TheTechGuide Forum
General Category => Tech Clinic => Topic started by: neal2087 on November 04, 2008, 09:34:52 AM
-
I am unable to change to "show hidden files": every time I select show hidden files and click Apply and OK, it doesn't make the changes.
This is my HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:55 PM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 4848 bytes
-
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Temporarily disable any AntiVirus, Anti-Spyware or Firewall software so it won't interfere with the next step
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from ComboFix and a fresh Hijackthis log
-
[quote name='guestolo' post='446159' date='Nov 4 2008, 10:47 PM']
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Temporarily disable any AntiVirus, Anti-Spyware or Firewall software so it won't interfere with the next step
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from ComboFix and a fresh Hijackthis log
[/quote]
I think my problem is solved, thank you.
But if there is any malware left in my PC, please help me clean it.
This is my ComboFix log file:
ComboFix 08-11-04.02 - nilesh 2008-11-05 4:53:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.487 [GMT 5.5:30]
Running from: c:\documents and settings\nilesh\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
C:\x.com
D:\Autorun.inf
D:\x.com
E:\Autorun.inf
E:\x.com
F:\Autorun.inf
F:\x.com
.
((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.
2008-11-04 22:07 . 2008-11-04 22:07 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-10-28 16:40 . 2008-10-28 16:40 <DIR> d-------- c:\program files\System32
2008-10-28 16:40 . 2008-11-04 22:07 <DIR> d-------- c:\documents and settings\Administrator
2008-10-25 16:43 . 2008-10-25 16:43 <DIR> d-------- c:\program files\Xilisoft
2008-10-21 19:40 . 2008-10-21 19:40 <DIR> d-------- c:\documents and settings\nilesh\Application Data\123 Free Solitaire
2008-10-09 19:14 . 2008-10-09 19:14 31 --a------ c:\windows\warhead.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 22:38 --------- d-----w c:\documents and settings\nilesh\Application Data\Broadband
2008-11-01 19:39 --------- d-----w c:\program files\Sify Broadband
2008-10-10 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-10-10 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-10-03 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-22 17:38 --------- d-----w c:\documents and settings\nilesh\Application Data\dvdcss
2008-09-14 04:33 --------- d-----w c:\program files\Trend Micro
2008-09-12 23:49 --------- d-----w c:\program files\C-Media 3D Audio
2008-09-06 18:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-09-05 17:39 --------- d-----w c:\program files\Symantec AntiVirus
2008-09-05 17:39 --------- d-----w c:\program files\Symantec
2008-09-05 17:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-05 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-04 10:52 --------- d-----w c:\documents and settings\nilesh\Application Data\vlc
2008-09-04 10:50 --------- d-----w c:\program files\VideoLAN
2008-09-04 09:44 --------- d-----w c:\program files\Counter Strike - Condition Zero (Ultimate Edition)
2008-09-01 11:34 1,127,881 ----a-w c:\windows\Counter Strike - Condition Zero (Ultimate Edition) Uninstaller.exe
2008-08-19 17:23 81,920 ------r c:\windows\bwUnin-6.1.4.68-8876480L.exe
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((( snapshot@2008-09-05_14.59.40.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-11 18:39:39 683,520 ----a-w c:\windows\$hf_mig$\KB951066\SP2QFE\inetcomm.dll
+ 2008-04-11 19:04:26 691,712 ----a-w c:\windows\$hf_mig$\KB951066\SP3GDR\inetcomm.dll
+ 2008-04-11 18:52:26 691,712 ----a-w c:\windows\$hf_mig$\KB951066\SP3QFE\inetcomm.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB951066\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB951066\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB951066\update\spcustom.dll
+ 2007-12-03 15:25:31 755,576 ----a-w c:\windows\$hf_mig$\KB951066\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB951066\update\updspapi.dll
+ 2004-08-03 19:56:44 678,400 -c----w c:\windows\$NtUninstallKB951066$\inetcomm.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB951066$\spuninst\spuninst.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB951066$\spuninst\updspapi.dll
- 2004-08-03 19:56:44 678,400 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-06-19 12:17:58 17,144 ----a-w c:\windows\system32\drivers\mbam.sys
+ 2008-06-19 12:18:04 34,296 ----a-w c:\windows\system32\drivers\mbamcatchme.sys
+ 2007-01-24 12:15:46 102,800 ----a-w c:\windows\system32\drivers\tmcomm.sys
+ 2006-11-14 06:44:04 73,288 ----a-w c:\windows\system32\drivers\tmtdi.sys
- 2004-08-03 19:56:44 678,400 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
- 2008-07-29 11:03:59 74,137 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-10-31 16:37:12 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-07-31 15:02:14 41,040 ----a-w c:\windows\system32\perfc009.dat
+ 2008-10-16 01:00:27 41,040 ----a-w c:\windows\system32\perfc009.dat
- 2008-07-31 15:02:14 314,838 ----a-w c:\windows\system32\perfh009.dat
+ 2008-10-16 01:00:27 314,838 ----a-w c:\windows\system32\perfh009.dat
+ 2001-08-17 08:28:02 35,840 ----a-w c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\isapnp.sys
+ 2004-08-03 17:38:44 57,600 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbhub.sys
+ 2004-08-03 17:38:44 142,976 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbport.sys
+ 2004-08-03 17:38:38 20,480 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbuhci.sys
+ 2004-08-03 19:26:48 74,240 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
- 2004-08-03 18:08:44 57,600 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbhub.sys
+ 2004-08-03 17:38:44 57,600 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbhub.sys
- 2004-08-03 18:08:44 142,976 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbport.sys
+ 2004-08-03 17:38:44 142,976 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbport.sys
- 2004-08-03 18:08:38 20,480 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbuhci.sys
+ 2004-08-03 17:38:38 20,480 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbuhci.sys
- 2004-08-04 00:56:48 74,240 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
+ 2004-08-03 19:26:48 74,240 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
+ 2004-08-03 17:29:44 95,360 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
+ 2001-08-17 08:21:52 3,328 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\pciide.sys
+ 2004-08-03 17:29:42 25,088 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\pciidex.sys
+ 2002-06-13 03:37:16 45,568 ----a-w c:\windows\system32\ReinstallBackups\0006\DriverFiles\R8139n51.sys
+ 2004-08-03 17:37:48 68,224 ----a-w c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\pci.sys
+ 2003-04-15 02:40:46 78,752 ----a-w c:\windows\system32\ReinstallBackups\0013\DriverFiles\ialmkchw.sys
+ 2003-04-15 02:39:54 11,319 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a302.sys
+ 2003-04-15 02:39:58 29,239 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a303.sys
+ 2003-04-15 02:40:04 46,647 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a304.sys
+ 2003-04-15 02:40:08 11,831 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a305.sys
+ 2003-04-15 02:40:12 16,439 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a306.sys
+ 2003-04-15 02:40:16 21,559 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a307.sys
+ 2003-04-15 02:40:20 10,807 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a308.sys
+ 2003-04-15 02:40:24 25,655 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a309.sys
+ 2003-04-15 02:40:28 33,335 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a310.sys
+ 2003-04-15 02:40:32 32,823 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a311.sys
+ 2003-04-15 02:41:00 37,431 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a313.sys
+ 2003-04-15 02:41:04 10,807 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\a314.sys
+ 2003-04-06 16:05:16 118,784 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\hccutils.dll
+ 2003-04-06 16:07:38 114,688 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe
+ 2003-04-15 02:39:48 65,536 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\iAlmCoIn.dll
+ 2003-04-15 02:39:10 459,330 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmdd5.dll
+ 2003-04-15 02:39:36 187,963 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmdev5.dll
+ 2003-04-15 02:39:44 115,772 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmdnt5.dll
+ 2003-04-15 02:20:48 188,416 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmgdev.dll
+ 2003-04-15 02:20:12 1,859,584 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmgicd.dll
+ 2003-04-15 02:40:46 78,752 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmkchw.sys
+ 2003-04-15 02:39:46 90,907 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmnt5.sys
+ 2003-04-15 02:40:40 73,728 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmrem.dll
+ 2003-04-15 02:40:56 33,792 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmrnt5.dll
+ 2003-04-15 02:40:54 113,504 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\ialmsbw.sys
+ 2003-04-06 16:13:58 487,424 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxcfg.exe
+ 2003-04-06 16:04:54 147,456 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxdev.dll
+ 2003-04-06 16:15:52 45,056 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxdgps.dll
+ 2003-04-06 16:15:50 151,552 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxdiag.exe
+ 2003-04-06 16:04:14 86,016 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxdo.dll
+ 2003-04-06 16:17:44 221,184 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxeud.dll
+ 2003-04-06 16:20:14 32,768 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxexps.dll
+ 2003-04-06 16:20:10 90,112 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxext.exe
+ 2003-04-06 16:07:12 118,784 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxhk.dll
+ 2003-04-06 16:18:56 204,800 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxpph.dll
+ 2003-04-06 16:05:42 503,808 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxress.dll
+ 2003-04-06 16:06:48 315,392 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxsrvc.dll
+ 2003-04-06 16:19:52 155,648 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe
+ 2003-04-15 02:40:36 20,533 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\vch.sys
+ 2003-04-15 02:39:50 33,335 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\wa301a.sys
+ 2003-04-15 02:39:50 33,335 ----a-w c:\windows\system32\ReinstallBackups\0014\DriverFiles\wa301b.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 356352]
"Cmaudio"="cmicnfg.cpl" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\WINDOWS\\system32\\userinit.exe,c:\\Program Files\\System32\\database.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\install4j\\bin\\install4j.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Counter Strike - Condition Zero (Ultimate Edition)\\czero.exe"=
R0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);c:\windows\system32\DRIVERS\ss_bus.sys [2005-01-24 52384]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\DRIVERS\ss_mdfl.sys [2005-01-24 6064]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\DRIVERS\ss_mdm.sys [2005-01-24 84512]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f56054-aa37-11dd-9eeb-000b6aea30d5}]
\Shell\AutoRun\command - H:\x.com
\Shell\explore\Command - H:\x.com
\Shell\open\Command - H:\x.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd01b6f-79e3-11dd-9e24-000b6aea30d5}]
\Shell\AutoRun\command - H:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe8b47c0-5bbe-11dd-9dce-000b6aea30d5}]
\Shell\AutoRun\command - winsystem.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1CB622F9-7299-4245-0705-080208070506}]
c:\windows\system32\SecSystem.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-winsystem - c:\documents and settings\Administrator\WINDOWS\system\winsystem.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\nilesh\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.in/
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 04:54:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-05 4:55:59
ComboFix-quarantined-files.txt 2008-11-04 23:25:53
ComboFix2.txt 2008-09-05 09:30:01
Pre-Run: 1,155,801,088 bytes free
Post-Run: 1,179,709,440 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
233 --- E O F --- 2008-09-10 02:14:57
This is my fresh hijack this log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:05 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\System32\database.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 5129 bytes
-
We have a bit more cleanup to do
Can you do the following
go to this link
http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to 'Upload a File'
Or Browse to the file
C:\Program Files\System32\database.exe
Then use the SEND FILE button
Let it finish scanning
Could you post the results of this scan back here please
Or better yet, just link to the results page
I'm unsure if the file still exists, but check anyways
I'm not even sure if the folder System32 exists
Notice the path C:\Program Files\System32
The correct System32 folder is this path
C:\WINDOWS\system32
After you post those results, or even if you can't find the file
Can you do the following
If you have an older version of SDFix, delete it
We need an updated copy
Download
SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe)
Save it to your desktop
Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
In Safe mode
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder - Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Post the report from SDFix please
In addition, can you let me know if you have any external flash drives
E.g. USB thumb drives, external hard drives, etc.
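As an added illustration of the point about the lookalike System32 path (this is not the thread's own code, nor part of HijackThis, ComboFix or SDFix), the following Python helper triages HijackThis-style F2, O1 and O4 lines from a constructed sample modelled on the logs above: it lists programs chained onto Userinit besides the genuine one, hosts entries that pin a non-local name to a non-loopback address, and autostart targets that borrow a Windows folder name outside the real <drive>:\WINDOWS tree. The sample lines and all function names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: HijackThis-style lines modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

# Folder names that malware borrows to look like part of Windows.
SYSTEM_DIR_NAMES = {"windows", "system32", "system"}


def is_lookalike_system_path(path: str) -> bool:
    r"""True when a path uses a system folder name (WINDOWS, System32, system)
    but is not under the genuine <drive>:\WINDOWS tree, e.g.
    C:\Program Files\System32\database.exe or a WINDOWS folder inside a user profile."""
    parts = PureWindowsPath(path.strip().strip('"')).parts
    if len(parts) < 2:  # relative path or bare file name: nothing to judge
        return False
    under_real_windows = parts[1].lower() == "windows"
    borrows_system_name = any(p.lower() in SYSTEM_DIR_NAMES for p in parts[1:-1])
    return borrows_system_name and not under_real_windows


def userinit_extras(value: str) -> list[str]:
    r"""Return every program chained onto the Userinit value besides the genuine
    <drive>:\WINDOWS\system32\userinit.exe. Winlogon starts each entry at logon,
    so an extra program here survives cleanup of the ordinary Run keys."""
    extras = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:  # the value normally ends with a trailing comma
            continue
        p = PureWindowsPath(entry)
        genuine = (len(p.parts) == 4
                   and p.parts[1].lower() == "windows"
                   and p.parts[2].lower() == "system32"
                   and p.parts[3].lower() == "userinit.exe")
        if not genuine:
            extras.append(entry)
    return extras


def suspicious_hosts_entry(ip: str, host: str) -> bool:
    """A hosts line that pins a non-local name to a non-loopback address bypasses
    DNS for that name; for a bank or shop domain that is a pharming indicator."""
    loopback = ip.startswith("127.") or ip == "::1"
    return not loopback and host.lower() not in {"localhost", "localhost.localdomain"}


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Scan HijackThis-style lines and return (section, indicator, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := USERINIT_RE.match(line):
            for extra in userinit_extras(m.group(1)):
                findings.append(("F2", "extra Userinit program", extra))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if suspicious_hosts_entry(ip, host):
                findings.append(("O1", "hosts override", f"{host} -> {ip}"))
        elif m := RUN_RE.match(line):
            hive, name, target = m.groups()
            if is_lookalike_system_path(target):
                findings.append(("O4", "lookalike system path", f"{hive} [{name}] {target}"))
    return findings


if __name__ == "__main__":
    for section, indicator, detail in triage(SAMPLE_LOG):
        print(f"{section}: {indicator}: {detail}")
```

A flagged entry is a lead to verify (for instance by uploading the file as the post above suggests), not a verdict: legitimate software can also register Userinit helpers or hosts entries.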
-
This is the link to the results page, and that folder did exist:
http://www.virustotal.com/analisis/688df7a12372628190f5abe425a47c53
Will do the remaining things in a while.
-
Yes, I use flash drives.
-
[quote name='neal2087' post='446263' date='Nov 5 2008, 07:18 AM']
Yes, I use flash drives.
[/quote]
This is the SDFix log:
SDFix: Version 1.239
Run by nilesh on Wed 11/05/2008 at 06:30 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\SecSystem.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 06:33:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\install4j\\bin\\install4j.exe"="C:\\Program Files\\install4j\\bin\\install4j.exe:*:Enabled:install4j"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Counter Strike - Condition Zero (Ultimate Edition)\\czero.exe"="C:\\Program Files\\Counter Strike - Condition Zero (Ultimate Edition)\\czero.exe:*:Enabled:Condition Zero Launcher"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 4 Aug 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 22 May 2008 290,816 ..SH. --- "C:\Program Files\System32\DATABASE.exe"
Thu 9 Oct 2008 41,048 A.SH. --- "C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\boot.exe"
Tue 20 Mar 2007 9,824 A.SH. --- "C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\explorer.exe"
Sun 26 Nov 2006 2,652 A.SH. --- "C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\fooool.exe"
Mon 28 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BIT1.tmp"
Thu 11 Sep 2008 687,224 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e507e8f3bef2a675e185bf0840eebb5f\BIT1.tmp"
Finished!
-
That System32 folder in Program Files, shall I delete it?
This is my fresh HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:15 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\System32\database.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\AAF694.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 5260 bytes
-
Can you do the following for now, please?
Download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop. Double-click on Flash_Disinfector.exe and select Run As Administrator to run it. If you receive a prompt, please allow it.
- You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them all in.
- Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
- When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
- Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Leave any flash drives or external hard drives connected.
Then:
Copy ALL the BLUE text below and paste it into Notepad.
Don't use anything other than Notepad, or the script will not work.
[color="#0000FF"]File::
c:\Program Files\System32\database.exe
H:\x.com
H:\setup.exe
c:\documents and settings\Administrator\WINDOWS\system\winsystem.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsystem"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f56054-aa37-11dd-9eeb-000b6aea30d5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd01b6f-79e3-11dd-9e24-000b6aea30d5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe8b47c0-5bbe-11dd-9dce-000b6aea30d5}]
DirLook::
c:\program files\System32
[/color]
Save this as a text file on your laptop's desktop, with the exact name
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
I'll need to see that log again later, along with a fresh HijackThis log.
Could you also let me know if this folder is empty, or if there are any files/folders in it
c:\documents and settings\Administrator\WINDOWS
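The CFScript above targets three things that a HijackThis log exposes: an extra executable chained onto UserInit, a bogus "System32" folder under Program Files, and an autostart living in a user profile. The checks below pick those (and the Shell= and DisableRegedit variants that show up later in this thread) out of a log mechanically. This is an added example in Python, not part of the thread nor of HijackThis or ComboFix; the sample lines are copied from the logs posted in this thread, and the table of canonical system-binary locations is an assumption for a default Windows XP install.

```python
"""Flag the kinds of autostart and process entries that the CFScript above
targets, by scanning HijackThis log lines.  Added example, not part of the
original thread or of HijackThis/ComboFix."""
import re
from typing import List, Tuple

# Where these binaries live on a default Windows XP install (assumption for
# this example).  The same name running from anywhere else is suspicious:
# compare C:\WINDOWS\system32\28463\svchost.exe in the last log of the thread.
SYSTEM_BINARIES = {
    "smss.exe": "c:\\windows\\system32\\smss.exe",
    "winlogon.exe": "c:\\windows\\system32\\winlogon.exe",
    "services.exe": "c:\\windows\\system32\\services.exe",
    "lsass.exe": "c:\\windows\\system32\\lsass.exe",
    "svchost.exe": "c:\\windows\\system32\\svchost.exe",
    "userinit.exe": "c:\\windows\\system32\\userinit.exe",
    "explorer.exe": "c:\\windows\\explorer.exe",
}

# O4 line: 'O4 - HKLM\..\Run: [name] "path.exe" args'; capture the path.
O4_RE = re.compile(r'o4 - .*?\[.*?\]\s*"?([a-z]:\\[^"]+?\.exe)')
# A bare path as printed in the 'Running processes:' block.
PROCESS_RE = re.compile(r"[a-z]:\\.*\.exe$")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _check_path(path: str, autostart: bool) -> List[str]:
    """Findings for one executable path (already lower-cased)."""
    findings = []
    canon = SYSTEM_BINARIES.get(_basename(path))
    if canon and path != canon:
        findings.append(f"system binary name outside its normal location: {path}")
    if "\\program files\\system32\\" in path:
        findings.append(f"fake System32 folder under Program Files: {path}")
    if path.startswith("c:\\windows\\temp\\"):
        findings.append(f"running from TEMP: {path}")
    if autostart and path.startswith("c:\\documents and settings\\"):
        findings.append(f"autostart from a user profile: {path}")
    return findings


def check_line(line: str) -> List[str]:
    """Return the findings for one HijackThis log line (empty if none)."""
    norm = line.strip().lower()
    findings = []

    # F2 UserInit: should list userinit.exe and nothing else.
    m = re.match(r"f2 - reg:system\.ini: userinit=(.*)$", norm)
    if m:
        extra = [p.strip() for p in m.group(1).split(",")
                 if p.strip() and _basename(p.strip()) != "userinit.exe"]
        if extra:
            findings.append(f"UserInit hijack, extra executable(s): {extra}")

    # F2 Shell: should be Explorer.exe and nothing else.
    m = re.match(r"f2 - reg:system\.ini: shell=(.*)$", norm)
    if m:
        extra = [p for p in m.group(1).split() if _basename(p) != "explorer.exe"]
        if extra:
            findings.append(f"Shell hijack, extra executable(s): {extra}")

    # O7 policy that locks the user out of the registry editor.
    if norm.startswith("o7 -") and "disableregedit=1" in norm:
        findings.append("registry editor disabled by policy")

    # O4 Run entries and the 'Running processes' block: inspect the path.
    m = O4_RE.match(norm)
    if m:
        findings += _check_path(m.group(1), autostart=True)
    elif PROCESS_RE.match(norm):
        findings += _check_path(norm, autostart=False)
    return findings


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Run check_line over a whole log; returns (line, finding) pairs."""
    return [(ln.strip(), f) for ln in text.splitlines() for f in check_line(ln)]


# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\Program Files\System32\database.exe
C:\WINDOWS\TEMP\AAF694.EXE
C:\WINDOWS\system32\28463\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for line, finding in scan_log(SAMPLE_LOG):
        print(f"{finding}\n    {line}")
```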
-
That folder you asked about is empty.
This is my ComboFix log file:
ComboFix 08-11-04.02 - nilesh 2008-11-05 7:27:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.350 [GMT 5.5:30]
Running from: c:\documents and settings\nilesh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nilesh\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\documents and settings\Administrator\WINDOWS\system\winsystem.exe
c:\program files\System32\DATABASE.exe
H:\setup.exe
H:\x.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\System32\DATABASE.exe
H:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-05 06:27 . 2008-11-05 06:27 <DIR> d-------- c:\windows\ERUNT
2008-11-05 06:26 . 2008-11-05 06:34 <DIR> d-------- C:\SDFix
2008-11-04 22:07 . 2008-11-04 22:07 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-10-28 16:40 . 2008-11-05 07:27 <DIR> d-------- c:\program files\System32
2008-10-28 16:40 . 2008-11-04 22:07 <DIR> d-------- c:\documents and settings\Administrator
2008-10-25 16:43 . 2008-10-25 16:43 <DIR> d-------- c:\program files\Xilisoft
2008-10-21 19:40 . 2008-10-21 19:40 <DIR> d-------- c:\documents and settings\nilesh\Application Data\123 Free Solitaire
2008-10-09 19:14 . 2008-10-09 19:14 31 --a------ c:\windows\warhead.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 01:12 --------- d-----w c:\documents and settings\nilesh\Application Data\Broadband
2008-11-01 19:39 --------- d-----w c:\program files\Sify Broadband
2008-10-10 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-10-10 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-10-03 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-22 17:38 --------- d-----w c:\documents and settings\nilesh\Application Data\dvdcss
2008-09-14 04:33 --------- d-----w c:\program files\Trend Micro
2008-09-12 23:49 --------- d-----w c:\program files\C-Media 3D Audio
2008-09-06 18:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-09-05 17:39 --------- d-----w c:\program files\Symantec AntiVirus
2008-09-05 17:39 --------- d-----w c:\program files\Symantec
2008-09-05 17:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-05 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-01 11:34 1,127,881 ----a-w c:\windows\Counter Strike - Condition Zero (Ultimate Edition) Uninstaller.exe
2008-08-19 17:23 81,920 ------r c:\windows\bwUnin-6.1.4.68-8876480L.exe
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((( snapshot_2008-11-05_ 4.55.33.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-05 00:58:06 4,075,520 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-05 00:58:06 167,936 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-05 00:57:55 4,075,520 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-05 00:57:55 167,936 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-11-05 01:18:51 16,384 ----atw c:\windows\temp\Perflib_Perfdata_c20.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 356352]
"Cmaudio"="cmicnfg.cpl" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\install4j\\bin\\install4j.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Counter Strike - Condition Zero (Ultimate Edition)\\czero.exe"=
R0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);c:\windows\system32\DRIVERS\ss_bus.sys [2005-01-24 52384]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\DRIVERS\ss_mdfl.sys [2005-01-24 6064]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\DRIVERS\ss_mdm.sys [2005-01-24 84512]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 07:28:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-05 7:30:19
ComboFix-quarantined-files.txt 2008-11-05 02:00:13
ComboFix2.txt 2008-11-04 23:26:00
ComboFix3.txt 2008-09-05 09:30:01
Pre-Run: 2,833,309,696 bytes free
Post-Run: 2,825,736,192 bytes free
118 --- E O F --- 2008-09-10 02:14:57
This is my fresh HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:48 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 4911 bytes
-
Do reply if the cleaning-up process is done.
That database.exe file was deleted by ComboFix,
and I personally deleted that System32 folder from Program Files.
-
Please download [color="blue"]DirLook[/color] by jpshortstuff from one of the following mirrors:
[color="red"]Link 1[/color] (http://jpshortstuff.247fixes.com/DirLook.exe)
[color="red"]Link 2[/color] (http://images.malwareremoval.com/jpshortstuff/DirLook.exe)
[color="red"]Link 3[/color] (http://downloads.securitycadets.com/DirLook.exe)
- Double-click DirLook.exe to run it (Vista Users should right-click and select Run As Administrator...).
- Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
- Copy the content of the following codebox into the main textfield:
c:\documents and settings\Administrator
- Click the DirLook button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)
-
DirLook.exe v2.0 by jpshortstuff
Log created at 16:15 on 05/11/2008
==================================
Contents of "c:\documents and settings\Administrator"
[color="blue"]---FOLDERS---[/color]
WINDOWS (Created on 04/11/2008 at 16:37) d-----
[color="blue"]---FILES---[/color]
(none found)
==================================
[color="blue"]=EOF=[/color]
-
That folder looks empty and harmless
Can you post one last log, also let me know how things are running
Please supply an uninstall list from HijackThis:
Open HijackThis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy>>paste the whole contents back here.
-
This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:38 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\28463\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 4953 bytes
This is the uninstall list:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
CCleaner (remove only)
C-Media 3D Audio
Counter Strike - Condition Zero (Ultimate Edition)
DAEMON Tools
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Extended Capabilities 6.1
HP Imaging Device Functions 6.1
HP Photosmart Essential
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
install4j 4.1.3
Intel® Extreme Graphics Driver
Java(tm) 6 Update 6
K-Lite Mega Codec Pack 3.9.0
Logitech Desktop Messenger
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft VM for Java
Microsoft Web Publishing Wizard 1.53
Mozilla Firefox (2.0.0.17)
MSDN Library - Visual Studio 6.0
Nero Suite
RTLSetup for Realtek RTL8139/810x Family NIC 3.00
SAMSUNG Mobile USB Modem 1.0 Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sify Broadband 3.22
Trend Micro OfficeScan Client
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Video Converter 3
VideoLAN VLC media player 0.8.6d
Winamp
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Yahoo! Messenger
-
Looks as if you already got reinfected?
Can you do the following
Again, delete your copy of ComboFix and redownload a fresh copy
Also, delete CFScript.txt from desktop, let's recreate it
Copy ALL the text below and paste it into Notepad
Don't use anything other than Notepad or the script will not work
KillAll::
File::
C:\WINDOWS\system32\28463\svchost.exe
C:\WINDOWS\system32\regsvr.exe
DirLook::
C:\WINDOWS\system32\28463
Save this as a text file on your laptop's desktop, with the exact name of
CFScript
Next: do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
I'll need to see that log again later along with a fresh Hijackthis log
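The entries the helper ticks above share a few tells: a Run value that launches a copy of svchost.exe from a numbered subfolder of system32, a Winlogon Shell that starts regsvr.exe beside Explorer.exe, a policy that disables Regedit, and hooks whose file is gone. As an added example (not code from HijackThis, ComboFix or this post), the script below applies those checks to a HijackThis log. The sample lines are constructed from the entries quoted in the thread; the rule names, the look-alike name list and the set of system directories are assumptions of the example.

```python
"""Triage a HijackThis 2.x log for the persistence entries ticked in this thread.

Added example: this is not code from HijackThis, ComboFix or the forum post.
The sample log below is constructed from lines quoted in the thread (plus two
benign ones so the rules have something to ignore).
"""
import re

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
"""

# Assumption: a default XP layout with %SystemRoot% = C:\WINDOWS.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Core Windows binaries; a copy of any of these outside SYSTEM_DIRS is a red flag,
# and svchost.exe is started by the service control manager, never from a Run key.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "smss.exe"}
# Run-value names malware borrows to look legitimate (prefix match, case-insensitive).
LOOKALIKE_NAMES = ("msn messenger", "msn messsenger", "windows update", "microsoft update")
# Policies that lock the user out of their own diagnostic tools.
LOCKOUT_POLICIES = {"disableregedit", "disabletaskmgr", "disablecmd"}

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
POLICY_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$")
MISSING_RE = re.compile(r"^(?:O2|O23) - .*\((?:no file|file missing)\)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|pif))"?(?:\s|$)', re.IGNORECASE)


def exe_path(cmd):
    """Executable of a Run command: handles quoted paths and unquoted paths with spaces."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.split()[0]


def triage(log):
    """Return [(rule, detail), ...] for each suspicious line of a HijackThis log."""
    findings = []
    for line in (ln.strip() for ln in log.splitlines()):
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            folder, _, base = path.lower().rpartition("\\")
            if base == "svchost.exe" or (base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS):
                findings.append(("run-system-binary", path))
            if m.group("name").lower().startswith(LOOKALIKE_NAMES):
                findings.append(("run-lookalike-name", f"[{m.group('name')}] -> {path}"))
            continue
        m = SHELL_RE.match(line)
        if m:
            # Winlogon's Shell value should be exactly Explorer.exe; anything else piggybacks on logon.
            extra = [p for p in m.group("shell").split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell-extra-exe", " ".join(extra)))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("value").lower() in LOCKOUT_POLICIES and m.group("data") != "0":
            findings.append(("policy-lockout", f"{m.group('value')}={m.group('data')}"))
            continue
        if MISSING_RE.match(line):
            findings.append(("orphaned-entry", line.split(" - ", 1)[1]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:20} {detail}")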
-
Yeah, a cousin of mine had her pendrive in my PC; I think it should have come from there itself.
This is my fresh HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:31 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 4423 bytes
-
Can I see the new ComboFix log also
Do you still have her thumbdrive? It's infected and will infect any system she puts it on
Unless the drive is scanned first with an updated Virus scanner
-
I don't have her drive now, but I think she will be coming by tomorrow or on Saturday with her flash drive.
This is the ComboFix log file:
ComboFix 08-11-04.02 - nilesh 2008-11-05 23:01:40.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.375 [GMT 5.5:30]
Running from: c:\documents and settings\nilesh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nilesh\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-05 06:27 . 2008-11-05 06:27 <DIR> d-------- c:\windows\ERUNT
2008-11-05 06:26 . 2008-11-05 06:34 <DIR> d-------- C:\SDFix
2008-10-28 16:40 . 2008-11-05 22:28 <DIR> d-------- c:\documents and settings\Administrator
2008-10-25 16:43 . 2008-10-25 16:43 <DIR> d-------- c:\program files\Xilisoft
2008-10-21 19:40 . 2008-10-21 19:40 <DIR> d-------- c:\documents and settings\nilesh\Application Data\123 Free Solitaire
2008-10-09 19:14 . 2008-10-09 19:14 31 --a------ c:\windows\warhead.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 17:27 --------- d-----w c:\documents and settings\nilesh\Application Data\Broadband
2008-11-01 19:39 --------- d-----w c:\program files\Sify Broadband
2008-10-10 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-10-10 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-10-03 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-22 17:38 --------- d-----w c:\documents and settings\nilesh\Application Data\dvdcss
2008-09-14 04:33 --------- d-----w c:\program files\Trend Micro
2008-09-12 23:49 --------- d-----w c:\program files\C-Media 3D Audio
2008-09-06 18:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-09-05 17:39 --------- d-----w c:\program files\Symantec AntiVirus
2008-09-05 17:39 --------- d-----w c:\program files\Symantec
2008-09-05 17:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-05 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-01 11:34 1,127,881 ----a-w c:\windows\Counter Strike - Condition Zero (Ultimate Edition) Uninstaller.exe
2008-08-19 17:23 81,920 ------r c:\windows\bwUnin-6.1.4.68-8876480L.exe
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\28463 ----
c:\windows\system32\28463\
((((((((((((((((((((((((((((( snapshot_2008-11-05_ 4.55.33.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-05 00:58:06 4,075,520 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-05 00:58:06 167,936 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-05 00:57:55 4,075,520 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-05 00:57:55 167,936 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-11-05 17:27:33 16,384 ----atw c:\windows\temp\Perflib_Perfdata_fa0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"Cmaudio"="cmicnfg.cpl" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\install4j\\bin\\install4j.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Counter Strike - Condition Zero (Ultimate Edition)\\czero.exe"=
R0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);c:\windows\system32\DRIVERS\ss_bus.sys [2005-01-24 52384]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\DRIVERS\ss_mdfl.sys [2005-01-24 6064]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\DRIVERS\ss_mdm.sys [2005-01-24 84512]
.
Contents of the 'Scheduled Tasks' folder
2008-11-05 c:\windows\Tasks\At1.job
- c:\windows\system32\svchost []
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 23:02:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-05 23:03:41
ComboFix-quarantined-files.txt 2008-11-05 17:33:07
ComboFix2.txt 2008-11-05 17:26:21
ComboFix3.txt 2008-11-05 02:00:20
ComboFix4.txt 2008-11-04 23:26:00
ComboFix5.txt 2008-11-05 17:31:15
Pre-Run: 3,521,167,360 bytes free
Post-Run: 3,513,393,152 bytes free
115 --- E O F --- 2008-09-10 02:14:57
-
Can you do the following
Download > OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer.
- Save it to your desktop.
- Double-click OTMoveIt3.exe to run it.
- Copy the entries below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
:Processes
explorer.exe
:Reg
:Files
c:\windows\system32\28463
c:\windows\Tasks\At1.job
:Commands
[EmptyTemp]
[Start Explorer]
======================================================
- Return to OTMoveIt3, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "MoveIt!" button.
- Close OTMoveIt when it has completed.
Note: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose "Yes".
A Log should open, can you post it back here
If no log opens
OTMoveIt would have created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log
NOTE: I see you have Trend Micro OfficeScan installed, but none of its components appear to be running in your processes
Neither its virus scanner nor its firewall
Is it running properly?
If not, we can remove it and get you free software
Let me know please
Also, since we have run ComboFix, if you put her thumbdrive into your computer
It shouldn't Autostart
Can you scan her drive with an updated Virus scanner
You should also run Flash_Disinfector with it plugged in
I would like to see a fresh Hijackthis log after you have finished the above
In addition, if her flashdrive is infected, there's a good chance her own computer is infected also
She may want to post a log to ensure it's clean
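The autostart the helper warns about comes from an autorun.inf file in the root of the pen drive, which Explorer reads when the drive is inserted: its open=, shellexecute= and shell\<verb>\command= keys name the program to run, and a worm points all of them at a copy of itself in a folder Explorer hides by default. Flash_Disinfector blocks that by pre-creating a protected autorun.inf folder on the drive so the worm cannot drop its own file, while the NoDriveTypeAutoRun policy value (which ComboFix is what the helper is relying on to have set) decides, per drive type, whether Explorer honours the file at all. As an added example (not code from Flash_Disinfector, ComboFix or this post), the script below parses such a file, lists what it would launch, flags targets hidden under RECYCLER, and decodes the policy value. The sample file, its RECYCLER path and its SID-like folder name are constructed for the example; the bit layout follows GetDriveType's drive-type numbering.

```python
"""Inspect a removable drive's autorun.inf and the NoDriveTypeAutoRun policy.

Added example, not code from Flash_Disinfector, ComboFix or the forum post.
The autorun.inf below is constructed in the style of the USB worms of the
time; the RECYCLER path and SID-like folder name are made up.
"""
import re

SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\regsvr.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\Command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\regsvr.exe
shell\explore\Command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\regsvr.exe e
shellexecute=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\regsvr.exe
"""

# Folders a legitimate vendor autorun never launches from; worms hide there
# because Explorer does not show them by default.
SUSPICIOUS_DIRS = ("recycler", "recycled", "system volume information")

# GetDriveType() values. Windows skips AutoRun for drive type t when bit (1 << t)
# is set in HKLM\...\Explorer\NoDriveTypeAutoRun; XP's default 0x91 leaves
# removable drives (bit 0x04) enabled, 0xFF disables AutoRun everywhere.
DRIVE_TYPES = {"unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
               "remote": 4, "cdrom": 5, "ramdisk": 6}

CMD_KEY_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")


def parse_autorun_inf(text):
    """Return {key_lower: value} from the [autorun] section; tolerant of junk lines."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every command Explorer could run for this file, as (trigger, command)."""
    targets = [(k, entries[k]) for k in ("open", "shellexecute") if k in entries]
    for key, value in entries.items():
        m = CMD_KEY_RE.match(key)
        if m:
            targets.append(("shell\\" + m.group("verb"), value))
    return targets


def exe_of(command):
    """Executable part of a command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0]


def autorun_blocked(no_drive_type_autorun, drive_type):
    """True if the policy value disables AutoRun for the given drive type."""
    return bool(no_drive_type_autorun & (1 << DRIVE_TYPES[drive_type]))


def assess(autorun_text, no_drive_type_autorun):
    """Summarise what a stick would do when plugged into a box with this policy."""
    targets = launch_targets(parse_autorun_inf(autorun_text))
    executables = sorted({exe_of(cmd) for _, cmd in targets})
    return {
        "targets": targets,
        "executables": executables,
        "suspicious": any(d in exe.lower() for exe in executables for d in SUSPICIOUS_DIRS),
        "removable_autorun_blocked": autorun_blocked(no_drive_type_autorun, "removable"),
    }


if __name__ == "__main__":
    for policy in (0x91, 0xFF):
        report = assess(SAMPLE_AUTORUN_INF, policy)
        print(f"NoDriveTypeAutoRun=0x{policy:02X}: blocked={report['removable_autorun_blocked']} "
              f"suspicious={report['suspicious']} executables={report['executables']}")
```

The point of checking both halves is that either one alone is enough to get infected: with the default 0x91 the file is honoured on a USB stick, and even with AutoRun blocked the shell\open and shell\explore verbs mean a double-click on the drive in My Computer still runs the worm, which is why the drive has to be scanned and disinfected rather than just opened carefully.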
-
I have it installed, but it's installed just because my internet client doesn't launch if it's not installed, and I close it after I launch my internet client. I close all its processes, as it doesn't catch any malware and it eats up my memory, making all processes go slow.
This is the log file you requested:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\windows\system32\28463 not found.
c:\windows\Tasks\At1.job moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\nilesh\LOCALS~1\Temp\Perflib_Perfdata_a3c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\nilesh\LOCALS~1\Temp\Perflib_Perfdata_a58.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\nilesh\LOCALS~1\Temp\~DF330E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_8c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11072008_190348
Files moved on Reboot...
File C:\DOCUME~1\nilesh\LOCALS~1\Temp\Perflib_Perfdata_a3c.dat not found!
File C:\DOCUME~1\nilesh\LOCALS~1\Temp\Perflib_Perfdata_a58.dat not found!
File C:\DOCUME~1\nilesh\LOCALS~1\Temp\~DF330E.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_8c.dat moved successfully.
C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\nilesh\Local Settings\Application Data\Mozilla\Firefox\Profiles\13l2jbiy.default\Cache\_CACHE_MAP_ moved successfully.
This is the HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:59 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Documents and Settings\nilesh\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sify.com/?userid=3729&check=838d03a7347f55fa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4200454F-5193-4FCE-A2EF-DA93D4C4CD0A}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
--
End of file - 4682 bytes
-
I have it installed, but it's installed just because my internet client doesn't launch if it's not installed, and I close it after I launch my internet client. I close all its processes, as it doesn't catch any malware and it eats up my memory, making all processes go slow.
I'm not familiar with your ISP's requirements
Hopefully your Virus scanner updates?
I would like to do some final cleanup of the tools we used, but I'm hesitating till you had a chance to clean your cousin's pen drive
For now, can you do the following
I suggest that you add SpywareBlaster to your protection software; this small program does not run in the background.
SpywareBlaster by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
* Will block bad ActiveX controls
* Block malevolent cookies in Internet Explorer and Firefox
* Restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates
After updating, select "Protection Status" on the left
Then select "Enable all Protection"
Check for updates every couple of weeks
After every update just simply click "Enable protection on all unprotected items"
or again, click on Protection Status >> Enable all Protection
Take a look at miekiemoes' site with other ideas on how to prevent malware: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
You can also look at her site Help! My computer is slow!: http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
-
My ISP's name is Sify Broadband.
This antivirus doesn't update itself.
I won't be inserting her pendrive in my PC unless I get AVG or something, because I am going to change my ISP soon and will get AVG installed then. Until then, no other flash drives are going in my PC.
I am downloading that software you said.
-
Let's clean some of the tools we used
I would opt to hold onto Malwarebytes AntiMalware
Update and run a Quick Scan occasionally
You can delete Flash_Disinfector and DirLook from desktop
Then, * Go to START> RUN and copy and paste next command :
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore.
OTMoveit3- Double-click OTMoveIt3.exe to run it.
- Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Don't change anything in this list
- Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Don't mouseclick during the wait as you may cause the tool to stall
- Select Yes to reboot Now
NOTE: This procedure will also delete OTMoveit.exe from desktop
Stay safe
Note: You should convince your cousin to post a log
Try and stop some of the infections being passed around by her thumbdrive
Or at least, have her run Flash_Disinfector.exe with her thumbdrive inserted to the computer
And run an Updated Virus scan on her pendrive and whole computer