-08-25 16:47 -------- d-----w- c:\program files\Hidden Expedition - Titanic

2009-11-24 19:31 . 2007-11-21 15:54 -------- d-----w- c:\program files\Google

2009-11-24 19:31 . 2007-01-25 16:18 4096 d-----w- c:\program files\Common Files\LightScribe

2009-11-24 19:31 . 2009-10-10 12:33 20480 d-----w- c:\program files\CDBurnerXP

2009-11-24 19:31 . 2009-08-25 17:01 -------- d-----w- c:\program files\Amazing Adventures - Around the World

2009-11-14 22:22 . 2008-02-25 10:51 -------- d-----w- c:\program files\iWin.com

2009-11-04 13:15 . 2009-03-09 15:39 -------- d-----w- c:\programdata\Gogii

2009-11-04 12:52 . 2009-11-04 12:52 -------- d-----w- c:\programdata\Playrix Entertainment

2009-11-04 12:38 . 2009-11-04 12:38 -------- d-----w- c:\programdata\GameHouse

2009-11-02 20:42 . 2009-10-05 15:05 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-11-01 11:01 . 2009-11-01 11:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-11-01 11:01 . 2009-11-01 11:01 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-11-01 11:01 . 2009-11-01 11:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-11-01 11:01 . 2009-11-01 11:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-11-01 11:00 . 2009-11-01 11:00 -------- d-----w- c:\program files\AVG

2009-10-24 18:55 . 2009-10-24 18:09 -------- d-----w- c:\program files\WinAVI Video Converter

2009-10-24 18:48 . 2009-10-10 12:42 -------- d-----w- c:\program files\Common Files\AVSMedia

2009-10-24 18:48 . 2009-10-10 12:41 -------- d-----w- c:\program files\AVS4YOU

2009-10-16 16:32 . 2007-01-21 21:39 -------- d-----w- c:\program files\Microsoft Works

2009-10-10 12:44 . 2009-10-10 12:44 -------- d-----w- c:\users\rita\AppData\Roaming\AVS4YOU

2009-10-10 12:44 . 2009-10-10 12:44 -------- d-----w- c:\programdata\AVS4YOU

2009-10-10 12:34 . 2009-10-10 12:34 -------- d-----w- c:\programdata\Canneverbe Limited

2009-10-10 12:28 . 2009-10-10 12:27 -------- d-----w- c:\users\rita\AppData\Roaming\GetRightToGo

2009-09-28 20:57 . 2009-10-10 12:33 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2009-09-14 09:44 . 2009-10-15 17:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys

2009-09-10 17:30 . 2009-10-15 17:58 213504 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 15:21 . 2009-10-29 21:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL

2009-09-10 15:21 . 2009-10-29 21:24 310784 ----a-w- c:\windows\system32\unregmp2.exe

.

<pre>
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\PixArt\PAC7302\monitor .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthec.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]

2008-11-23 23:03 1784856 ----a-w- c:\program files\thechatterbox.cc\tbthec.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthec.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= "c:\program files\thechatterbox.cc\tbthec.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2009-09-17 238304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-28 2020120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-11-25 34760]

R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2009-12-01 24416]

S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-11-01 161800]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-01 333192]

S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-28 360584]

S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-11-01 906520]

S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-01 285392]

S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2009-06-04 78104]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 810320]

S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\VTGKModeDX32.sys [2007-01-10 815616]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.virginmedia.com/

DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.gamehouse.com/realarcade-webgames/bcasanfrancisco/JBGamePlayer.cab

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE

AddRemove-RealArcade - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-12-06 18:57

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2136)

c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll

c:\program files\Common Files\Ahead\Lib\MFC71U.DLL

c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\lxdacoms.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\WUDFHost.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\AVG\AVG9\avgtray.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

.

**************************************************************************

.

Completion time: 2009-12-06 19:23 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-06 19:23

Pre-Run: 176,074,375,168 bytes free

Post-Run: 176,213,168,128 bytes free

- - End Of File - - F6089255E28C0140A84349B03814C2A0

Posted

I ran the scan yesterday and this is the log, but I ran it today and nothing was found.

 

 

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 6.0.6001 Service Pack 1

06/12/2009 21:46:54

mbam-log-2009-12-06 (21-46-54).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 219209

Time elapsed: 1 hour(s), 38 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 14

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\DivoCodec (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

Thanks for helping.
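The deletions in the ComboFix log above and the detections in the Malwarebytes log in this post share a few filename patterns that are worth pulling out mechanically rather than by eye: a space inserted before the extension (rthdvcpl .exe, s3trayp .exe, nerocheck .exe, monitor .exe), digits appended after it (s3trayp.exe83), a well-known Windows binary sitting outside its normal folder (c:\windows\win32k.sys, and msimg32.dll and riched20.dll inside the Messenger folder) and a zero-byte driver (the same win32k.sys, size 0 in the Find3M report). The Python below is an added example, not code from either tool or from anyone in this thread: it parses a pasted log, applies those four checks and reports what tripped them. The sample lines are copied from the two logs above; the EXPECTED_DIR table of where those system binaries normally live is my assumption, not something the page states.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: entries copied from the ComboFix "Other Deletions"/Find3M sections and
# the Malwarebytes "Files Infected" list above, plus clean controls (Partizan.exe, avgrsstx.dll)
# and a correctly placed win32k.sys that must not be flagged.
SAMPLE_LOG = r"""
2009-12-06 17:33 . 2009-10-24 18:31 0 ----a-r- c:\windows\win32k.sys
2009-11-25 17:55 . 2009-11-25 17:55 35040 ----a-w- c:\windows\system32\Partizan.exe
2009-11-01 11:01 . 2009-11-01 11:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
c:\windows\system32\rthdvcpl .exe
c:\windows\system32\s3trayp .exe
c:\windows\system32\s3trayp.exe83
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\windows\PixArt\PAC7302\monitor .exe
C:\Program Files\Windows Live\Messenger\msimg32.dll
c:\windows\system32\win32k.sys
"""

class Entry(NamedTuple):
    path: str
    size: Optional[int]   # None when the log prints "--------" (a directory) or no size at all
    attrs: str

# "created . modified size attrs path", the layout ComboFix uses in its file sections
LOG_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
BARE_PATH = re.compile(r"^[a-z]:\\", re.I)   # a path on its own, as in deletion lists

# Indicators visible in the logs above
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|sys|scr|com)$", re.I)   # "monitor .exe"
DIGITS_AFTER_EXT = re.compile(r"\.(exe|dll|sys)\d+$", re.I)            # "s3trayp.exe83"
EXECUTABLE = (".exe", ".dll", ".sys")

# Assumed lookup table (not from the page): where these Windows binaries normally live.
# A copy under another folder is either a misplaced file or a DLL search-order plant.
EXPECTED_DIR = {
    "win32k.sys": r"c:\windows\system32",
    "msimg32.dll": r"c:\windows\system32",
    "riched20.dll": r"c:\windows\system32",
}

def parse_line(line: str) -> Optional[Entry]:
    """Turn one pasted log line into an Entry, or None if it is not a file line."""
    line = line.strip()
    m = LOG_LINE.match(line)
    if m:
        size = None if m["size"].startswith("-") else int(m["size"])
        return Entry(m["path"], size, m["attrs"])
    if BARE_PATH.match(line):
        return Entry(line, None, "")
    return None

def indicators(entry: Entry) -> list:
    """List every indicator the entry trips; an empty list means nothing stood out."""
    folder, _, name = entry.path.rpartition("\\")
    reasons = []
    if SPACE_BEFORE_EXT.search(name):
        reasons.append("space before extension")
    if DIGITS_AFTER_EXT.search(name):
        reasons.append("digits appended after extension")
    expected = EXPECTED_DIR.get(name.lower())
    if expected and folder.lower() != expected:
        reasons.append("system binary outside " + expected)
    if entry.size == 0 and name.lower().endswith(EXECUTABLE):
        reasons.append("zero-byte executable")
    return reasons

def triage(log_text: str) -> dict:
    """Map each suspicious path in a pasted log to the indicators it tripped."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = indicators(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run it against a whole pasted ComboFix or Malwarebytes log and the output is the shortlist of paths to hash and submit for a second opinion; the clean controls in the sample produce no output, and a win32k.sys in its proper folder is not reported even though the same name is in the table.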

Posted

OK, let's have you go HERE to run Panda ActiveScan 2.0.

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply.

Posted

This is from the log:

 

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-12-09 20:33:39

PROTECTIONS: 1

MALWARE: 10

SUSPECTS: 5

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

AVG Anti-Virus Free Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\microsoft\windows\cookies\low\rita@com[1].txt

00167760 Cookie/Hitslink TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\microsoft\windows\cookies\low\rita@counter.hitslink[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\microsoft\windows\cookies\low\rita@apmebf[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\mozilla\firefox\profiles\s3j76al0.default\cookies.txt[.ads.pointroll.com/]

02463795 Adware/iWinArcade Adware Yes 0 Yes No c:\program files\iwin games\iwintrusted.exe

02893775 Spyware/Iehelp Spyware No 1 Yes No c:\program files\iwin games\firefox\iwinarcadelauncher.exe

03281648 Trj/Lineage.BZE Virus/Trojan No 1 No No c:\users\rita\desktop\new folder (2)\files\p\polly pride - pet detective.exe[uninstall.exe]

03637626 Adware/Zango Adware No 0 Yes No c:\qoobox\quarantine\c\program files\gamesbar\oberontb.dll.vir

05176738 Generic Backdoor Virus/Trojan No 0 Yes No c:\program files\iwin.com\mcf ravenhearst\gamelauncher.exe

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\program files\common files\ahead\lib\nerocheck.exe84

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\program files\common files\ahead\lib\nerocheck.exe127

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\qoobox\quarantine\c\windows\system32\rthdvcpl .exe.vir

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\qoobox\quarantine\c\windows\system32\s3trayp.exe83.vir

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\windows\pixart\pac7302\monitor.exe133

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\windows\pixart\pac7302\monitor.exe217

05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\windows\pixart\pac7302\monitor.exe91

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

Yes c:\program files\iwin games\adminworker.exe

Yes c:\program files\iwin games\iwingames.exe

Yes c:\program files\iwin games\uninstall.exe

Yes c:\program files\iwin games\webinstaller.exe

Yes c:\program files\iwin games\webupdater.exe

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

;===================================================================================================================================================================================
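Panda's report mixes tracking cookies, files ComboFix had already moved under c:\qoobox\quarantine, one component flagged Active, and dormant files, and the reply that follows acts on only some of them. The Python below is an added example, not Panda's code or anything posted in this thread: it parses the MALWARE table into rows and sorts each location into one of four buckets so the items that still need a hand (active, or on disk outside quarantine) are separated from the noise. The rows are copied from the report above with the cookie rows trimmed to one; the bucket names are mine, and treating c:\qoobox\quarantine as ComboFix's quarantine folder is an assumption drawn from the .vir copies and the ComboFix-quarantined-files.txt line in the earlier log.

```python
import re
from collections import defaultdict

# Constructed sample: MALWARE rows copied from the Panda ActiveScan report above (cookie rows
# cut to one), in the same column layout the report uses.
PANDA_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\rita\appdata\roaming\microsoft\windows\cookies\low\rita@com[1].txt
02463795 Adware/iWinArcade Adware Yes 0 Yes No c:\program files\iwin games\iwintrusted.exe
02893775 Spyware/Iehelp Spyware No 1 Yes No c:\program files\iwin games\firefox\iwinarcadelauncher.exe
03281648 Trj/Lineage.BZE Virus/Trojan No 1 No No c:\users\rita\desktop\new folder (2)\files\p\polly pride - pet detective.exe[uninstall.exe]
03637626 Adware/Zango Adware No 0 Yes No c:\qoobox\quarantine\c\program files\gamesbar\oberontb.dll.vir
05176738 Generic Backdoor Virus/Trojan No 0 Yes No c:\program files\iwin.com\mcf ravenhearst\gamelauncher.exe
05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\program files\common files\ahead\lib\nerocheck.exe84
05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\qoobox\quarantine\c\windows\system32\rthdvcpl .exe.vir
05560839 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\windows\pixart\pac7302\monitor.exe133
"""

# One report row. Description may contain spaces ("Generic Backdoor"), so it is matched lazily
# and the fixed Yes/No/number columns that follow the Type anchor the split.
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<description>.+?)\s+"
    r"(?P<type>TrackingCookie|Adware|Spyware|Virus/Trojan|\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+?)\s*$"
)
# Assumed: ComboFix's quarantine folder, where the .vir copies in the report live
QUARANTINE = r"c:\qoobox\quarantine"

def parse_panda(text: str) -> list:
    """Return the MALWARE rows as dicts; header, banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            rows.append(row)
    return rows

def classify(row: dict) -> str:
    loc = row["location"].lower()
    if row["type"] == "TrackingCookie":
        return "cookie"          # browser cookies, not code: clear them, don't chase them
    if loc.startswith(QUARANTINE):
        return "quarantined"     # already neutralised by ComboFix; a hit here is expected
    if row["active"] == "Yes":
        return "active"          # running or loaded right now: deal with this first
    return "on_disk"             # dormant file: delete it, or submit it for a second opinion

def triage(text: str) -> dict:
    """Group report locations by the bucket they fall into, preserving report order."""
    groups = defaultdict(list)
    for row in parse_panda(text):
        groups[classify(row)].append(row["location"])
    return dict(groups)

if __name__ == "__main__":
    for group, paths in triage(PANDA_REPORT).items():
        print(group)
        for p in paths:
            print("   ", p)
```

On the sample the "active" bucket holds only iwintrusted.exe and the "on_disk" bucket the iWin launchers, the Polly Pride archive member and the nerocheck.exe84 and monitor.exe133 files, which is the set the next reply tells the user to uninstall, delete or upload; the two .vir entries land in "quarantined" and need no further action.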

Posted

Go to Control Panel > Add/Remove Programs and uninstall anything related to IWin Games.

 

Reboot your PC, then navigate to and delete the following file if still present:

c:\users\rita\desktop\new folder (2)\files\p\polly pride - pet detective.exe

 

As well as this folder:

c:\program files\iwin games\

 

=====================

 

Next go to http://virusscan.jotti.org, click on Browse, and upload the following files for analysis. You will only be able to have one file scanned at a time:

 

c:\windows\pixart\pac7302\monitor.exe

c:\program files\common files\ahead\lib\nerocheck.exe

 

Then click Submit. Allow the files to be scanned individually, and then please Copy/Paste the results here for me to see.

Posted


 

Jotti's malware scan

 

This file has been scanned before. The results for this previous scan are listed below.

 

 

Filename: a.x
Status: Scan finished. 13 out of 21 scanners reported malware.
Scan taken on: Thu 29 Oct 2009 16:05:39 (CET)

Additional info

File size: 30208 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 5dffef985b3401929cf3adbd629f31eb
SHA1: 5c7d2730108bcc12aa930bedffe613fc1e07b861

Scanners

 

ArcaVir 2009-10-29 Downloader.Small.Anxi
GData 2009-10-29 Trojan.Downloader.JMME
a-squared 2009-10-29 Trojan-Downloader.Win32.Small!IK
Ikarus 2009-10-29 Trojan-Downloader.Win32.Small
Avast 2009-10-28 Win32:Malware-gen
Kaspersky 2009-10-29 Trojan-Downloader.Win32.Small.anxi
AVG 2009-10-29 Found nothing
NOD32 2009-10-29 Win32/TrojanDownloader.Unruy.AA
AntiVir 2009-10-29 TR/Dldr.Small.anxi
Norman 2009-10-29 Found nothing
BitDefender 2009-10-29 Trojan.Downloader.JMME
Panda 2009-10-28 Found nothing
ClamAV 2009-10-29 Found nothing
QuickHeal 2009-10-29 Found nothing
CPsecure 2009-10-29 Troj.Downloader.W32.Small.anxi
Sophos 2009-10-29 Troj/Dldr-CF
DrWeb 2009-10-29 Trojan.DownLoad.56293
VBA32 2009-10-28 Found nothing
F-Prot 2009-10-29 Found nothing
VirusBuster 2009-10-28 Found nothing
F-Secure 2009-10-29 Trojan-Downloader.Win32.Small.anxi

 

 

 

 

 


Posted

nerocheck.exe

 

ArcaVir 2009-12-07 Found nothing
GData 2009-12-07 Found nothing
a-squared 2009-12-07 Found nothing
Ikarus 2009-12-07 Found nothing
Avast 2009-12-07 Found nothing
Kaspersky 2009-12-07 Found nothing
AVG 2009-12-07 Scanner unavailable
NOD32 2009-12-07 Found nothing
Avira 2009-12-07 Found nothing
Norman 2009-12-07 Found nothing
BitDefender 2009-12-07 Found nothing
Panda 2009-12-07 Found nothing
ClamAV 2009-12-07 Found nothing
QuickHeal 2009-12-07 Found nothing
CPsecure 2009-12-04 Found nothing
Sophos 2009-12-07 Found nothing
DrWeb 2009-12-07 Found nothing
VBA32 2009-12-06 Found nothing
F-Prot 2009-12-07 Found nothing
VirusBuster 2009-12-07 Found nothing
F-Secure 2009-12-07 Found nothing
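Jotti answered the monitor.exe upload with a result dated 29 October because the submitted file had the same hash as one scanned before, and the "13 out of 21" in that result is the number of engines that returned a verdict. For nerocheck.exe one engine was unavailable, which is not the same as a clean verdict. The Python below is an added example, not Jotti's code or anything from the thread: it does the same two things locally, hashing a file in chunks and checking the digests against a small known-bad table seeded with the MD5 and SHA1 printed in the result above, and parsing a pasted scanner table into a detection ratio that counts an unavailable engine as not having run. The scanner-name tokens in the sample are my one-word normalisation of the engine logos shown in the two results; the Kaspersky name is used as the label for the known hashes because it appears in the same table.

```python
import hashlib
import re

# Digests Jotti printed for the earlier submission that monitor.exe matched (copied from the
# result above), labelled with the Kaspersky detection name from the same table.
KNOWN_BAD = {
    "5dffef985b3401929cf3adbd629f31eb": "Trojan-Downloader.Win32.Small.anxi (MD5, Jotti 2009-10-29)",
    "5c7d2730108bcc12aa930bedffe613fc1e07b861": "Trojan-Downloader.Win32.Small.anxi (SHA1, Jotti 2009-10-29)",
}

# Constructed sample: the 21 scanner lines from the monitor.exe result, one token per engine.
MONITOR_EXE_RESULTS = """
ArcaVir 2009-10-29 Downloader.Small.Anxi
GData 2009-10-29 Trojan.Downloader.JMME
a-squared 2009-10-29 Trojan-Downloader.Win32.Small!IK
Ikarus 2009-10-29 Trojan-Downloader.Win32.Small
Avast 2009-10-28 Win32:Malware-gen
Kaspersky 2009-10-29 Trojan-Downloader.Win32.Small.anxi
AVG 2009-10-29 Found nothing
NOD32 2009-10-29 Win32/TrojanDownloader.Unruy.AA
AntiVir 2009-10-29 TR/Dldr.Small.anxi
Norman 2009-10-29 Found nothing
BitDefender 2009-10-29 Trojan.Downloader.JMME
Panda 2009-10-28 Found nothing
ClamAV 2009-10-29 Found nothing
QuickHeal 2009-10-29 Found nothing
CPsecure 2009-10-29 Troj.Downloader.W32.Small.anxi
Sophos 2009-10-29 Troj/Dldr-CF
DrWeb 2009-10-29 Trojan.DownLoad.56293
VBA32 2009-10-28 Found nothing
F-Prot 2009-10-29 Found nothing
VirusBuster 2009-10-28 Found nothing
F-Secure 2009-10-29 Trojan-Downloader.Win32.Small.anxi
"""

ALGORITHMS = ("md5", "sha1", "sha256")
NO_VERDICT = "Found nothing"
UNAVAILABLE = "Scanner unavailable"
RESULT_LINE = re.compile(r"^(?P<scanner>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>.+?)\s*$")

def hash_bytes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}

def hash_file(path: str, chunk_size: int = 1 << 16) -> dict:
    """Hash a file in chunks so a large binary never has to fit in memory."""
    digests = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}

def lookup(hashes: dict):
    """Return the label of a known-bad digest, or None: the local form of Jotti's hash search."""
    for digest in hashes.values():
        if digest.lower() in KNOWN_BAD:
            return KNOWN_BAD[digest.lower()]
    return None

def parse_results(text: str) -> dict:
    """Map engine name to verdict for every 'scanner date verdict' line in a pasted table."""
    results = {}
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            results[m["scanner"]] = m["verdict"]
    return results

def detection_ratio(results: dict) -> tuple:
    """(detections, engines that actually ran); an unavailable engine is not a clean verdict."""
    ran = {s: v for s, v in results.items() if v != UNAVAILABLE}
    hits = [s for s, v in ran.items() if v != NO_VERDICT]
    return len(hits), len(ran)

if __name__ == "__main__":
    print(detection_ratio(parse_results(MONITOR_EXE_RESULTS)))      # (13, 21)
    print(lookup({"md5": "5dffef985b3401929cf3adbd629f31eb"}))
```

Hashing before uploading is worth the few seconds: if the digest is already known, the earlier result is the answer and the file need not leave the machine, and when a submission is new the ratio should be read against the engines that ran, so the nerocheck.exe table above is 0 of 20, not 0 of 21.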

Posted (edited)

It's time to remove ComboFix.

 

Go to Start > Run.

Type in box

 

combofix /uninstall

 

Note: the space between the X and the /uninstall

 

Press Enter.

 

This command will:

 

Delete the following:

ComboFix and its associated files and folders.

VundoFix backups, if present

The C:\Deckard folder, if present

The C:\_OtMoveIt folder, if present

 

Reset the clock settings.

Hide file extensions, if required.

Hide System/Hidden files, if required.

Reset System Restore.

 

 

Even if you have no more queries, I would appreciate if you can reply once more to this thread so we can be sure all your problems are truly resolved. Thanks. :)

Edited by chiaz
Posted
Hello, sorry I haven't got back sooner; I've been working away. On the Start menu I can't find Run, only the search box. Is this the same one I use? Thanks.
Posted

In Vista,

 

Click the bottom left button (Start button).

Right above is a small search box. Type Run.

 

The Run program option will appear. Click on that, then proceed with the uninstallation per my instructions above.

 

Thanks.
