I'm having the same issues as a lot of people it seems - Google redirect virus. Can't even get onto sites to download AVG updates or MalwareBytes (as posted in a previous post). Have scanned with Ad Aware and Spybot Search and Destroy (nothing).
I have a hi jack log that I was ready to post - though it prompted me not to post unless asked - tried the online analyzer and nothing "bad" came up.
Please help.
Eric

Download Malwarebytes to a CD from an uninfected computer if possible (if not possible let me know) then run it on the infected computer. Don't check the boxes to "update" and "run on startup" if you run it from the CD, just click the desktop icon.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Thanks for the reply - but I don't have access to another computer to download Malwarebytes (computer won't let me go to that site). do you want me to post my hi jack log?

Not yet on the HijackThis log. You may not be able to get into safe mode to run SDFix but try.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

I can't access the sites via the web that you have listed - SDFix.exe or the other "Link". Just get the "Internet Explorer cannot display the web page".
Eric

If this works it will be short lived so run MalwareBytes as soon as possible if you can access the site.
Please download HostsXpert from the following link:
Extract the HostsXpert.zip by doing the following:
Right-click HostsXpert.zip and select extract all – Follow the wizard and extract it to your Desktop
Click Finish.
Double-click the HostsXpert folder and then double-click HostsXpert.exe.
Click “Restore MS Hosts File” and press OK.
Exit the program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
Next, launch notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Delete the fixme.reg file just created.
Open notepad (Start Menu > Run > Type notepad and press "ok").
Copy and paste everything into notepad between the x's making "regsvr32 Shdocvw.dll" the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
regsvr32 Shdocvw.dll
regsvr32 Shell32.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 Mshtml.dll
regsvr32 Urlmon.dll
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fixreg.bat then save it to your desktop.
Double click Fixreg.bat (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

I downloaded HostsXpert - though when I go to Restore MS Hosts file I get an error - "Cannot create file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts" In looking in the c drive - there is a file already created of that name (260kb)- date modified 21/9/2008.
Next step?

The very top left button on the HostsXpert screen should say "Make ReadOnly" if it says "Make Writable" click it so that it says "Make ReadOnly" then click the "Restore MS Hosts File" button. Then continue.
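
Before a hosts file is overwritten, it helps to know what is actually in it. The following is an added example, not part of the original thread and not how HostsXpert works: it sorts hosts entries into ordinary block entries, redirects to a non-loopback address, and sinkholed entries for sites the machine needs. The sample file, the `.example` domains, the watchlist and the function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample, not the poster's file. A stock Windows XP hosts file
# maps only "localhost"; everything else was added by some program.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.ad-tracker.example    # block entry added by a protection tool
0.0.0.0         banner.ads.example
127.0.0.1       www.av-vendor.example
203.0.113.45    www.search-engine.example
203.0.113.45    update.av-vendor.example  www2.av-vendor.example
not-an-ip       broken.example
"""

# Hypothetical watchlist: domains this machine must be able to reach.
WATCHLIST = ("av-vendor.example",)


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield line_no, fields[0], [h.lower() for h in fields[1:]]


def on_watchlist(host, watchlist):
    """True if host is a watchlisted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (findings, counts); findings are (line_no, kind, address, host)."""
    findings, counts = [], Counter()
    for line_no, addr, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not hosts:
            findings.append((line_no, "malformed", addr, " ".join(hosts)))
            counts["malformed"] += 1
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in hosts:
            if host == "localhost" and ip.is_loopback:
                kind = "default"
            elif not sinkhole:
                kind = "redirect"           # name resolves to someone else's server
            elif on_watchlist(host, watchlist):
                kind = "blocked-watchlist"  # needed site pointed at a dead address
            else:
                kind = "block"              # ordinary blocklist entry
            counts[kind] += 1
            if kind in ("redirect", "blocked-watchlist"):
                findings.append((line_no, kind, addr, host))
    return findings, counts


if __name__ == "__main__":
    # On the affected machine, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts instead.
    findings, counts = audit_hosts(SAMPLE_HOSTS)
    for finding in findings:
        print(*finding)
    print(dict(counts))
```

A large hosts file is not by itself a sign of tampering, since protection tools add block entries in bulk; the `redirect` and `blocked-watchlist` findings are the ones worth reading line by line.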

O.K. Fixreg.bat completed. 5 ".dll"'s came up succeeded - though one didn't. "Mshtml.dll" entry point not found - file could not be registered.
Malware links still don't work.
Next?
Eric

Download this tool compliments of Miekiemoes:
Unzip it and then RIGHT CLICK VArestorepolicies.inf and select Install from the Context menu.
Log off or reboot to apply the changes.
This will set the display in the Start menu to Windows default. It will also delete some policies which you may have set yourself previously. The above instructions only remove the VIRUS ALERT! in the clock and System properties and the restrictive policies+registry modifications being set.
Try to access the Malwarebytes site again.

I think I did the VArestorepolicies.inf - it's just a 2,026 bytes notepad file? Right clicked it and selected install, and rebooted but still can't access Malwarebytes sites.
Eric

This may not change a lot but may stop the virus from getting worse.
Open notepad (Start Menu > Run > Type notepad and press "ok").
Copy and paste everything into notepad between the x's making "@echo off" the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@echo off
attrib -r -h C:\WINDOWS\system32\drivers\tdssserv.sys
del /a /f /q C:\WINDOWS\system32\drivers\tdssserv.sys
attrib -r -h C:\WINDOWS\system32\tdssadw.dll
del /a /f /q C:\WINDOWS\system32\tdssadw.dll
attrib -r -h C:\WINDOWS\system32\TDSSerrors.log
del /a /f /q C:\WINDOWS\system32\TDSSerrors.log
attrib -r -h C:\WINDOWS\system32\tdssinit.dll
del /a /f /q C:\WINDOWS\system32\tdssinit.dll
attrib -r -h C:\WINDOWS\system32\tdssl.dll
del /a /f /q C:\WINDOWS\system32\tdssl.dll
attrib -r -h C:\WINDOWS\system32\tdssmain.dll
del /a /f /q C:\WINDOWS\system32\tdssmain.dll
attrib -r -h C:\WINDOWS\system32\tdssservers.dat
del /a /f /q C:\WINDOWS\system32\tdssservers.dat
del delete.bat
exit
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it delete.bat then save it to your desktop.
Now double-click on the delete.bat on your desktop -- a window will popup and close, this is normal.
Restart the computer, try once again to download Malwarebytes.

Made the delete.bat file - and when I double clicked it - it opened/did its stuff then it deleted itself (?).
Rebooted and computer/internet is much faster than yesterday, though still can't get onto any of the Malwarebytes links provided (tried to cut and paste into a different browser and that still doesn't work also).
Thanks for your help so far.
Next Step?

Tried to see if I could download MalwareBytes from a torrent site though another poster said download it from the manufacturer's site which I was able to get to and directed me to download.com. Ran and here are results:
Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 3
03/10/2008 12:47:24 PM
mbam-log-2008-10-03 (12-47-24).txt
Scan type: Quick Scan
Objects scanned: 44819
Time elapsed: 3 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ (Trojan.Agent) -> Quarantined and deleted successfully.
Ran HiJack as originally instructed:
Log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:49 PM, on 03/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://connect.brucepower.com/Citrix/MetaFrame/auth/login.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr0...
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.servicehonda.com/TSWeb/m...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 6912 bytes
Next step?

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, Ad-Aware, Spybot and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

I think I did this right - Combo Fix log:
XXXXXXXXXXXXXXXXX
ComboFix 08-10-06.05 - Family 2008-10-07 19:32:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.905 [GMT -4:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSserv
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.
2008-10-06 20:56 . 2008-10-06 20:56 <DIR> d----c--- C:\327882R2FWJFW
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-03 12:39 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-03 12:39 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-02 15:51 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 10:23 . 2008-10-02 10:22 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-10-02 09:12 . 2008-10-03 13:04 8,192 --a------ C:\WINDOWS\SYSTEM32\tdssserf1.dll
2008-10-02 09:03 . 2008-10-02 15:42 <DIR> d-------- C:\Documents and Settings\Family\.SunDownloadManager
2008-09-21 15:44 . 2008-09-21 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-14 15:53 . 2008-09-14 15:55 2,833 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-14 15:48 . 2008-09-14 15:48 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-14 15:42 . 2008-09-14 15:42 <DIR> d-------- C:\WINDOWS\EHome
2008-09-12 00:20 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-10-02 19:49 --------- d-----w C:\Program Files\Java
2008-09-30 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-30 20:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 23:58 --------- d-----w C:\Documents and Settings\Family\Application Data\Vso
2008-09-21 19:44 --------- d-----w C:\Program Files\Lavasoft
2008-09-21 19:44 --------- d-----w C:\Documents and Settings\Family\Application Data\Lavasoft
2008-09-21 19:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 01:11 --------- d-----w C:\Documents and Settings\Family\Application Data\BitTorrent
2008-08-26 20:44 --------- d-----w C:\Program Files\Sun
2008-01-08 20:30 47,360 ----a-w C:\Documents and Settings\Family\Application Data\pcouffin.sys
2007-01-17 00:33 87,608 ----a-w C:\Documents and Settings\Family\Application Data\ezpinst.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-07_ 7.52.51.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.exe
+ 2008-10-07 23:36:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_134.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 579584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-02 140696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIV3"= DivXc32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-07 19:01 43008 C:\Program Files\BitTorrent\bittorrent.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:File Sharing : Port 6881
"6882:TCP"= 6882:TCP:File Sharing : Port 6882
"6883:TCP"= 6883:TCP:File Sharing : Port 6883
"6884:TCP"= 6884:TCP:File Sharing : Port 6884
"6885:TCP"= 6885:TCP:File Sharing : Port 6885
"6886:TCP"= 6886:TCP:File Sharing : Port 6886
"6887:TCP"= 6887:TCP:File Sharing : Port 6887
"6889:TCP"= 6889:TCP:File Sharing : Port 6889
"6888:TCP"= 6888:TCP:File Sharing : Port 6888
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-02 152984]
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys [2000-06-20 27734]
.
Contents of the 'Scheduled Tasks' folder
2008-10-07 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://connect.brucepower.com/Citrix/MetaFrame/auth/login.aspx
O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - %~$path:i
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 19:37:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
r Running Proce
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-10-07 19:42:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 23:42:49
ComboFix2.txt 2008-10-07 11:53:21
Pre-Run: 10,206,257,152 bytes free
Post-Run: 10,136,846,336 bytes free
134 --- E O F --- 2008-09-21 01:36:34

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\SYSTEM32\tdssserf1.dll
DirLook::
C:\327882R2FWJFW
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Post a new Combofix log following the previous directions.
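
Whether a targeted removal worked can be checked by comparing the "Files Created" section of the ComboFix log before and after the run. The following is an added example, not part of the thread and not ComboFix's own logic: it parses that section from two runs and reports the fate of every entry worth reviewing. The sample lines are copied from the logs in this thread; the `tdss` name prefix is taken from the file names in delete.bat, the review path from the DirLook:: directive, and the function names are hypothetical.

```python
import ntpath
import re

# "Files Created" lines excerpted from the two ComboFix logs in this thread.
# A pasted line may carry a stray leading "." from the log's separator rows.
RUN_1 = r"""
2008-10-06 20:56 . 2008-10-06 20:56 <DIR> d----c--- C:\327882R2FWJFW
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 12:39 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-02 10:23 . 2008-10-02 10:22 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-10-02 09:12 . 2008-10-03 13:04 8,192 --a------ C:\WINDOWS\SYSTEM32\tdssserf1.dll
"""
RUN_2 = r"""
.2008-10-06 20:56 . 2008-10-06 20:56 <DIR> d----c--- C:\327882R2FWJFW
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 12:39 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-02 10:23 . 2008-10-02 10:22 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
"""

# Two timestamps, then "<DIR>" or a byte count, the attribute string, the path.
ENTRY_RE = re.compile(
    r"^\.?\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(<DIR>|[\d,]+)\s+(\S+)\s+([A-Za-z]:\\.*)$"
)

WATCH_NAME = re.compile(r"^tdss", re.I)   # prefix of the files in delete.bat
REVIEW_PATHS = {r"c:\327882r2fwjfw"}      # folder named under DirLook::


def parse_created(log_text):
    """Map lower-cased path -> entry dict for each 'Files Created' line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, separators and anything unrecognised
        size, attrs, path = m.groups()
        is_dir = size == "<DIR>"
        entries[path.lower()] = {
            "path": path,
            "is_dir": is_dir,
            "size": None if is_dir else int(size.replace(",", "")),
            "attrs": attrs,
        }
    return entries


def needs_review(entry):
    """True for watched file names and for explicitly listed paths."""
    name = ntpath.basename(entry["path"])  # Windows path rules on any OS
    return bool(WATCH_NAME.match(name)) or entry["path"].lower() in REVIEW_PATHS


def compare_runs(before_text, after_text):
    """Return {path: 'removed' | 'still present' | 'new'} for reviewed entries."""
    before, after = parse_created(before_text), parse_created(after_text)
    report = {}
    for key, entry in before.items():
        if needs_review(entry):
            report[entry["path"]] = "still present" if key in after else "removed"
    for key, entry in after.items():
        if key not in before and needs_review(entry):
            report[entry["path"]] = "new"
    return report


if __name__ == "__main__":
    for path, status in compare_runs(RUN_1, RUN_2).items():
        print(f"{status:13} {path}")
```

The section only covers a date window (2008-09-07 to 2008-10-07 in the first log, 2008-09-10 to 2008-10-10 in the second), so an entry older than the second window's start also drops out of the listing without having been deleted.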

new log:
XXXXXXXXXXXXXXXXXXX
ComboFix 08-10-06.05 - Family 2008-10-09 20:17:24.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.871 [GMT -4:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.
2008-10-06 20:56 . 2008-10-06 20:56 <DIR> d----c--- C:\327882R2FWJFW
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-10-03 12:39 . 2008-10-03 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-03 12:39 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-03 12:39 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-02 15:51 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 10:23 . 2008-10-02 10:22 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-10-02 09:03 . 2008-10-02 15:42 <DIR> d-------- C:\Documents and Settings\Family\.SunDownloadManager
2008-09-21 15:44 . 2008-09-21 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-14 15:53 . 2008-09-14 15:55 2,833 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-09-14 15:50 . 2008-09-14 15:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-14 15:48 . 2008-09-14 15:48 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-14 15:42 . 2008-09-14 15:42 <DIR> d-------- C:\WINDOWS\EHome
2008-09-12 00:20 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 13:33 --------- d-----w C:\Documents and Settings\Family\Application Data\BitTorrent
2008-10-09 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-10-02 19:49 --------- d-----w C:\Program Files\Java
2008-09-30 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-30 20:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 23:58 --------- d-----w C:\Documents and Settings\Family\Application Data\Vso
2008-09-21 19:44 --------- d-----w C:\Program Files\Lavasoft
2008-09-21 19:44 --------- d-----w C:\Documents and Settings\Family\Application Data\Lavasoft
2008-09-21 19:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 20:44 --------- d-----w C:\Program Files\Sun
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-01-08 20:30 47,360 ----a-w C:\Documents and Settings\Family\Application Data\pcouffin.sys
2007-01-17 00:33 87,608 ----a-w C:\Documents and Settings\Family\Application Data\ezpinst.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-07_ 7.52.51.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.exe
+ 2008-10-09 20:25:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 579584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-02 140696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIV3"= DivXc32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-07 19:01 43008 C:\Program Files\BitTorrent\bittorrent.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:File Sharing : Port 6881
"6882:TCP"= 6882:TCP:File Sharing : Port 6882
"6883:TCP"= 6883:TCP:File Sharing : Port 6883
"6884:TCP"= 6884:TCP:File Sharing : Port 6884
"6885:TCP"= 6885:TCP:File Sharing : Port 6885
"6886:TCP"= 6886:TCP:File Sharing : Port 6886
"6887:TCP"= 6887:TCP:File Sharing : Port 6887
"6889:TCP"= 6889:TCP:File Sharing : Port 6889
"6888:TCP"= 6888:TCP:File Sharing : Port 6888
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-02 152984]
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys [2000-06-20 27734]
.
Contents of the 'Scheduled Tasks' folder
2008-10-10 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://connect.brucepower.com/Citrix/MetaFrame/auth/login.aspx
O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - %~$path:i
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 20:18:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-09 20:20:48
ComboFix-quarantined-files.txt 2008-10-10 00:20:26
ComboFix2.txt 2008-10-09 23:59:28
ComboFix3.txt 2008-10-07 23:42:54
ComboFix4.txt 2008-10-07 11:53:21
Pre-Run: 9,343,897,600 bytes free
Post-Run: 9,336,115,200 bytes free
135 --- E O F --- 2008-09-21 01:36:34

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.
Now navigate to and delete this folder, but retain it in the recycle bin for a few days; if any problems arise, just restore it from the recycle bin.
C:\327882R2FWJFW
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select everything except recycle bin
Click the Empty Selected button.
Please run ESET's online scanner from this link:
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

log requested as below:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3511 (20081010)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c877d737519f884e9453a1bda8902410
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-10 01:37:21
# local_time=2008-10-10 09:37:21 (-0500, Eastern Daylight Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 3
# scanned=488542
# found=10
# scan_time=3703
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-7ac79348 Java/TrojanDownloader.OpenStream.NAB trojan CEC0DD504B18CCC2D97A22CECE9C96E7
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-7ac79348 »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d multiple infiltrations DC10ED327513AF15710C0686B9CDD429
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »BnnnnBaa.class Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »VaannnaaBaa.class Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »Dnnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »Bnnnnn.class Java/ClassLoader.AS trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »Den.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »Din.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7779c29d »ZIP »Dun.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000

Go to start> control panel> java> general> settings> delete files> ok.
That should get rid of the trojan in your java cache.
Then update java. Go to java in the control panel> click update> update now.
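
Added example (not part of the original thread): a small Python parser for the ESET Online Scanner log format posted above. It groups detections by container file, checks the listed lines against the header's `found=` count, and reports any detection outside the Java deployment cache that the reply tells the user to clear. The sample log is constructed, the function names are hypothetical, and single-space field separation is assumed because that is how the log appears on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ESET Online Scanner log above
# (file names and digests are made up; threat names are those in the thread).
CACHE = r"C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\6.0"
SAMPLE_LOG = "\n".join([
    "# version=4",
    "# found=4",
    CACHE + r"\22\aaaa1111-bbbb2222 Java/TrojanDownloader.OpenStream.NAB trojan " + "A" * 32,
    CACHE + r"\22\aaaa1111-bbbb2222 »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan " + "0" * 32,
    CACHE + r"\32\cccc3333-dddd4444 multiple infiltrations " + "B" * 32,
    CACHE + r"\32\cccc3333-dddd4444 »ZIP »Den.class Java/Exploit.Bytverify trojan " + "0" * 32,
])

# Path, then "multiple infiltrations" or "<Family/Name> <type>", then a 32-hex digest.
# Windows paths use backslashes, so the "/" in the threat name anchors the split.
FINDING = re.compile(
    r"^(?P<path>.+?) (?P<threat>multiple infiltrations|\S+/\S+ \w+) (?P<digest>[0-9A-Fa-f]{32})$")

def parse_eset_log(text):
    """Return (header dict, {container path: [(archive member or None, threat)]})."""
    header, findings = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
        elif (m := FINDING.match(line)):
            # " »" separates the container file from the entries inside it
            container, *inner = m["path"].split(" »")
            member = inner[-1] if inner else None
            findings[container].append((member, m["threat"]))
    return header, dict(findings)

def triage(text, cache_marker=r"\Sun\Java\Deployment\cache" + "\\"):
    """Do the listed lines match 'found=', and is anything outside the Java cache?"""
    header, findings = parse_eset_log(text)
    listed = sum(len(v) for v in findings.values())
    outside = sorted(c for c in findings if cache_marker.lower() not in c.lower())
    return {"count_matches_header": listed == int(header.get("found", -1)),
            "containers": len(findings), "outside_java_cache": outside}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `outside_java_cache` list means every detection sits in cached applet files, which is the case the cache-clearing step addresses; any path listed there needs separate follow-up.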
