can't fix virus problem - help!

October 29, 2011 at 19:20:37
Specs: Windows XP

I think I must have a trojan but can't find it. I've used a couple of scans - including Malwarebytes Anti-Malware and HouseCall. They both found problems and fixed them, but my computer is still not working properly.

Problems are basically that some .exe programs will not work, others do. Also some websites won't load - particularly microsoft.com and also some of the sites that have software to remove viruses or help with this, e.g. the one with the HijackThis download on it. All other websites I've tried work fine - the only ones with issues are ones that would help solve my problem, so I MUST have some horrible virus, I think.

When I go to these sites, it says my internet is not connected when it clearly is; when I refresh, it says it cannot find the website.





#1
October 29, 2011 at 20:09:19

I've just done another scan and it has found a trojan called ivxyvymq.exe in a folder called asjmlyda in my Application Data. The folder says it is empty when I hover over it, but when I try to delete it, it says it can't because the directory is not empty. The malware scanner can't seem to get rid of it either.

It looks like this is running on startup, but it is not there as a process I can end; it is there as a registry value.

You can probably tell I don't know much about how to deal with these issues, but I hope this info helps someone tell me what to do! Thanks



#2
October 29, 2011 at 20:34:20

OK, so I managed to get HijackThis via a roundabout route - here is the logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:33:37, on 30/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17103)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\docume~1\robert~1\locals~1\temp\cdm\{e139e129-43ed-42ce-8016-6ffe69155c4d}\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Robert Southgate\Local Settings\Application Data\asjmlyda\ivxyvymq.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mobile Partner] C:\Program Files\3MobileWiFi\3MobileWiFi
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - HKCU\..\Run: [IvxYvymq] C:\Documents and Settings\Robert Southgate\Local Settings\Application Data\asjmlyda\ivxyvymq.exe
O4 - HKUS\S-1-5-21-300809508-1115343126-350726946-1007\..\Run: [IvxYvymq] C:\Documents and Settings\Robert Southgate\Local Settings\Application Data\asjmlyda\ivxyvymq.exe (User 'Katie')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/Div...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flas...
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\robert~1\locals~1\temp\cdm\{e139e129-43ed-42ce-8016-6ffe69155c4d}\STacSV.exe

--
End of file - 9924 bytes



#3
October 29, 2011 at 20:37:53

stimsonkatie,

In order to help identify the malware issue with your system, please do the following:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...

http://download.bleepingcomputer.co...

Save it to your Desktop

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link:
http://www.bleepingcomputer.com/for...

XP: Double-click the DDS file to run the program

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - will show on the TaskBar)

Save both reports to your Desktop, and post them in your reply.

However, since these reports can be large, please upload them to Megaupload:
http://www.megaupload.com/

It is very easy to use:
Click: Browse
Select a file to upload
Upload the file
To the right of 'Send', enter a file description:
Click 'Send'
Copy the link provided, and post it in your reply.

Also download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

XP: Double-click the file to run the program

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply.
This is a shorter report, and you do not need to upload it.


You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#4
October 29, 2011 at 21:16:23

Thank you so much for replying - but I get my redirect error on all the links to the downloads you posted.

I did do an MBR log with MBRCheck if that helps (log file pasted below).

This is the problem I have - most sites where I can get help of some kind are blocked... very frustrating! I hope you can either get what you need from what I posted here or have another suggestion? By the way, I'm thinking that this problem was caused when I downloaded DivX recently - I've seen a few posts that people have had issues after doing this. Don't know if that helps either...


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 118):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF79C8000 \WINDOWS\system32\KDCOM.DLL
0xF78D8000 \WINDOWS\system32\BOOTVID.dll
0xF74C8000 hdmkxw.sys
0xF7399000 ACPI.sys
0xF79CA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7388000 pci.sys
0xF74D8000 isapnp.sys
0xF78DC000 compbatt.sys
0xF78E0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7748000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF79D0000 intelide.sys
0xF7508000 MountMgr.sys
0xF7369000 ftdisk.sys
0xF78E4000 ACPIEC.sys
0xF7A91000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7750000 PartMgr.sys
0xF7518000 VolSnap.sys
0xF7351000 atapi.sys
0xF7528000 disk.sys
0xF7538000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7331000 fltMgr.sys
0xF731F000 sr.sys
0xF7308000 KSecDD.sys
0xF727B000 Ntfs.sys
0xF724E000 NDIS.sys
0xF7548000 RapportKELL.sys
0xF7234000 Mup.sys
0xF7638000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6C56000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6C42000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6C1A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6ADF000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF7788000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6ABB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7790000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7648000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77A0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6A82000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79D6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77A8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7978000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7980000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF6991000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF7B88000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7658000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF798C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF697A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7668000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7678000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77C8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6969000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7688000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77D8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77E8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7698000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79DC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF691E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF68C0000 \SystemRoot\system32\DRIVERS\update.sys
0xF79A0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77F8000 \SystemRoot\system32\DRIVERS\btport.sys
0xF76A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76C8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xAA63F000 \SystemRoot\system32\drivers\sthda.sys
0xAA61B000 \SystemRoot\system32\drivers\portcls.sys
0xF76D8000 \SystemRoot\system32\drivers\drmk.sys
0xAA55F000 \SystemRoot\system32\drivers\AESTAud.sys
0xF7200000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAA504000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys
0xF79E4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BDE000 \SystemRoot\System32\Drivers\Null.SYS
0xF79E8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7840000 \SystemRoot\System32\drivers\vga.sys
0xF79EC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79F0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7850000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7860000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF71F8000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA4D1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA478000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA450000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA42A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7708000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA408000 \SystemRoot\System32\drivers\afd.sys
0xF7718000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA3DD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA3B7000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xF7738000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
0xAA347000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF74F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7890000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF78A0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAA301000 \SystemRoot\System32\Drivers\usbvideo.sys
0xF7598000 \SystemRoot\System32\Drivers\btwusb.sys
0xAA2DD000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAA2C5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF79BC000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78D0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B6B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBF47A000 \SystemRoot\System32\ATMFD.DLL
0xAA181000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9EA0000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9FC5000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9E28000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA99DD000 \SystemRoot\system32\DRIVERS\srv.sys
0xA930C000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7870000 \??\C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\pkyjvvid.sys
0xA8DB3000 \SystemRoot\system32\drivers\kmixer.sys
0xBFF50000 \SystemRoot\System32\TSDDD.dll
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 73):
0 System Idle Process
4 System
536 C:\WINDOWS\system32\smss.exe
596 C:\WINDOWS\system32\csrss.exe
620 C:\WINDOWS\system32\winlogon.exe
664 C:\WINDOWS\system32\services.exe
676 C:\WINDOWS\system32\lsass.exe
844 C:\WINDOWS\system32\svchost.exe
928 C:\WINDOWS\system32\svchost.exe
980 C:\WINDOWS\system32\svchost.exe
1012 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1128 C:\WINDOWS\system32\svchost.exe
1160 C:\WINDOWS\system32\svchost.exe
1464 C:\WINDOWS\explorer.exe
1500 C:\WINDOWS\system32\spoolsv.exe
1532 C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\CDM\{E139E129-43ED-42CE-8016-6FFE69155C4D}\stacsv.exe
1724 C:\WINDOWS\system32\svchost.exe
344 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1300 C:\Program Files\Java\jre6\bin\jqs.exe
1304 C:\Program Files\Google\Update\GoogleUpdate.exe
1748 C:\WINDOWS\system32\svchost.exe
1960 C:\WINDOWS\system32\igfxtray.exe
2020 C:\WINDOWS\system32\igfxsrvc.exe
216 C:\WINDOWS\system32\hkcmd.exe
456 C:\WINDOWS\system32\igfxpers.exe
680 C:\WINDOWS\system32\AESTFltr.exe
1068 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
920 C:\Program Files\Java\jre6\bin\jusched.exe
1136 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
1440 C:\Program Files\iTunes\iTunesHelper.exe
1736 C:\WINDOWS\system32\svchost.exe
1628 C:\Program Files\IDT\WDM\sttray.exe
1692 C:\WINDOWS\system32\svchost.exe
1904 C:\WINDOWS\system32\ctfmon.exe
128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
580 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
3812 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
2672 C:\WINDOWS\system32\wscntfy.exe
3648 C:\WINDOWS\system32\wbem\wmiprvse.exe
2676 C:\Program Files\iPod\bin\iPodService.exe
3208 C:\WINDOWS\system32\alg.exe
3792 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe


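The HijackThis log in #2, the MBRCheck log in #4 and the DDS log in #9 contain the three things a responder scans for by eye on an XP machine like this: a Winlogon UserInit value that chains a second program after userinit.exe, autorun/service/process entries that execute out of a user's Local Settings tree, and a kernel driver loaded from the user's Temp directory. The script below is an added example, not a tool from this thread or from any product named in it, that encodes those checks over the raw log lines. The sample input is an excerpt of the logs posted above; the list of "suspicious" directories and the line-format regexes are this example's own assumptions. A hit means "look at this file", not "this file is malicious" (the IDT audio service running from a CDM temp folder, for instance, is flagged purely on location).

```python
"""Heuristic triage of HijackThis, DDS and MBRCheck log lines.

Added example (not a tool from this thread or from any product named in it).
Three checks, each matching something visible in the logs posted above:
  1. the Winlogon UserInit value should reference only userinit.exe;
  2. autorun (O4 / uRun / mRun / dRun), service (O23) and running-process
     entries should not execute from a user's Local Settings or Temp tree;
  3. kernel drivers (MBRCheck "Kernel Drivers" list) should not load from Temp.
A hit is a reason to look at the file, not proof that it is malicious.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumption of this example: persistent code almost never legitimately runs from here.
SUSPICIOUS_DIRS = ("\\local settings\\", "\\locals~1\\", "\\temp\\")

_USERINIT_RE = re.compile(r"userinit=(?P<value>.*)$", re.IGNORECASE)
_RUN_RE = re.compile(
    r"^(?:O4 - (?P<hive>\S+?)\\\.\.\\Run|[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$",
    re.IGNORECASE,
)
_O23_RE = re.compile(r"^O23 - Service: .* - (?P<path>[a-z]:\\.*)$", re.IGNORECASE)
_DRIVER_RE = re.compile(r"^0x[0-9a-f]{8}\s+(?P<path>\S.*)$", re.IGNORECASE)
_PROCESS_RE = re.compile(r"^[a-z]:\\\S.*$", re.IGNORECASE)
# First executable of a command line: optionally quoted, up to the first .exe/.dll/... token.
_PATH_FROM_CMD_RE = re.compile(
    r'^"?(?P<path>(?:[a-z]:|%\w+%)\\.*?\.(?:exe|dll|sys|scr|bat|cmd))"?(?=\s|$)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str      # userinit | autorun | service | driver | process
    reason: str
    path: str
    line: str


def in_suspicious_dir(path: str) -> bool:
    """True when the path (case-insensitive) passes through a Local Settings or Temp directory."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def command_path(cmd: str) -> str:
    """Extract the program path from a command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    m = _PATH_FROM_CMD_RE.match(cmd)
    return m.group("path") if m else cmd.strip('"')


def check_userinit(value: str, line: str = "") -> List[Finding]:
    """UserInit is a comma-separated list; anything beyond a single userinit.exe is a hit."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings: List[Finding] = []
    for i, entry in enumerate(entries):
        if i == 0 and entry.lower().rsplit("\\", 1)[-1] == "userinit.exe":
            continue
        findings.append(Finding("userinit", "UserInit chains a program other than userinit.exe", entry, line))
    return findings


def _location_finding(kind: str, path: str, line: str) -> List[Finding]:
    if in_suspicious_dir(path):
        return [Finding(kind, f"{kind} loaded from a Local Settings/Temp directory", path, line)]
    return []


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every check over a mixed bag of HijackThis, DDS and MBRCheck lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _USERINIT_RE.search(line)
        if m:
            findings.extend(check_userinit(m.group("value"), line))
            continue
        m = _RUN_RE.match(line)
        if m:
            findings.extend(_location_finding("autorun", command_path(m.group("cmd")), line))
            continue
        m = _O23_RE.match(line)
        if m:
            findings.extend(_location_finding("service", m.group("path"), line))
            continue
        m = _DRIVER_RE.match(line)
        if m:
            findings.extend(_location_finding("driver", m.group("path"), line))
            continue
        if _PROCESS_RE.match(line):  # bare path = "Running processes" line
            findings.extend(_location_finding("process", command_path(line), line))
    return findings


# Constructed sample: lines excerpted from the HijackThis (#2), MBRCheck (#4) and DDS (#9) logs above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
c:\docume~1\robert~1\locals~1\temp\cdm\{e139e129-43ed-42ce-8016-6ffe69155c4d}\STacSV.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Robert Southgate\Local Settings\Application Data\asjmlyda\ivxyvymq.exe,
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [IvxYvymq] C:\Documents and Settings\Robert Southgate\Local Settings\Application Data\asjmlyda\ivxyvymq.exe
O4 - HKUS\S-1-5-21-300809508-1115343126-350726946-1007\..\Run: [IvxYvymq] C:\Documents and Settings\Robert Southgate\Local Settings\Application Data\asjmlyda\ivxyvymq.exe (User 'Katie')
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\robert~1\locals~1\temp\cdm\{e139e129-43ed-42ce-8016-6ffe69155c4d}\STacSV.exe
0xF7399000 ACPI.sys
0xAA504000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys
0xF7870000 \??\C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\pkyjvvid.sys
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe,
uRun: [IvxYvymq] c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.kind}] {f.reason}: {f.path}")
```

Run against a full log (`python triage.py < hijackthis.log`-style piping is a one-line change) it reduces a few hundred lines to the handful worth opening in a hex editor or submitting to a scanner. The UserInit check is the most reliable of the three: that value has exactly one legitimate entry on a stock XP install, so any extra path is worth explaining regardless of where it lives.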

#5
October 29, 2011 at 21:18:27

Just a thought, but can you upload the software yourself somehow for me to grab? I can manage to install some programs, so I would probably be able to get them if you put them somewhere other than on those websites, e.g. the Megaupload site you mentioned?


#6
October 29, 2011 at 21:39:32

Do you have another computer to which you can download these programs, move them to a USB Flash drive, and then move them to the infected computer?

Also, is it possible to copy/paste the address provided to the address bar of your browser? Do you get the download without a redirection?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#7
October 29, 2011 at 21:48:25

Copy/paste just gets the same result. My other computer is a Mac, so I don't know if that would let me do it? If not, I'll have to try and borrow someone's laptop tomorrow. Thanks


#8
October 29, 2011 at 21:49:42

Hope these work...

DDS upload:
http://www.megaupload.com/?d=8G7RC3TJ

aswMBR upload:
http://www.megaupload.com/?d=9OU5RFNA

Signing off for tonight.

Take your time. Will be back tomorrow AM.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#9
October 30, 2011 at 05:33:12

Fantastic, thank you!! Here is the DDS log file:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Robert Southgate at 12:30:07 on 2011-10-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.370 [GMT 0:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
c:\docume~1\robert~1\locals~1\temp\cdm\{e139e129-43ed-42ce-8016-6ffe69155c4d}\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\WksWP.exe
C:\PROGRA~1\MICROS~2\WkDStore.exe
C:\PROGRA~1\MICROS~2\wkgdcach.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://www.Yahoo.com
uSearch Bar =
mDefault_Page_URL = hxxp://www.Yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.5.0\PriceGongIE.dll
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} -
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mobile Partner] c:\program files\3mobilewifi\3MobileWiFi
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [IvxYvymq] c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{054944BF-148F-45C6-B441-7F91B0F72632} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\robert southgate\application data\mozilla\firefox\profiles\wrpdhaxq.default\
FF - plugin: c:\documents and settings\robert southgate\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - e7ad5e41-44c6-4dc8-80d8-0475001b1605
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\29574\RapportCerberus32_29574.sys [2011-8-7 216912]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-6-22 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-6-22 158904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-3-19 113664]
RUnknown Micorsoft Windows Service;Micorsoft Windows Service; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-19 136176]
S3 cpuz134;cpuz134;\??\c:\docume~1\robert~1\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\robert~1\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-2-2 117504]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-19 136176]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-2-2 100992]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-10-30 12:20:44 -------- d-----w- C:\MGtools
2011-10-30 12:16:44 -------- d-----w- c:\program files\FYZip
2011-10-30 12:16:41 -------- d-----w- c:\program files\PriceGong
2011-10-30 12:16:41 -------- d-----w- c:\documents and settings\robert southgate\application data\PriceGong
2011-10-30 12:16:36 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-10-30 12:16:36 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-10-30 12:16:30 773080 ----a-w- c:\program files\mozilla firefox\sqlite3.dll
2011-10-30 12:16:28 -------- d-----w- c:\program files\facemoods.com
2011-10-30 04:38:58 2423465 ----a-w- C:\MGtools.exe
2011-10-30 04:35:37 -------- d-----w- c:\documents and settings\robert southgate\application data\SUPERAntiSpyware.com
2011-10-30 04:35:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-30 04:35:10 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-30 04:29:40 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-30 03:19:28 -------- d-----w- c:\program files\Trend Micro
2011-10-30 01:54:17 -------- d-----w- c:\documents and settings\robert southgate\application data\Uniblue
2011-10-30 01:54:12 -------- d-----w- c:\program files\Uniblue
2011-10-29 23:10:38 -------- d-----w- c:\documents and settings\robert southgate\P5JavaClientSettings
2011-10-29 21:53:58 -------- d-----w- c:\documents and settings\robert southgate\application data\searchquband
2011-10-29 21:48:38 -------- d-----w- c:\documents and settings\robert southgate\application data\searchqutoolbar
2011-10-29 21:21:27 -------- d-----w- c:\documents and settings\robert southgate\application data\MSNInstaller
2011-10-29 21:09:45 -------- d-----w- c:\documents and settings\robert southgate\application data\Malwarebytes
2011-10-29 21:09:36 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-29 21:09:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 21:09:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-28 21:46:41 -------- d-----w- c:\windows\pss
2011-10-28 18:26:33 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-25 21:35:21 -------- d--h--w- c:\documents and settings\all users\application data\DivX
2011-10-18 23:47:07 -------- d-----w- c:\program files\BitComet
2011-10-18 23:34:33 -------- d-----w- c:\documents and settings\all users\application data\Premium
2011-10-18 23:34:31 -------- d--h--w- c:\documents and settings\all users\application data\InstallMate
2011-10-18 23:28:30 -------- d-----w- c:\documents and settings\robert southgate\local settings\application data\Ilivid Player
2011-10-18 23:25:40 -------- d-----w- c:\program files\Windows iLivid Toolbar
2011-10-18 23:25:39 -------- d-----w- c:\program files\SearchCore for Browsers
2011-10-18 23:05:58 -------- d-----w- c:\program files\Conduit
2011-10-18 23:05:56 -------- d-----w- c:\documents and settings\robert southgate\local settings\application data\Conduit
2011-10-13 22:29:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-04 20:09:44 -------- d-----w- c:\documents and settings\robert southgate\local settings\application data\Mozilla
.
==================== Find3M ====================
.
2011-10-28 19:55:44 102400 ----a-w- c:\windows\RegBootClean.exe
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
2011-08-12 12:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe
.
============= FINISH: 12:31:14.32 ===============


#10
October 30, 2011 at 05:40:31

Here is the MBR log file:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-30 12:32:39
-----------------------------
12:32:39.343 OS Version: Windows 5.1.2600 Service Pack 3
12:32:39.343 Number of processors: 2 586 0x1C02
12:32:39.343 ComputerName: EBAYLAPTOP UserName:
12:32:41.562 Initialize success
12:34:00.906 AVAST engine download error: 0
12:34:16.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:34:16.765 Disk 0 Vendor: TOSHIBA_MK6028GAL BN101C Size: 57231MB BusType: 3
12:34:18.781 Disk 0 MBR read successfully
12:34:18.796 Disk 0 MBR scan
12:34:18.812 Disk 0 unknown MBR code
12:34:18.828 Disk 0 scanning sectors +117194175
12:34:18.890 Disk 0 scanning C:\WINDOWS\system32\drivers
12:34:26.187 Service scanning
12:34:28.015 Modules scanning
12:34:59.390 Disk 0 trace - called modules:
12:34:59.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
12:34:59.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d78ab8]
12:34:59.421 3 CLASSPNP.SYS[f7538fd7] -> nt!IofCallDriver -> \Device\0000006b[0x86d709e8]
12:34:59.421 5 ACPI.sys[f739f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d79d98]
12:34:59.421 Scan finished successfully
12:36:44.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Robert Southgate\Desktop\requested logs\MBR.dat"
12:36:44.109 The log file has been saved successfully to "C:\Documents and Settings\Robert Southgate\Desktop\requested logs\aswMBR.txt"




#11
October 30, 2011 at 05:43:19

and finally here is the attach.txt file link :
http://www.megaupload.com/?d=IVL8P3C4
I think it is actually a really small file but thought I'd do as I was told and upload it here :-)

Hope this gives you what you need to help solve my problem.



#12
October 30, 2011 at 09:48:43

BTW, the 'Megaupload' website is down. Please use the 'Uploading' website:
http://uploading.com/files/upload/


Please go to Control Panel > Add/Remove Programs
See if you find any program there with 'Bandoo' or 'iLivid' in the name.
If so, see if you can remove it.

Post back on whether you were able to uninstall.

~~~~
Run 'HijackThis' once again, and click on Config > Misc Tools > Open Uninstall Manager

Save the Uninstall Manager list to the Desktop, and also post in your reply.


~~~~
If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:
http://download.bleepingcomputer.co...


Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...

XP: Right-click on 'ComboFix.exe' to run the program.

Install the >Recovery Console< if asked to do so.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it, as you did previously, but to the 'Uploading.com' website instead.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run.
If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~
Alternative

If you have problems running ComboFix...

Restart the computer in Safe Mode with Networking:
As the computer is booting tap the 'F8' Key
At the "Windows Advanced Options Menu" use the arrow keys to select, and press your Enter key.

Reference Image:
http://www.computerhope.com/issues/...


Now, remove the previous copy of ComboFix, and download ComboFix again.
http://download.bleepingcomputer.co...

Rename it in the Save prompt to: thecat.com
Save it to the Desktop.

Double-click on 'thecat.com' and follow the prompts.

If you still have problems running this tool, stop and post back.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#13
October 30, 2011 at 14:22:44

I had something called windows ilivid toolbar. I tried to uninstall and it looked like it was doing it but then the add/remove programs window froze. It is still there in the list produced by hijackthis:

3MobileWiFi
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Broadcom 802.11 Wireless LAN Adapter
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Facemoods Toolbar
FYZip 1.00
Gala Poker
Google Chrome
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Doc Viewer
HP Help and Support
HP Mobile Broadband Setup Utility
HP User Guides 0119
HP Wireless Assistant
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Malwarebytes' Anti-Malware version 1.51.2.1300
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox 7.0.1 (x86 en-GB)
MP3 Rocket
MSN
Opera 10.62
PriceGong 2.5.0
QuickTime
Rapport
Rapport
SearchCore for Browsers
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SUPERAntiSpyware
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
Viewpoint Media Player
WIDCOMM Bluetooth Software
Windows Backup Utility
Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x64 Driver (05/12/2008 1.52.0000.0000)
Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x86 Driver (05/12/2008 1.52.0000.0000)
Windows iLivid Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Yontoo Layers Runtime 1.10.01



#14
October 30, 2011 at 14:36:18

HI again - I can't install combofix either from your link or any other - I just get redirected to the fake page saying not connected. Is that the bleeping computer site which is blocked by the virus? Also interestingly I can't start my computer in safe mode with networking - it just cycles back to the same start mode option screen every time until I select the regular option to start normally.

can I get combofix from you via the upload site do you think?



#15
October 30, 2011 at 16:42:37

quick update - looks like I've managed to remove the ilivid program after all - when I tried again to look in add/remove programs it said that it was already removed.


#16
October 30, 2011 at 18:06:31

Here we go...hope it works OK:

http://uploading.com/files/baeb9356...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#17
October 30, 2011 at 20:06:03

superb, thank you - worked fine. I've uploaded the log file onto:

http://uploading.com/files/8d6c6198...



#18
October 30, 2011 at 20:13:25

Glad it worked.

Will be taking a good look. There are some entries in there that need to go.

Signing out for tonight, but will get back with you tomorrow, 31Oct11.

Try not to use the computer, if possible.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#19
October 30, 2011 at 20:24:53

fantastic, thanks. I'll be at work tomorrow anyway - well in a few hours (I'm in the UK) so won't be logging back on again until early afternoon pacific time.


#20
October 30, 2011 at 22:04:52

When you post back in, will you post whatever log Malwarebytes' produced? You should find the reports by clicking the 'Logs' tab.

Also, in any scan that was done, did you see the following:
Virus:Win32/Ramnit


(Illinois - Central Time) :-)

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#21
October 31, 2011 at 19:38:49

Please open Notepad (Start > Run, in the Open field type: notepad)
Click: OK

Copy/paste all the following text below to Notepad:

KILLALL::

DDS::
BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.5.0\PriceGongIE.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} -
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [IvxYvymq] c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe

Folder::
c:\documents and settings\Robert Southgate\Local Settings\Application Data\asjmlyda
c:\documents and settings\Robert Southgate\Application Data\searchquband
c:\documents and settings\Robert Southgate\Local Settings\Application Data\Ilivid Player
c:\program files\Conduit
c:\documents and settings\Robert Southgate\Local Settings\Application Data\Conduit
c:\program files\PriceGong
c:\program files\Windows iLivid Toolbar
c:\program files\SearchCore for Browsers
c:\program files\Conduit
c:\documents and settings\robert southgate\local settings\application data\Conduit

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] 
"Userinit"="c:\windows\system32\userinit.exe,"


Save as CFScript.txt
Change the 'Save as type' to: All Files (*.*)

Save it to the Desktop

(Both the ComboFix icon and the CFScript.txt must be on the Desktop.)

Reference Image:
http://img.photobucket.com/albums/v...

Left click and drag the CFScript.txt file over to the ComboFix icon. Then, 'drop' it over CF.

This triggers ComboFix to run another scan where it carries out the commands of CFScript.

CF may reboot when it finishes. This is normal.


Do not mouse-click ComboFix while it is running, as it may cause a stall!

When finished, a log is produced: ComboFix.txt

Please upload the contents of the new ComboFix.txt to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.

~~~~
Next, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Execute the file:
XP: Double-click the downloaded file to run the program

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#22
November 1, 2011 at 14:47:28

HI there, I had to work late last night so couldn't carry on fixing the issue! here is the most recent malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8042

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

30/10/2011 22:52:23
mbam-log-2011-10-30 (22-52-23).txt

Scan type: Quick scan
Objects scanned: 174026
Time elapsed: 14 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IvxYvymq (Trojan.Agent) -> Value: IvxYvymq -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\robert southgate\start menu\programs\startup\ivxyvymq.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\robert southgate\local settings\Temp\mum39.tmp (PUP.Casino.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\robert southgate\local settings\Temp\aevwxbowlialjpik.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\robert southgate\local settings\Temp\eurB1.tmp (PUP.Casino.Gen) -> Quarantined and deleted successfully.



#23
November 1, 2011 at 15:22:01

Here is the link to the latest combofix scan using your txt file to run it:

http://uploading.com/files/15d95fd9...

I have just downloaded tdsskiller and will run a scan now then post the outcome later.
thanks



#24
November 1, 2011 at 15:59:06

ok, so TDSSkiller just says no threats found. It is version 2.6.14.0 - I couldn't use the link you sent but found it on another site. Hopefully this is an up to date version? If not, maybe you could put the latest onto uploader again? sorry to be a pain!

OK, that's my jobs done now I think

Thanks again



#25
November 1, 2011 at 17:24:58

quick update- I just ran malwarebytes again and still have a few files infected which it is unable to remove - they keep reappearing:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8065

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

02/11/2011 00:22:13
mbam-log-2011-11-02 (00-22-13).txt

Scan type: Quick scan
Objects scanned: 171897
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IvxYvymq (Trojan.Agent) -> Value: IvxYvymq -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\robert southgate\local settings\application data\asjmlyda\ivxyvymq.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\robert southgate\start menu\programs\startup\ivxyvymq.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\robert southgate\local settings\temp\aevwxbowlialjpik.exe (Trojan.Agent) -> Quarantined and deleted successfully.



#26
November 1, 2011 at 17:46:02

final update, I did a text search of all the logs and could find no reference to Win32/Ramnit and do not recall seeing it anywhere. The key thing that stands out when I read the logs is the weird folder called asjmlyda in local settings application data which seems to contain a dodgy exe file called IvxYvymq which is running on start up. I haven't seen any recognizable names in any of the logs. Oh and I've run a few others too prior to finding you on this forum and I checked those too - I think you can see from one of the log files I sent you that I have installed quite a lot of malware / spyware stuff lately!


#27
November 1, 2011 at 20:35:41

stimsonkatie,

Thanks for providing the Malwarebytes' log.

The folder you are referencing keeps appearing. It also shows in the ComboFix report, even though it was a target for deletion with the CFScript.

Need to think about this one.

Did you reboot after running Malwarebytes'?

Thanks for your patience!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#28
November 1, 2011 at 22:39:23

Also, when you ran 'aswMBR', another file was created on the Desktop: 'MBR.dat'

Please submit the MBR.dat for analysis to 'VirusTotal':
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.
Click on the file, then, click the 'Open' button.
The file is now displayed in the Submit Box.
Scroll down and click 'Send File', and wait for the results.
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'.

Once scanned, please provide the link to the results page in your reply.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#29
November 2, 2011 at 12:48:34

Hi, yes I did reboot after running the malwarebytes scan. It seems that the scan removes the issues with the registry but can't remove the two root files causing the problem, then when I reboot, the registry ones pop up again on the next scan.

I also can't go to the site virustotal.com - gets blocked.

I have uploaded the MBR output file - I just did another scan so it is totally up to date. Can you either run it or if you are too busy, then I could probably run it on my work computer - if it would still work to do it on another machine?

The MBRcheck file is here: http://uploading.com/files/5c68d33c...

This seems to be an incredibly stubborn issue I have - I am so glad you are helping me with this!

I guess if all else fails, I will have to just wipe the whole computer and start again? I have already pulled everything off it that I can think of like photos etc. but would love not to lose everything like my favourites, links etc. so it would be great if we could solve the issue.

I would need help to do this though - I can't even do a system restore as despite this functionality being switched on - and always having been on for the last 3 years I've owned this machine - there are NO system restore dates available for before I had the issue.

OK, anyway, thanks again and hope you come up with something creative and brilliant to help me!


Report •

#30
November 2, 2011 at 22:16:04

s_katie,

Let's make another attempt to resolve the problems on the infected computer. However, IMO, after quite a bit of research, you are faced with what is called: TROJ_RAMNIT.

It is a file infector that will inject or append itself to .exe, .dll, and .htm files.
If the attempt we are making next fails, I might have one more thing to attempt, but, if that is not successful, you may be facing a format and reinstall.


Please open Notepad (Start > Run, in the Open field type: notepad)
Click: OK

Copy/paste all the following text below to Notepad:

KILLALL::

File::
c:\documents and settings\Robert Southgate\Start Menu\Programs\Startup\ivxyvymq.exe
c:\documents and settings\robert southgate\local settings\temp\aevwxbowlialjpik.exe

Folder::
c:\documents and settings\Robert Southgate\Local Settings\Application Data\asjmlyda

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IvxYvymq"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

Driver::
"Micorsoft Windows Service"
MICORSOFT_WINDOWS_SERVICE

Rootkit::
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\pkyjvvid.sys


Save as CFScript.txt
Change the 'Save as type' to: All Files (*.*)

Save it to the Desktop

(Both the ComboFix icon and the CFScript.txt must be on the Desktop.)

Reference Image:
http://img.photobucket.com/albums/v...


Left click and drag the 'CFScript.txt' file over to the 'ComboFix' icon. Then, 'drop' it over CF.

This triggers ComboFix to run another scan where it carries out the commands of CFScript.

CF may reboot when it finishes. This is normal.


Do not mouse-click ComboFix while it is running, as it may cause a stall!

When finished, a log is produced: 'ComboFix.txt'

Please upload the contents of the new ComboFix.txt to the Uploading website:
http://uploading.com/files/upload/

Then, copy the 'Download link', and provide it in your reply.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#31
November 3, 2011 at 16:13:17

well I guess at least we know what we are dealing with even though it sounds bad :-(

here is the latest log from combofix using the script above:

http://uploading.com/files/9b94e7eb...

cheers

Katie


Report •

#32
November 3, 2011 at 20:27:14

s_katie,

Have looked at the ComboFix log you provided last, and there is reason to be cautiously optimistic!

Did not see any trace of the malicious file or service on the report. However, I do not want to claim a premature victory, and then have a let-down.

If you can do the following, that will be a good sign...

Let's search for any malware remnants by doing the scan that follows.

You will need to use Internet Explorer for this scan, since the scanner is implemented as an ActiveX control.

However, compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added if you agree to the installation of the ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

Download the ESET Online Scanner:
http://www.eset.com/us/online-scanner

Press the 'ESET Online Scanner' download button
-In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
-Allow the ActiveX to download, and click: Install
http://www.eset.com/us/online-scann...

Click: Start
-Make sure that the option 'Remove found threats' is unticked/unchecked.
-Click: 'Scan', and wait for the scan to finish
-If threats are found, click the 'List of found threats', then click 'Export to text file...'
-Save the file to your Desktop as: 'ESET Scan'.

Please provide the contents of 'ESET Scan' in your reply.


Also, can you provide the brand and model of the infected computer? Just want to check the characteristics of its Master Boot Record (MBR).

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#33
November 4, 2011 at 13:51:55

I am sorry but I don't think the problem has gone away as I am unable to access that website :-( I get the same old problem that it looks like I have no internet connection....oh and just to reiterate, the only sites I can't access are those which might be helpful - microsoft.com and various support forums, online scan sites etc.

product name: Compaq Mini
product number: NF280EA#ABU

Should I just do another type of scan with one of the other things I've already got downloaded? I can do housecall online if that helps?

thanks

Katie



Report •

#34
November 4, 2011 at 19:39:20

Basically, are we still at the following stage:
1. Some exe programs do not work
2. Malware/virus removal websites won't load
3. Internet reports it is not connected when it is

What browser do you use when you try to download programs from malware/virus removal websites and can't? Is this issue happening with Google Chrome, Firefox, or Internet Explorer, or does it make no difference which one you use?

Try to download the Avant Browser:
http://www.avantbrowser.com/downloa...

See if you have the same problems with it. Post back on how it goes.


Download MiniToolBox, save it to your Desktop and run it:
http://download.bleepingcomputer.co...

Checkmark the following:

•Flush DNS
•Report IE Proxy Settings
•Report FF Proxy Settings
•List content of Hosts
•List IP configuration
•List Winsock entries
•List last 10 Event Viewer log

Click 'GO' and post the report: Result.txt

(A copy of Result.txt is also saved in the same directory the tool is run.)


Uploaded MiniToolBox:
http://uploading.com/files/72245acf...


Also try stopping the client-side DNS cache service from a command prompt and then try to browse to a blocked website.

In Windows XP:
Click Start > Run, type cmd
Click: OK

Type: net stop dnscache
Press: Enter

You will see the message "The DNS Client service was stopped successfully".
Reference Image:
http://assets.malwarehelp.org/blog/...

Type: Exit
Press: Enter

Now, try to browse to a blocked website...any luck?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •
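The MiniToolBox checks above (hosts file content, proxy settings, DNS cache) cover the places a trojan typically tampers with to keep a machine away from security vendors' and update sites. As an added example, not part of this thread or of MiniToolBox, here is a small Python audit of a Windows hosts file run over a constructed sample; the domain watch list is an assumption built from the sites the thread reports as unreachable.

```python
"""Audit a Windows hosts file for entries that sinkhole or redirect
security and update domains (the 'site not connected' symptom in this
thread). Added example, not part of MiniToolBox or the thread.

On Windows XP the file lives at C:\\WINDOWS\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watch list: domains the thread reports as unreachable, plus the
# Windows Update hostname that update-blocking malware commonly targets.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "bleepingcomputer.com",
    "virustotal.com", "eset.com", "malwarebytes.org", "trendmicro.com",
)

# Constructed sample: a stock XP hosts file with hijack lines appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
127.0.0.1       bleepingcomputer.com www.bleepingcomputer.com
0.0.0.0         www.virustotal.com    # 0.0.0.0 also sinkholes the name
203.0.113.7     update.microsoft.com  # constructed: sent to a foreign host
192.168.1.50    fileserver.lan        # legitimate LAN entry, not flagged
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in the file.

    Comments (# ...) and blank lines are skipped; a line that maps several
    hostnames to one address yields one entry per hostname.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; ignore the line
        for host in fields[1:]:
            entries.append((line_no, fields[0], host.lower()))
    return entries


def is_watched(host: str) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Flag watched domains that appear in the hosts file at all.

    A clean XP hosts file maps only 'localhost', so any entry for a watched
    domain is suspicious. Loopback or unspecified targets are reported as
    'sinkhole' (site unreachable); anything else as 'redirect'.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        reason = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": line_no, "host": host, "ip": ip, "reason": reason})
    return findings


def audit_file(path: str) -> List[Dict[str, object]]:
    """Read a hosts file from disk and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['host']:<28} -> {f['ip']:<14} [{f['reason']}]")
```

A 'sinkhole' finding explains the "not connected" page; a 'redirect' finding is the more dangerous case, since the browser silently reaches a host the attacker controls.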

#35
November 5, 2011 at 12:01:57

Hi, just to let you know that I tried last night and again just now but uploading.com is saying I've reached a daily limit (even though I've not used it today!). Will try again later.

In terms of the problems I still have, I can't run some exe programs and both Firefox and IE redirect Microsoft and useful forum-type webpages to a disconnected error page.

Thanks


Report •

#36
November 5, 2011 at 15:04:06

Try to upload to Megaupload:
http://www.megaupload.com/

Click: Browse
Select a file to upload
Upload the file
To the right of 'Send', enter a file description:
Click 'Send'
Copy the link provided, and post it in your reply.

These uploading websites are sometimes up, sometimes down, quotas are enforced on uploads or downloads, etc.

Have problems with them also.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#37
November 6, 2011 at 06:01:19

Hi,
I think a malware or trojan program is affecting your computer. You should go to the boot menu and load the operating system CD in your CD drive. Then boot from the CD and install the OS software. After installing the OS, you should first install a trojan removal tool. Scan the computer to remove the trojan. After finishing the scan, install your browser. Go through the link http://www.techyv.com/questions/tro... and understand how to remove the Trojan.

Thanks,


Report •

#38
November 6, 2011 at 19:25:38

To aaflac44: I tried the stop DNS cache thing and it made no difference I'm afraid. My note about the uploading was in reference to your link to download MiniToolBox - I couldn't download it - and still can't. Bleeping Computer is a site affected by the issue so I can't go to it, and uploading says I have reached a download limit.

I have done a google search for mini toolbox but it brings up too many things so I can't tell what you need me to download. Do you have another link? Thanks!

Oh and thank you to the other person who has replied to this issue but my machine has no CD drive and we were trying to see if we could remove the malware prior to starting again from scratch.


Report •

#39
November 6, 2011 at 20:12:56

stimsonkatie, aaflac44 is probably asleep, so to get things moving, I have downloaded the file, zipped it up & renamed it Johnw.
With a bit of luck, this will outsmart your infection & you will be able to download & run it.

http://www.mediafire.com/?2d622uo02...


Report •

#40
November 6, 2011 at 20:39:13

Johnw,

Not sleeping yet, but signing off pretty soon.
It is 10:40 PM (Sunday) in Illinois, USA
4:40AM in London (Monday)
Sydney 3:40PM (Monday)

Was just going to post a renamed zip file to stimsonkatie, but you beat me to it by one minute!!! ROFL!!

Good job!! Thanks for your help.

Sure hope something works here...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#41
November 7, 2011 at 04:59:15

aaflac44, I'm off to bed now, good luck, I'm sure you will find a way.

Report •

#42
November 7, 2011 at 12:08:38

thanks both :-)

here is the output result.txt file link:

http://www.megaupload.com/?d=UAAWNEAI


Report •

#43
November 7, 2011 at 15:03:14

Please go to Start > Run and type: services.msc
Double click the 'DNS Client' to bring up DNS Client Properties window.
Make sure the startup type is set to 'Automatic' and service status is 'Started'.
If not, just select the drop menu, select 'Automatic' and then click the 'Start' button.
Press Apply/OK

Reference Image:
http://cdn.raymond.cc/images/dns-cl...


Now, to launch command prompt, go to Start > Run and type: CMD
Then, type the following command:

ipconfig /flushdns

Press: Enter

Did you get the following:
“Successfully flushed the DNS Resolver Cache”

Try your browser, and post back.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#44
November 7, 2011 at 15:20:33

I did the first thing and it was already set to automatic.

on the second thing I get the message:

could not flush the DNS resolver cache: function failed during execution

:-(


Report •

#45
November 7, 2011 at 15:43:05

"I did the first thing and it was already set to automatic"

But, is it Started?

"and service status is 'Started'.
If not, just select the drop menu, select 'Automatic' and then click the 'Start' button.
Press Apply/OK"


Report •

#46
November 7, 2011 at 16:09:35

ah hah - I didn't read it properly. OK so it is started, service status is started and now the cache is flushed. .... but no change to my ability to go to any of the websites I have had problems getting to. I just tried microsoft and bleeping computer and just the same issue as before - the cannot connect page. The only microsoft and other site pages I can access are cached ones.

Report •

#47
November 7, 2011 at 19:50:33

skatie,

Johnw is going to assist you with the network issue.

You are in good hands.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#48
November 7, 2011 at 19:53:40

stimsonkatie, had to go out, let's try this using Firefox.

Open Firefox > Tools > Options.

Click on Advanced.
Click on Network.
Where it says connections, click on Settings.
It will say either:
No proxy.
Auto-detect proxy settings for this network.
Use system proxy settings.
Manual proxy configuration.

1st choice > Use system proxy settings

2nd choice if needed > Auto-detect proxy settings for this network.

Close & reopen Firefox, if it doesn't work.


Report •

#49
November 8, 2011 at 05:50:04

I was hoping to know how things went with Firefox, before going to bed, here are a few more things to try.

Right click Local Area Connection > Repair.
http://www.bleepingcomputer.com/com...

How to reset Internet Protocol (TCP/IP)
http://support.microsoft.com/?kbid=...


Report •

#50
November 8, 2011 at 18:38:20

well I had to select option 2 to auto-detect proxy settings. then firefox would not open so I had to restart my computer. THEN I could go to microsoft and bleeping computer sites!!!!! but then I came to this site and it looks like a cached version - not the proper page format. Not sure if that is relevant or not.....
Sorry I've been ages replying - I work really late hours during the week sometimes - it's 2.30am now and I'm only just getting in! Got to get to bed now so can't try anything else but please let me know if I need to try those other two things also
Thanks

Report •

#51
November 9, 2011 at 02:46:44

"I work really late hours during the week sometimes"
You are doing it tough, not nice. I used to be self employed, leave in the dark, get home in the dark. Did that for 18 years, not worth it.

"let me know if I need to try those other two things also"
Yep, we keep trying things, until we get everything back to normal, I think we are very close.


Report •

#52
November 9, 2011 at 15:51:11

no it's not nice! ... but I do love my job at the same time so it's not all bad.

OK so, I did the other two things but then Firefox stopped allowing me to go to microsoft / bleeping computer sites.

I redid the first thing you asked in terms of firefox connection settings - in order to get it to work again, had to select system proxy settings, close, restart firefox, select auto-detect settings, close firefox, restarted firefox - still broken. restarted computer and working again now. Can access microsoft etc. but ONLY from firefox. IE still no good. aaargh.


Report •

#53
November 9, 2011 at 15:53:14

oh and installed programs still don't always work - even the basic things like calculator. double click, it starts the process but the program doesn't come up. it seems erratic though - sometimes OK.

Report •

#54
November 9, 2011 at 16:33:05

"but I do love my job at the same time so it's not all bad"
That is probably the most important thing, considering the amount of time we spend there.

"oh and installed programs still don't always work"
Now things are getting complicated.

To save me rereading everything.

1: Do you have the XP CD?
2: Is it the original or have you updated it with the latest Service pack ( SP3 )?
3: Is it a PC or laptop?
4: Do you have a CD drive?


Report •

#55
November 9, 2011 at 17:44:37

Upload screenshots please of the items listed below, I find this site very reliable, you can load multi images in one go.
http://www.mediafire.com/

Screen Capture ( make sure you select GIF or JPEG, anything else is a bigger size )
http://www.microsoft.com/windowsxp/...
http://askbobrankin.com/take_a_scre...
http://graphicssoft.about.com/cs/ge...
http://www.wikihow.com/Take-a-Scree...
http://www.ehow.com/how_4725692_scr...
If you are in any windows based program, just hit the Print Screen key on your keyboard ( or Ctrl + V ) and you have a full screenshot.
If you hold down the 'Alt' key with the Print Screen key, you will capture only the window that is on your screen, not the whole desk top.
This sends it to Clipboard, now you can Paste it into Paint ( go to Edit ) or any other Windows based graphics program.
Save as...
Save as type, select GIF or JPEG.

1: Start > Control Panel > Double click on Windows FireWall & take screenshot.
2: Stay on that page & up the top click on Exceptions & take a screenshot.
3: Alongside Exceptions, click on Advanced & take a screenshot.
4: Stay on that page, LocalArea Connection 2, click on Settings & take a screenshot.
5: Stay on that page & alongside Services, click on ICMP & take a screenshot.

1: Start > Control Panel, double click on Network Connections then right click on LocalArea Connection 2, select Properties & take a screenshot.
2: Stay on that page & go down to Internet Protocol, highlight & then click on Properties, screenshot.
3: Stay on that page & click Advanced, screenshots of each page ( 4 tabs at the top )
4: Go back to Internet Protocol & click Alternative Configuration, screenshot.


Report •

#56
November 12, 2011 at 17:29:44

ok, all files uploaded - links below - hope I've done them all!

In terms of this machine, it is a little mini laptop, no CD ROM, didn't come with CD or software of any kind. Have checked system restore about a week or so ago and had NO restore points at all. Don't really know what to do if we have to wipe it!! It's my only personal laptop - I use it for relaxation in my very rare spare time to do things I can't do on my work machine like watch tv shows, play games etc. so really need it fixed as I will miss it.

The original problem had a few features - could not go to microsoft / bleeping computer / selected other sites where I might have found help. Could not always download programs effectively from internet - got some kind of error when I tried to run some .exe files. Also some programs would not open that use an internet connection (e.g. games). One other problem I've noticed, don't know if connected, is that Adobe pdf reader won't work - it says it has an invalid plug in. I've tried to uninstall / reinstall and it won't do either - I just get an error. Have had to download a different pdf reader in the meantime. Anyway, here's all the links. Thanks for sticking with me through this issue!!

http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...


Report •

#57
November 12, 2011 at 17:31:17

oh I should have said, on a couple of the screenshots near the beginning of your requests, my screen wouldn't display the whole list - think there's one item missing on each screenshot - please just ask if you need me to check what it is

Report •

#58
November 12, 2011 at 18:11:26

Morning stimsonkatie from John in Western Australia.

I will get you to do this first, reboot & test.

1: Start > Control Panel > Double click on Windows FireWall
2: Uncheck > Don't allow exceptions.


Report •

#59
November 12, 2011 at 19:24:30

Ah hi John, didn't realise it was you again. I'm in UK by the way and it's Katie (probably guessed that already!).

that change has made no difference - firefox will go to microsoft (after a fix that aaflac44 got me to do earlier) but IE is still not working properly and still have the issue with programs.


Report •

#60
November 12, 2011 at 20:02:27

"that change has made no difference"
Ok, leave it unchecked, that is normal.

Working my way through the screenshots ( I shall call them shots, from now on ) I see I asked you to click on Properties instead of Advanced, sorry about that, you worked it out beautifully, I have edited the original post, for the benefit of googlers who may find it.

As we cannot leave any stone unturned, I will get you to use the scroll bar & do 2 shots of this page > windows firewall exceptions.

1: Start > Control Panel > Double click on Windows FireWall, on that page & up the top click on Exceptions ( 2 shots )
2: Alongside Exceptions, click on Advanced.
3: BluetoothConnection, click on Settings & take a shot.
4: Wireless Network Connection 2, click on Settings & take a shot.

From my previous post.
3: Stay on that page & click Advanced, screenshots of each page ( 4 tabs at the top )
Go to the 4th tab > Options, click on > Properties & take a shot.


Report •


#62
November 12, 2011 at 20:25:38

Another question Katie, are you sharing your internet connection?


Report •

#63
November 12, 2011 at 20:36:30

Sometimes. I actually use a couple of different connections - at the weekend like now I'm on a wifi network which is shared by 3 other people - but no others on it right now. During the week I use my own mifi usually, sometimes a hotel connection. Always the same problems regardless of where I am.

Report •

#64
November 12, 2011 at 20:40:02

I don't know if this adds anything to your understanding but I've tried a couple of other browsers - I had opera installed and it opens and immediately shuts down with an error so I can't use it. I also installed Google Chrome and it installed OK but simply won't start - I double click, get the egg timer for a little while and then nothing - I can't even see it as a running process.

Report •

#65
November 12, 2011 at 21:34:30

"I don't know if this adds anything to your understanding"
Thanks Katie, nothing is adding up at this point.

This will probably take 3 shots of Services, make sure you select GIF or JPEG.
Control Panel > Administrative Tools > Services.



Report •

#66
November 12, 2011 at 21:39:05

TFC
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please download TFC - Temporary File Cleaner by Old Timer, saving it to your desktop.
* Open the file and close any other windows.
* It will close all programs itself when run, make sure to let it run uninterrupted.
* Click the Start button to begin the process. The program should not take long to finish its job.
* Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
* Test.

Report •

#67
November 12, 2011 at 22:33:32

Please download Farbar Service Scanner: (a brand new tool, compliments of aaflac44)
http://download.bleepingcomputer.co...
Run it on the computer with the connection issue.
Check: Include All Files
Then, press: Scan
It will create a log (FSS.txt) in the same directory where the tool is run.

Please copy/paste FSS.txt, and provide it in your reply.


Report •

#68
November 13, 2011 at 14:16:49

Hi all!!

Just some quick info...

Farbar Service Scanner checks 'Services', so, you might want to see what it produces before following Post #65.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


Report •

#69
November 14, 2011 at 17:15:56

OK here's the 'services' screenshots:
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...
http://www.mediafire.com/download.p...

I ran the temp file thing - but it wouldn't finish - it deleted loads of temp files but then just kept flashing and never went any further.

Am just about to try the services program now - will post the log in a minute.

Thanks

Katie


Report •

#70
November 14, 2011 at 17:17:21

Farbar log:

Farbar Service Scanner
Ran by Robert Southgate (administrator) on 15-11-2011 at 01:16:41
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
LAN connected.
Google site is accessible.
Yahoo site is accessible.

**** End of log ****


Report •

#71
November 14, 2011 at 17:20:26

One more thing - I know aaflac mentioned Ramnit before - I have recently changed my anti virus software to Avast and it found hundreds of files 'infected' by Ramnit-G and Ramnit-H. Also named another virus which I wrote down at home but forgot to bring away with me this week - my terrible memory thinks that the first bit said Win 32: ProP but I can't remember the rest of the word. If it matters I will let you guys know - so tell me if it does! Thanks

Report •

#72
November 14, 2011 at 17:43:07

Katie, when I was looking to see what AntiVirus you are using, I noticed Trusteer Rapport, which I had never heard of, so I googled.
I would uninstall it (you can always reinstall it later, if removing doesn't help) using Revo.

Your Farbar log is perfect, I will let aaflac44 deal with the Avast issue, he may need to know if Avast was able to remove those infections.

Revo Uninstaller
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.revouninstaller.com/
I use Advanced Mode. Screenshots of how to use.
http://img695.yfrog.com/gal.php?g=r...
http://img695.imageshack.us/slidesh...
If you have partially uninstalled your program, you get a message from Revo, that it can't find the uninstaller, hit Cancel & let Revo continue on, to search for the remnants.
Reboot.

Reset all of IE's options back to default and delete all cookies.
http://support.microsoft.com/kb/967897
Run TFC & CCleaner.

TFC
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please download TFC - Temporary File Cleaner by Old Timer, saving it to your desktop.
* Open the file and close any other windows.
* It will close all programs itself when run, make sure to let it run uninterrupted.
* Click the Start button to begin the process. The program should not take long to finish its job.
* Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

CCleaner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.ccleaner.com/
http://www.piriform.com/ccleaner/do...
Tutorial
http://www.ccleaner.com/help/tour/
http://www.download.com/How-to-use-...


Report •

#73
November 15, 2011 at 01:01:28

Hi Katie, bad news, aaflac44 has alerted me that this virus is impossible to remove.
To give you more info, I googled & got this.
http://www.techspot.com/vb/topic154...
http://www.techspot.com/vb/search.p...

Installing a new operating system on your netbook can be done, you will need a clean copy of whatever you choose, if XP, the file needed is i386.

Let us know what you decide & I can guide you through it.


Report •

#74
November 16, 2011 at 17:19:06

I was beginning to think that this was an impossible task as we have thrown so much expertise and so many tools at it. We've managed to contain it a bit I think as some things work better but I do think it is time to give up and start again now.

I would very much appreciate your help on how to do this - I haven't a clue without a system restore point or a CD/DVD drive!

Thanks

Katie


Report •

#75
November 16, 2011 at 17:37:13

Katie can we have your computer Make & exact model please.

A new operating system, can be done via an USB hard drive or thumb drive.


Report •

#76
November 16, 2011 at 21:24:48

2 more questions Katie.

Are you comfortable in the registry ( Regedit )?

Have you had the computer since new?


Report •

#77
November 17, 2011 at 15:01:04

product name: Compaq Mini
product number: NF280EA#ABU

I have no idea what regedit is - but can follow instructions! oh and yes I have had it since new.


Report •

#78
November 17, 2011 at 15:30:36

Just so we have this on the page, googling the NF280EA#ABU number reveals the actual model number is 702EA.

"but can follow instructions!"
Yes you are doing very well, make sure you use google, that is what I do all the time, trillions of fixes out there, just a matter of getting the right keywords into the search.

Example, > download 702EA manual ( which I am about to read )
http://is.gd/s69GYr
http://h10025.www1.hp.com/ewfrf/wc/...


Report •

#79
November 17, 2011 at 15:58:07

"didn't come with CD or software of any kind"

"oh and yes I have had it since new"

Have you looked in the pockets of the carry case? You should have a manual & CD/CDs.

Extract from the manual.

Operating System and Driver Recovery discs (included with your device): You can use the discs
to recover your operating system and programs installed at the factory.
http://h10032.www1.hp.com/ctg/Manua...
Recovering the operating system and programs
In case of system failure or instability, use the Operating System and Driver Recovery discs included
with your device to recover your operating system and programs installed at the factory.
CAUTION: The recovery process reformats and completely erases the hard drive. All files you have
created and any software installed on the device are permanently removed. The recovery process
reinstalls the original operating system, software, and drivers. Software, drivers, and updates not
installed by HP must be manually reinstalled.
NOTE: To perform a recovery with the recovery discs, you will need an external optical drive
(purchased separately).
NOTE: The recovery process will take several hours to complete.

Don't buy anything, I hope to be able to work this out without you spending any money.


Report •

#80
November 22, 2011 at 14:33:12

I don't have anything at all with the machine - no carry case. It came free with a mobile phone and I never had a handbook or anything to my recollection. Maybe I have to buy the recovery software and download it onto a USB stick or something? I do have an external hard drive, by the way, with big capacity, if that makes any difference. That is currently holding all the photos, music, files etc. that I already took from this machine. Is there any chance these files will be corrupt? There are no program files.
Thanks - oh, and sorry for taking ages to reply - I was at my sister's for a long weekend. She has just had twins (9 weeks old) and had a tummy bug; also her 15-month-old girl has chicken pox and the same tummy bug, so she was literally on the verge of collapse. I had no time to go online since last Thursday!


#81
November 22, 2011 at 15:36:25

You did the right thing going to your sister, fingers crossed she copes from now on.

"Maybe I have to buy the recovery software and download onto a usb stick or something?"
Everything I am going to suggest is FREE, including recovery software.

Going to change tack for a little. See if you can install & run this in normal mode, then click on > File > Save as < to your desktop.
Now upload that file for me, please.

Process Explorer
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://technet.microsoft.com/en-gb/...
http://technet.microsoft.com/en-us/...



#82
November 22, 2011 at 16:07:17

"Is there any chance these files will be corrupt? There are no program files"
Not having any program files may help. Music could be infected, depending on where you got it from; the thing is, you got infected from something.

Keep that drive disconnected & remind us what to do with it later; I will work out a plan using a thumb drive once I know that is my only route left.



#83
November 22, 2011 at 17:15:31

Here's the output. Oh, and by the way, my bank account got hijacked on Saturday - I can't help but think it might be linked to the virus. I have to close my bank account completely now, according to the bank, as they used both online and telephone access to remove money. :-( I am really keen just to get rid of it ASAP now, as you can imagine! I stopped accessing any accounts on this machine after realizing it had a nasty virus, but obviously I was too late.....

Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 84.85 0 K 28 K
System 4 0 K 132 K
Interrupts n/a 0.76 0 K 0 K Hardware Interrupts and DPCs
smss.exe 576 176 K 148 K Windows NT Session Manager Microsoft Corporation
csrss.exe 628 1,888 K 2,840 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 652 7,136 K 1,448 K Windows NT Logon Application Microsoft Corporation
services.exe 696 2,176 K 2,104 K Services and Controller app Microsoft Corporation
svchost.exe 868 3,640 K 1,952 K Generic Host Process for Win32 Services Microsoft Corporation
Foxit Reader.exe 4076 15,588 K 24,472 K
wmiprvse.exe 2224 2,832 K 5,500 K WMI Microsoft Corporation
svchost.exe 972 2,264 K 1,760 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1024 26,620 K 29,344 K Generic Host Process for Win32 Services Microsoft Corporation
btwdins.exe 1056 2,404 K 1,052 K Bluetooth Support Server Broadcom Corporation.
svchost.exe 1140 2,372 K 2,004 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1184 1,984 K 1,536 K Generic Host Process for Win32 Services Microsoft Corporation
AvastSvc.exe 1436 35,228 K 38,364 K avast! Service AVAST Software
spoolsv.exe 108 5,560 K 2,012 K Spooler SubSystem App Microsoft Corporation
svchost.exe 180 1,776 K 208 K Generic Host Process for Win32 Services Microsoft Corporation
SASCore.exe 356 1,020 K 204 K Core Service SUPERAntiSpyware.com
AppleMobileDeviceService.exe 368 5,892 K 1,588 K MobileDeviceService Apple Inc.
jqs.exe 452 2,604 K 1,420 K Java(TM) Quick Starter Service Sun Microsystems, Inc.
svchost.exe 620 3,112 K 2,712 K Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1180 1,584 K 884 K Application Layer Gateway Service Microsoft Corporation
lsass.exe 708 4,324 K 1,516 K LSA Shell (Export Version) Microsoft Corporation
GoogleUpdate.exe 488 3,728 K 1,356 K Google Installer Google Inc.
explorer.exe 3192 0.76 26,768 K 21,172 K Windows Explorer Microsoft Corporation
AvastUI.exe 3740 6,840 K 7,200 K avast! Antivirus AVAST Software
GoogleToolbarNotifier.exe 3748 6,376 K 1,832 K GoogleToolbarNotifier Google Inc.
ctfmon.exe 3760 1,372 K 1,724 K CTF Loader Microsoft Corporation
firefox.exe 4004 4.55 284,232 K 235,344 K Firefox Mozilla Corporation
plugin-container.exe 3960 7.58 111,956 K 123,992 K Plugin Container for Firefox Mozilla Corporation
plugin-container.exe 3088 7,704 K 6,608 K Plugin Container for Firefox Mozilla Corporation
procexp.exe 1256 1.52 9,364 K 14,512 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com


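The listing above is what the helper asked for: a Process Explorer text export to be eyeballed for anything without a vendor string or anything borrowing a core Windows process name. As an added example (not code from this thread or from Sysinternals), here is a small Python triage script that does that first pass automatically. The sample export is constructed for the example from the rows in the post with tab separators restored (Process Explorer's Save writes tab-delimited columns; this is an assumption about the export format), plus one hypothetical svchost.exe row, not from the post, to show the masquerading check firing.

```python
"""Triage a Process Explorer 'File > Save As' text export.

Assumption: the export is tab-separated with the header row shown in the
forum post. The Process column may carry leading spaces for tree indentation,
so it is stripped before use.
"""
import csv
import io

# Names used by core Windows XP processes. A row with one of these names that
# does not carry a Microsoft company string deserves a closer look.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Pseudo-processes that never carry version information.
PSEUDO = {"System Idle Process", "System", "Interrupts"}

# Constructed sample: rows from the post with tabs restored, plus one
# hypothetical row (PID 4100) that is NOT from the post.
SAMPLE = "\n".join([
    "Process\tPID\tCPU\tPrivate Bytes\tWorking Set\tDescription\tCompany Name",
    "System Idle Process\t0\t84.85\t0 K\t28 K\t\t",
    "smss.exe\t576\t\t176 K\t148 K\tWindows NT Session Manager\tMicrosoft Corporation",
    "csrss.exe\t628\t\t1,888 K\t2,840 K\tClient Server Runtime Process\tMicrosoft Corporation",
    "svchost.exe\t868\t\t3,640 K\t1,952 K\tGeneric Host Process for Win32 Services\tMicrosoft Corporation",
    "Foxit Reader.exe\t4076\t\t15,588 K\t24,472 K\t\t",
    "svchost.exe\t1024\t\t26,620 K\t29,344 K\tGeneric Host Process for Win32 Services\tMicrosoft Corporation",
    "AvastSvc.exe\t1436\t\t35,228 K\t38,364 K\tavast! Service\tAVAST Software",
    "explorer.exe\t3192\t0.76\t26,768 K\t21,172 K\tWindows Explorer\tMicrosoft Corporation",
    "procexp.exe\t1256\t1.52\t9,364 K\t14,512 K\tSysinternals Process Explorer\tSysinternals - www.sysinternals.com",
    "svchost.exe\t4100\t\t2,000 K\t1,900 K\t\t",  # hypothetical, not from the post
])


def parse_procexp(text):
    """Parse the tab-separated export into a list of dicts keyed by header."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return list(reader)


def triage(rows):
    """Return (process, pid, reason) tuples for rows worth a second look."""
    findings = []
    for r in rows:
        name = (r.get("Process") or "").strip()
        pid = (r.get("PID") or "").strip()
        company = (r.get("Company Name") or "").strip()
        desc = (r.get("Description") or "").strip()
        if name in PSEUDO:
            continue
        if name.lower() in CORE_NAMES and "Microsoft" not in company:
            findings.append((name, pid, "core Windows name without a Microsoft company string"))
        elif not company and not desc:
            findings.append((name, pid, "no version information (unsigned or stripped image)"))
    return findings


if __name__ == "__main__":
    for name, pid, reason in triage(parse_procexp(SAMPLE)):
        print(f"{name} (PID {pid}): {reason}")
```

Run against a real export, this flags Foxit Reader.exe from the post (no description, no company) and the hypothetical svchost.exe without a Microsoft string; a missing company string is a prompt to check the image path and signature, not proof of infection. Inside Process Explorer itself the stronger version of the same check is Options > Verify Image Signatures together with the Verified Signer column, which validates the Authenticode signature rather than trusting the version resource.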

#84
November 22, 2011 at 17:41:18

OK, install & run this please.

Open RegSeeker, up the top, click on > Find in registry, tick all the boxes in HKEY, copy & paste > ramnit into Search for & click > Search.

Upload a screenshot please, use the scroll bar if more than one shot is needed.

RegSeeker
http://www.snapfiles.com/get/regsee...
http://www.hoverdesk.net/freeware.htm



#85
November 22, 2011 at 17:54:42

"OH and by the way, my bank account got hijacked on Saturday - can't help but think it might be linked to the virus"

Without doubt, Katie; that was in the link I googled for & gave you to read.

http://www.techspot.com/vb/topic154...

"Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity."



#86
November 25, 2011 at 15:30:46

Yes, I did change the internet banking password etc. on my work laptop, but apparently they did it over the phone - they must already have picked up enough information about me to give the security answers!

Sorry for the delay again - I'm being punished for being a good Samaritan and helping my sister - I have caught the stomach virus!

here's the output as requested:

http://www.mediafire.com/download.p...



#87
November 25, 2011 at 16:02:32

OK Katie, download & run this please; you should get a log report.

PCMAV Express Cleaner For Ramnit
http://pcmav.web.id/2011/06/14/remo...
http://www.mediafire.com/file/99tft...
Instructions.
1: Download exe onto Desktop.
2: Boot into Safe mode.
3: Close all open GUI applications.
4: Disconnect LAN/Internet connection.
5: Connect all drives that have been used & may be infected ( thumb, external/internal etc )
6: Click > Scan & Clean
7: Wait, how long depends on your drive/drives.



#88
November 25, 2011 at 16:09:19

"sorry for the delay again - I'm being punished for being a good Samaritan and helping my sister - have caught the stomach virus!"
If you go there again, maybe someone who is computer savvy in her house, or friends nearby, can help you; if you take your comp to her place, then we can keep things moving.


#89
November 25, 2011 at 19:01:18

"sorry for the delay again - I'm being punished for being a good Samaritan and helping my sister - have caught the stomach virus!"

Forgot to mention, we were in the UK for a month in June; we rented a house in Frome (Somerset). My wife got the stomach virus & only came good 6 weeks ago; she got rid of the virus, but it left her with Chronic Fatigue Syndrome.



#90
November 26, 2011 at 05:35:13

Oh, I know Frome! We have a cottage about 15 mins from there, which is rented out now, but we lived there for about 3 years. Very pretty part of the country. Sorry to hear about your wife - I really hope I feel better in less than 4 months!

I ran the file - but could not get my computer to start in safe mode - it just kept cycling round to the same screen with the boot options, saying it couldn't start last time. I tried all the options but nothing would work apart from normal mode. I thought I had nothing to lose by just running it anyway, though. Here's the log:

http://www.mediafire.com/?z2hyryq5q...

Thanks



#91
November 26, 2011 at 07:45:59

Just got home from a friends house.

It says all those files have been removed; reboot & try to see if it will run in safe mode.

Even if you can't, run the program again & let's see if those files have stayed deleted.

Then reboot & run Avast in safe mode or, if unable, normal mode. Let's see the log.

Ta.



#92
November 26, 2011 at 08:12:49

If you are still having trouble getting into Safe mode, use this; refer to screenshot 2.

Re-Enable
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.freewarefiles.com/Re-Ena...
http://www.tangosoft.co.uk/
http://www.raymond.cc/forum/general...



#93
November 26, 2011 at 17:32:12

I ran the Ramnit fix again and it was totally clean... but then I ran Avast, and it found about 700 files infected with Ramnit G, Ramnit H and PrefPoly. I've moved them all to the chest, but I'm not sure what to do with them - I'm worried about deleting them as it looks like a lot of files!


#94
November 26, 2011 at 17:42:41

Did you get safe mode working?



#95
November 26, 2011 at 18:02:11

"I've moved them all to the chest but I'm not sure what to do with them"
That's fine for now.

"worried to delete them as it looks like a lot of files!"
No need to worry. The next step, if we can't get rid of your infections & get the comp running normally, is to delete everything by formatting, so you lose everything.



#96
November 28, 2011 at 07:44:41

I actually decided that I might as well delete everything, as the computer is essentially useless anyway! I have deleted all the files and scans are now showing clean. One program that wouldn't open before now does, which looks like something has improved. IE won't work, though - it opens and shuts down immediately.


#97
November 28, 2011 at 15:28:02

Oh, and no, safe mode still didn't work after trying the thing you asked me to do.


#98
November 29, 2011 at 04:16:49

Katie, up the top of the page, on the right hand side of your name, I have a Private Message ( PM ) for you.


#99
January 13, 2012 at 05:59:49

What type of virus?
