Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I am having problems with the klone virus Please help. I am a novice so be gentle with me!!!
I have ran
AVG
CW Shredder
AdAware
Spybot
Ewido
all in safe mode and it hasnt helped!!! What do I do next??
Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.Exit hijack This
Rename hijackthis.exe as that sometime helps locate the baddies. Go to start> search> files and folders> type in the top space "hijackthis.exe" without the quotes> click search> when it is found in the right pane (looks like a pile of dynamite)>right click on it> click rename> rename it "show.exe" without the quotes> click a blank space on the screen.
Run Hijack This, click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
0 
Logfile of HijackThis v1.99.1
Scan saved at 10:57:03 AM, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\show.exe.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tgeraboj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {DF2B7129-8A40-414F-8EE4-61FC074F245C} - C:\WINDOWS\Help\vddcac.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.exe /P26 "EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [EPSON Stylus CX4100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.exe /P26 "EPSON Stylus CX4100 Series" /M "Stylus CX4100" /EF "HKCU"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SysProtect Free] "C:\Program Files\SysProtect Free\USYP.exe" /min
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102w.bay102.mail.live.com/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/s...
O17 - HKLM\System\CCS\Services\Tcpip\..\{24B5DF9A-98A0-45E4-8B46-440EA892C260}: Domain = nsw.bigpond.net.au
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vddcac - C:\WINDOWS\Help\vddcac.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
0
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.Please download SmitRemFix from this link http://siri.urz.free.fr/Fix/SmitfraudFix.zip Then extract the contents to your desktop.
!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
0
SmitFraudFix v2.110
Scan done at 11:20:45.71, Mon 16/10/2006
Run from C:\Documents and Settings\Olmi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Olmi
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Olmi\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Olmi\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
0
And the Vundofix log. Lets try to run these scans and post them in the order that they are requested please.
0
Sorry i didnt know that you wanted me to post the vundofix log i ran it and pressed remove to what came up.
I just scanned again and it says there are no infections
0
Ooops, my apologies I cut that put of my post.
Please download ComboFix to the Desktop from this link:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)Please post the combofix.txt log.
0
Olmi - 06-10-16 12:04:56.06 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Program Files\Mozilla Firefox"(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\components
((((((((((((((((((((((((((((((( Files Created from 2006-09-16 to 2006-10-16 ))))))))))))))))))))))))))))))))))
2006-10-16 11:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-16 11:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-16 11:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-16 11:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-03 20:38 737,280 --a------ C:\WINDOWS\iun6002.exe
2006-09-22 20:29 24,192 --a------ C:\Documents and Settings\Olmi\usbsermptxp.sys
2006-09-22 20:29 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-09-22 20:29 22,768 --a------ C:\Documents and Settings\Olmi\usbsermpt.sys
2006-09-19 20:50 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2006-09-19 20:50 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2006-09-19 20:50 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2006-09-19 20:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-09-19 20:50 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2006-09-19 20:50 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-16 12:04 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-16 10:57 -------- d-------- C:\Program Files\Hijackthis
2006-10-15 14:37 -------- d-------- C:\Program Files\3gpConvert
2006-10-15 13:11 -------- d-------- C:\Program Files\GraphicView32
2006-10-15 11:00 -------- d-a------ C:\Program Files\Common Files
2006-10-15 11:00 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-12 18:13 -------- d-------- C:\Program Files\SmartDraw 2007
2006-10-09 16:33 -------- d-------- C:\Program Files\MSN Messenger
2006-10-09 16:10 -------- d-------- C:\Program Files\WinZip
2006-10-03 20:57 -------- d-------- C:\Program Files\Replay Converter
2006-10-03 20:28 -------- d-------- C:\Program Files\WinXMedia
2006-10-03 19:08 -------- d-------- C:\Program Files\JoyceAudioConverter
2006-10-03 18:26 -------- d-------- C:\Documents and Settings\Olmi\Application Data\Softplicity
2006-10-03 13:44 -------- d-------- C:\Documents and Settings\Olmi\Application Data\NeroDCTemplates
2006-09-29 13:44 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-23 16:41 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-23 16:41 -------- d-------- C:\Program Files\Cheetah Burner
2006-09-22 20:34 -------- d-------- C:\Program Files\Avanquest update
2006-09-22 20:31 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-09-19 20:50 -------- d-------- C:\Program Files\Ahead
2006-09-13 15:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-05 22:23 -------- d-------- C:\Documents and Settings\Olmi\Application Data\Real
2006-09-05 22:17 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-05 22:17 -------- d-------- C:\Program Files\Common Files\Real
2006-09-05 22:16 -------- d-------- C:\Program Files\Real
2006-09-01 08:19 -------- d-------- C:\Program Files\Google
2006-08-30 09:44 13844 --a------ C:\WINDOWS\system32\codgrara.exe
2006-08-29 13:09 -------- d-------- C:\Program Files\XoftSpy
2006-08-26 10:11 -------- d-------- C:\Documents and Settings\Olmi\Application Data\AdobeUM
2006-08-26 01:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 18:20 -------- d-------- C:\Documents and Settings\Olmi\Application Data\Adobe
2006-08-22 15:39 -------- d-------- C:\Program Files\vanBasco's Karaoke Player
2006-08-21 22:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 19:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 19:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 21:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 19:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-08-11 15:53 2580 --a------ C:\WINDOWS\system32\edvedefn.exe
2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 15:13 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"EPSON Stylus CX4100 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEP.exe /P26 \"EPSON Stylus CX4100 Series\" /M \"Stylus CX4100\" /EF \"HKCU\""
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.4156\\GoogleToolbarNotifier.exe"
"SysProtect Free"="\"C:\\Program Files\\SysProtect Free\\USYP.exe\" /min"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Alcmtr"="ALCMTR.EXE"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"EPSON Stylus CX4100 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEP.exe /P26 \"EPSON Stylus CX4100 Series\" /O6 \"USB001\" /M \"Stylus CX4100\""
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"Blubster"="C:\\Program Files\\Blubster\\Blubster.exe SILENT"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,\
00,00,01,00,00,00[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.jobCompletion time: 06-10-16 12:05:48.31
C:\ComboFix.txt ... 06-10-16 12:05
0
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe modeUpdate Ewido.
Download Killbox to your desktop from this link Killbox by Option^Explicit. If you already have "Killbox" update to this newer version. We will need it later in safe mode
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tgeraboj.dll (file missing)
O2 - BHO: (no name) - {DF2B7129-8A40-414F-8EE4-61FC074F245C} - C:\WINDOWS\Help\vddcac.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKCU\..\Run: [SysProtect Free] "C:\Program Files\SysProtect Free\USYP.exe" /min
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/s...
O20 - Winlogon Notify: vddcac - C:\WINDOWS\Help\vddcac.dll
Exit Hijack This but remain in safe mode
Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.C:\WINDOWS\system32\tgeraboj.dll
C:\WINDOWS\Help\vddcac.dll
C:\Program Files\SysProtect Free\USYP.exe
C:\Program Files\SysProtect Free\
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.From safe mode navigate to and delete this file if found:
C:\Program Files\SysProtect
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot to normal mode.
Need to check some files, go to this link Virustotal then use there browse botton and browse to these files:
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\codgrara.exe
then one at the time "send" to be analyzed> Post the results please.
Post the ewido report on your desktop, a new Hijack This log and a new combofix log.
0
i Have just finished doing all these things.. I had some problems.
I could not find O20 - Winlogon Notify: vddcac - C:\WINDOWS\Help\vddcac.dll in the Hyjack this list at allthen i could not run killbox in safemode it said system error &H800706ba (.2147023174) the RPC server is unavailable
i searched for C:\Program Files\SysProtect to delete, it wasnt there.
Ewido report:
ewido anti-spyware - Scan Report
+ Created at: 4:05:17 PM 16/10/2006+ Scan result:
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.105:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\Olmi\Application Data\Mozilla\Firefox\Profiles\6fum6stb.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
::Report endhijack this report
Logfile of HijackThis v1.99.1
Scan saved at 4:26:14 PM, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Hijackthis\show.exe.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.exe /P26 "EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [EPSON Stylus CX4100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.exe /P26 "EPSON Stylus CX4100 Series" /M "Stylus CX4100" /EF "HKCU"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102w.bay102.mail.live.com/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...
O17 - HKLM\System\CCS\Services\Tcpip\..\{24B5DF9A-98A0-45E4-8B46-440EA892C260}: Domain = nsw.bigpond.net.au
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.execombo fix log
Olmi - 06-10-16 16:27:29.18 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Olmi\Desktop\klone fix"((((((((((((((((((((((((((((((( Files Created from 2006-09-16 to 2006-10-16 ))))))))))))))))))))))))))))))))))
2006-10-16 11:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-16 11:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-16 11:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-16 11:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-03 20:38 737,280 --a------ C:\WINDOWS\iun6002.exe
2006-09-22 20:29 24,192 --a------ C:\Documents and Settings\Olmi\usbsermptxp.sys
2006-09-22 20:29 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-09-22 20:29 22,768 --a------ C:\Documents and Settings\Olmi\usbsermpt.sys
2006-09-19 20:50 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2006-09-19 20:50 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2006-09-19 20:50 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2006-09-19 20:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-09-19 20:50 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2006-09-19 20:50 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-16 16:26 -------- d-------- C:\Program Files\Hijackthis
2006-10-16 16:09 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-16 13:35 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-15 14:37 -------- d-------- C:\Program Files\3gpConvert
2006-10-15 13:11 -------- d-------- C:\Program Files\GraphicView32
2006-10-15 11:00 -------- d-a------ C:\Program Files\Common Files
2006-10-12 18:13 -------- d-------- C:\Program Files\SmartDraw 2007
2006-10-09 16:33 -------- d-------- C:\Program Files\MSN Messenger
2006-10-09 16:10 -------- d-------- C:\Program Files\WinZip
2006-10-03 20:57 -------- d-------- C:\Program Files\Replay Converter
2006-10-03 20:28 -------- d-------- C:\Program Files\WinXMedia
2006-10-03 19:08 -------- d-------- C:\Program Files\JoyceAudioConverter
2006-10-03 18:26 -------- d-------- C:\Documents and Settings\Olmi\Application Data\Softplicity
2006-10-03 13:44 -------- d-------- C:\Documents and Settings\Olmi\Application Data\NeroDCTemplates
2006-09-29 13:44 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-23 16:41 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-23 16:41 -------- d-------- C:\Program Files\Cheetah Burner
2006-09-22 20:34 -------- d-------- C:\Program Files\Avanquest update
2006-09-22 20:31 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-09-19 20:50 -------- d-------- C:\Program Files\Ahead
2006-09-13 15:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-05 22:23 -------- d-------- C:\Documents and Settings\Olmi\Application Data\Real
2006-09-05 22:17 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-05 22:17 -------- d-------- C:\Program Files\Common Files\Real
2006-09-05 22:16 -------- d-------- C:\Program Files\Real
2006-09-01 08:19 -------- d-------- C:\Program Files\Google
2006-08-30 09:44 13844 --a------ C:\WINDOWS\system32\codgrara.exe
2006-08-29 13:09 -------- d-------- C:\Program Files\XoftSpy
2006-08-26 10:11 -------- d-------- C:\Documents and Settings\Olmi\Application Data\AdobeUM
2006-08-26 01:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 18:20 -------- d-------- C:\Documents and Settings\Olmi\Application Data\Adobe
2006-08-22 15:39 -------- d-------- C:\Program Files\vanBasco's Karaoke Player
2006-08-21 22:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 19:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 19:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 21:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 19:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-08-11 15:53 2580 --a------ C:\WINDOWS\system32\edvedefn.exe
2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 15:13 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"EPSON Stylus CX4100 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEP.exe /P26 \"EPSON Stylus CX4100 Series\" /M \"Stylus CX4100\" /EF \"HKCU\""
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.4156\\GoogleToolbarNotifier.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"EPSON Stylus CX4100 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEP.exe /P26 \"EPSON Stylus CX4100 Series\" /O6 \"USB001\" /M \"Stylus CX4100\""
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"Blubster"="C:\\Program Files\\Blubster\\Blubster.exe SILENT"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,\
00,00,01,00,00,00[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.jobCompletion time: 06-10-16 16:28:08.43
C:\ComboFix.txt ... 06-10-16 16:28
C:\ComboFix2.txt ... 06-10-16 12:05
virus totalComplete scanning result of "iun6002.exe", received in VirusTotal at 10.16.2006, 08:15:58 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.30 10.14.2006 no virus found
Authentium 4.93.8 10.13.2006 no virus found
Avast 4.7.892.0 10.13.2006 no virus found
AVG 386 10.14.2006 no virus found
BitDefender 7.2 10.16.2006 no virus found
CAT-QuickHeal 8.00 10.14.2006 no virus found
ClamAV devel-20060426 10.15.2006 no virus found
DrWeb 4.33 10.15.2006 no virus found
eTrust-InoculateIT 23.73.22 10.13.2006 no virus found
eTrust-Vet 30.3.3137 10.16.2006 no virus found
Ewido 4.0 10.15.2006 no virus found
Fortinet 2.82.0.0 10.16.2006 no virus found
F-Prot 3.16f 10.13.2006 no virus found
F-Prot4 4.2.1.29 10.13.2006 no virus found
Ikarus 0.2.65.0 10.16.2006 no virus found
Kaspersky 4.0.2.24 10.16.2006 no virus found
McAfee 4873 10.13.2006 no virus found
Microsoft 1.1603 10.16.2006 no virus found
NOD32v2 1.1804 10.15.2006 no virus found
Norman 5.90.23 10.13.2006 no virus found
Panda 9.0.0.4 10.15.2006 no virus found
Sophos 4.10.0 10.15.2006 no virus found
TheHacker 6.0.1.098 10.14.2006 no virus found
UNA 1.83 10.13.2006 no virus found
VBA32 3.11.1 10.15.2006 no virus found
VirusBuster 4.3.7:9 10.15.2006 no virus foundAditional Information
File size: 737280 bytes
MD5: 456462905091db042141487fe030e3c9
SHA1: bb57b4850528c3c8d9bf159fb5b9f414ddc7d5d7Complete scanning result of "codgrara.exe", received in VirusTotal at 10.16.2006, 08:23:37 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.30 10.14.2006 TR/Adload.MAS.6
Authentium 4.93.8 10.13.2006 no virus found
Avast 4.7.892.0 10.13.2006 no virus found
AVG 386 10.14.2006 no virus found
BitDefender 7.2 10.16.2006 Trojan.Adload.MAS
CAT-QuickHeal 8.00 10.14.2006 Downloader.WinFixer.r (Not a Virus)
ClamAV devel-20060426 10.15.2006 Trojan.Downloader.Adload-77
DrWeb 4.33 10.15.2006 Trojan.DownLoader.12309
eTrust-InoculateIT 23.73.22 10.13.2006 no virus found
eTrust-Vet 30.3.3137 10.16.2006 Win32/Secdrop!generic
Ewido 4.0 10.15.2006 Not-A-Virus.Downloader.Win32.WinFixer.r
Fortinet 2.82.0.0 10.16.2006 no virus found
F-Prot 3.16f 10.13.2006 no virus found
F-Prot4 4.2.1.29 10.13.2006 no virus found
Ikarus 0.2.65.0 10.16.2006 no virus found
Kaspersky 4.0.2.24 10.16.2006 not-a-virus:Downloader.Win32.WinFixer.r
McAfee 4873 10.13.2006 no virus found
Microsoft 1.1603 10.16.2006 no virus found
NOD32v2 1.1804 10.15.2006 no virus found
Norman 5.80.02 10.13.2006 W32/Adload.BAU
Panda 9.0.0.4 10.15.2006 Adware/SystemDoctor
Sophos 4.10.0 10.15.2006 no virus found
TheHacker 6.0.1.098 10.14.2006 Aplicacion/WinFixer.r
UNA 1.83 10.13.2006 TrojanDownloader.Win32.Adload.AF0
VBA32 3.11.1 10.15.2006 Downloader.Win32.WinFixer.r
VirusBuster 4.3.7:9 10.15.2006 no virus foundAditional Information
File size: 13844 bytes
MD5: cb1122d0dec30c2f6525043723f6c9ab
SHA1: b3114cc1c7b730fde343c92eff42cfe73317698d
0
Reboot into safe mode.
Run killbox again.
Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.C:\WINDOWS\system32\codgrara.exe
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.I am not sure that this is a trust worthy program so you may want to remove it with add/remove programs, it once was loaded with spyware but was supposed to have cleaned there act up:
C:\Program Files\XoftSpy
Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
You should add "Spywareblaster" to your arsenol of antispyware tools, just do a google search for spywareblaster, download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
Let me know how you are running or if you are still getting klone warnings.
0
I have done all the things you asked me to do.
I still couldnt run killbox in safe mode even after reinstalling it.
I ended just running it in normal mode.The computer seems to be working alot better than before and no popups so far..
Thanks heaps for all your help x
0
If you were unable to remove "C:\WINDOWS\system32\codgrara.exe" with Killbox.
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip
1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFiles to delete:
C:\WINDOWS\system32\codgrara.exeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply and post a new Combofix log.
0
i am pretty sure i deleted that file using killbox in normal mode.
I just tried doing what you told me to do and it said Error. selected file does not seem to be a valid script..
i could not get any further
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
