

sav.exe and b.exe infection


Name: ricmeyer
Date: September 8, 2008 at 16:30:17 Pacific
OS: xp pro 5.1.2600.xpsp.0804
CPU/Ram: P4 2.4ghz 512 ram
Product: gateway4000
Comment:

i finally did the wrong thing and got these two viruses. i used avg7.5, greatis.com's regrun suite and spybot s&d to get the computer running a little better, but still get all kinds of pop-up about security and disinfection from windows security alert and protection-wizard.com, and attempts to install M$ office from disc 2... i have done a hijackthis scan. i renamed b.exe to bbbb.exe, and no longer find sav.exe except in the recycle bin. any suggestions?




Response Number 1
Name: jabuck
Date: September 9, 2008 at 15:38:20 Pacific
Reply:

Please run these scans and post their logs.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: ricmeyer
Date: September 9, 2008 at 16:59:15 Pacific
Reply:

hello.

since i first wrote (last night) with my problem, i've nearly gotten rid of it on my own. i went to bed with no problems on the computer, but today, after going to a few of the websites you suggested, i started getting another, infrequent, pop-up which looks like the 'windows security alert' boxes, but with some garbled copy in it which is from my isp (tds.net). it says it "cannot find www.antispyware-review.info/a/b4.html?wmid=4663&pwebmid=911cj4&a=:". it has the 'windows security alert' border, and goes away and stays gone until i click an antimalware type link. i have a screenshot if you want it.

here's what i've done to get back to an almost pristine state.

LAST NIGHT
1. AVG 7.5 -- scan and fix
2. Spybot S & D -- scan and fix
3. install and run RegRun from greatis.com. things much better, but different, regrun, pop-ups started.
4. uninstall regrun.

TODAY
5. ran atf cleaner
6. ran drweb cureit
7. ran HJT (log below)
8. ran MBAM (log below and remove selected)
9. restart due to several files unable to be removed.

============================================
============================================
HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 6:47:35 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Documents and Settings\All Users\Application Data\tofkdyzo\zctwvudo.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7E7.tmp.exe
C:\WINDOWS\system32\xmtcdgjw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tvlistings.zap2it.com/tvlist...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7E7.tmp.exe
O4 - HKCU\..\Run: [webmsgcmd] C:\WINDOWS\system32\xmtcdgjw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [infocmd] C:\WINDOWS\system32\wdglkpan.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/pl...
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
===========================================
===========================================
MBAM LOG
Malwarebytes' Anti-Malware 1.27
Database version: 1133
Windows 5.1.2600 Service Pack 3

9/9/2008 7:05:11 PM
mbam-log-2008-09-09 (19-05-04).txt

Scan type: Quick Scan
Objects scanned: 61274
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 48

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.AdMedia) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webmsgcmd (Trojan.FakeAlert.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\infocmd (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\am5xlv2yqt (Trojan.FakeAlert.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\tofkdyzo (Trojan.FakeAlert.H) -> No action taken.
C:\Program Files\WinBudget (Adware.AdMedia) -> No action taken.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> No action taken.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> No action taken.

Files Infected:
C:\WINDOWS\system32\xmtcdgjw.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\system32\wdglkpan.exe (Trojan.FakeAlert.H) -> No action taken.
C:\Documents and Settings\All Users\Application Data\tofkdyzo\zctwvudo.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\WinBudget\bin\matrix.dat (Adware.AdMedia) -> No action taken.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\WINWGPX.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> No action taken.

phew! haven't downloaded this much this fast in a long time! kinda proud i'm following your directions -- and they're written in a very understandable manner.

thanks very much.

my computer is very usable... i await further instructions.

rich m.
corinna, maine


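The HijackThis log in the post above is a good illustration of what an analyst actually scans for in the autostart sections (O2 BHOs, O4 Run keys, O20 Winlogon Notify, O21 SSODL): binaries started from a Temp directory, a double extension such as .tmp.exe, eight-letter consonant-soup names in system32, and a per-user (HKCU) Run entry pointing at a system32 file. Every one of the entries MBAM later flagged fits at least two of those patterns. The script below is an added example, not part of the thread or of HijackThis, that applies those heuristics to the lines quoted in the log. The sample lines are copied from the post; the weights, the threshold of 2 and the name heuristic are my assumptions, chosen so that the dropper names trip it while the legitimate entries in the same log do not.

```python
"""Heuristic triage of HijackThis autostart entries (O2 BHO, O4 Run, O20 Winlogon Notify, O21 SSODL)."""
import re
from typing import Dict, List

# Constructed sample: autostart lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7E7.tmp.exe
O4 - HKCU\..\Run: [webmsgcmd] C:\WINDOWS\system32\xmtcdgjw.exe
O4 - HKCU\..\Run: [infocmd] C:\WINDOWS\system32\wdglkpan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# HijackThis sections that load code at logon or browser start, i.e. persistence points.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O21"}
# A Windows path (drive letter or %VAR%) ending in a loadable module, quoted or not.
PATH_RE = re.compile(r'(?i)((?:[a-z]:|%[a-z]+%)\\.+?\.(?:exe|dll|sys|com|ocx))(?=["\s]|$)')
DOUBLE_EXT_RE = re.compile(r'\.\w{2,4}\.(?:exe|com|scr)$', re.I)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Name heuristic (assumption): five or more consonants in a row and at most one vowel in four.

    Matches the dropper names in the post (xmtcdgjw, wdglkpan) but also some real
    driver files (igfxsrvc), so it is only one signal, never a verdict on its own.
    """
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 and vowel_ratio <= 0.25


def score_entry(section: str, line: str, path: str) -> List[str]:
    """Return the reasons an entry deserves a second look; the weight is the digit in parentheses."""
    reasons = []
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if "\\temp\\" in lower:
        reasons.append("(2) runs from a Temp directory")
    if DOUBLE_EXT_RE.search(name):
        reasons.append("(1) double extension")
    if looks_random(stem):
        reasons.append("(1) random-looking file name")
    if section == "O4" and "hkcu\\" in line.lower() and "\\system32\\" in lower:
        reasons.append("(1) per-user Run entry pointing into system32")
    if section == "O2" and "\\system32\\" in lower:
        reasons.append("(1) browser helper object loaded from system32")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse HijackThis lines and attach a score (sum of weights) to each autostart entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" ", 1)[0]
        if section not in AUTOSTART_SECTIONS:
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        reasons = score_entry(section, line, m.group(1))
        score = sum(int(r[1]) for r in reasons)
        findings.append({"section": section, "path": m.group(1), "score": score, "reasons": reasons})
    return findings


def review_list(log_text: str, threshold: int = 2) -> List[str]:
    """File names whose combined score reaches the threshold, i.e. what to look up first."""
    return sorted(f["path"].rsplit("\\", 1)[-1] for f in triage(log_text) if f["score"] >= threshold)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        flag = "REVIEW" if f["score"] >= 2 else "ok    "
        print(f"{flag} {f['section']:<3} {f['path']}")
        for r in f["reasons"]:
            print(f"           {r}")
```

Run on the sample, the review list is 7E7.tmp.exe, msxml71.dll, wdglkpan.exe and xmtcdgjw.exe, exactly the four autostart files MBAM flagged as Trojan.FakeAlert in the log that follows, while MSASCui.exe, TeaTimer.exe, AcroIEHelper.dll and WPDShServiceObj.dll score 0. The Intel igfxsrvc.dll entry scores 1 on the name heuristic alone, which is why the output is a list of things to look up, not a list of things to delete; the advice in Response 1 not to let HijackThis fix anything on its own is the same point.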

Response Number 3
Name: jabuck
Date: September 9, 2008 at 19:18:28 Pacific
Reply:

Run Malwarebytes again and be sure to follow the directions in step 6 after the scan has run. Then post the new log.



Response Number 4
Name: ricmeyer
Date: September 10, 2008 at 06:58:02 Pacific
Reply:

clean bill of health! Thanks.

i'm gonna do a deep scan for the hell of it. (too much time on my hands 8>) )

rich

MBAM LOG

=========================================
=========================================
Malwarebytes' Anti-Malware 1.27
Database version: 1133
Windows 5.1.2600 Service Pack 3

9/10/2008 9:54:48 AM
mbam-log-2008-09-10 (09-54-48).txt

Scan type: Quick Scan
Objects scanned: 61356
Time elapsed: 10 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Response Number 5
Name: ricmeyer
Date: September 10, 2008 at 07:45:32 Pacific
Reply:

even a cleaner scan! thanks again.

rich m.

MBAM FULL SCAN
==========================================
==========================================

Malwarebytes' Anti-Malware 1.27
Database version: 1133
Windows 5.1.2600 Service Pack 3

9/10/2008 10:42:41 AM
mbam-log-2008-09-10 (10-42-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126783
Time elapsed: 43 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Response Number 6
Name: jabuck
Date: September 10, 2008 at 14:22:51 Pacific
Reply:

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your AVG antivirus, Windows Defender, Spybot and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



Response Number 7
Name: ricmeyer
Date: September 10, 2008 at 18:30:21 Pacific
Reply:

but i thought i was done?



Response Number 8
Name: jabuck
Date: September 10, 2008 at 18:51:24 Pacific
Reply:

Most likely you are still infected. We will need the scans before we could possibly tell.



Response Number 9
Name: ricmeyer
Date: September 10, 2008 at 18:54:33 Pacific
Reply:

i don't have an 'AVG Control Center' because i have the free version.

My windows security center says avg 7.5.524 is up to date and 'virus scanning is on'.

how can i turn it off?



Response Number 10
Name: ricmeyer
Date: September 10, 2008 at 19:10:25 Pacific
Reply:

COMBOFIX LOG

=========================================
=========================================

ComboFix 08-09-10.02 - Administrator 2008-09-10 21:57:37.1 - NTFSx86
Running from: C:\Program Files\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\administrator@myheritage[1].txt
C:\RECYCLER\P1010001.JPG
C:\RECYCLER\P1010006.JPG
C:\RECYCLER\P1010008.JPG
C:\RECYCLER\P1010009.JPG
C:\RECYCLER\P1010012.JPG
C:\RECYCLER\P1010013.JPG
C:\RECYCLER\P1010014.JPG
C:\RECYCLER\P1010015.JPG
C:\RECYCLER\P1010016.JPG
C:\RECYCLER\P1010056.JPG
C:\RECYCLER\Picasa.ini
C:\RECYCLER\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-10 21:37 . 2008-09-10 21:37 2,848,029 -ra------ C:\Program Files\ComboFix.exe
2008-09-09 19:15 . 2008-09-09 19:15 19,600 --a------ C:\cant save002.jpg
2008-09-09 19:15 . 2008-09-09 19:15 19,600 --a------ C:\cant save001.jpg
2008-09-09 19:15 . 2008-09-09 19:15 1,952 --a------ C:\cant save003.jpg
2008-09-09 18:51 . 2008-09-09 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-09 18:51 . 2008-09-08 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 18:50 . 2008-09-09 19:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 18:50 . 2008-09-09 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 18:50 . 2008-09-08 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 18:49 . 2008-09-09 18:49 2,182,640 --a------ C:\Program Files\mbam-setup.exe
2008-09-09 18:45 . 2008-09-09 18:45 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-09-09 09:26 . 2008-09-09 09:26 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-09-09 08:31 . 2008-09-09 08:31 90,112 --a------ C:\WINDOWS\system32\nyzsxalk.exe
2008-09-08 11:03 . 2008-09-08 11:03 <DIR> d-------- C:\Play Mahjong Forever
2008-09-08 08:43 . 2008-09-08 08:43 77,824 --a------ C:\WINDOWS\system32\mvapofsj.exe
2008-09-08 08:34 . 2008-09-08 08:34 <DIR> d-------- C:\WINDOWS\RestoreSafeDeleted
2008-09-08 08:31 . 2008-09-09 11:44 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-09-08 08:26 . 2008-09-08 08:26 <DIR> d-------- C:\Program Files\Greatis
2008-09-08 08:25 . 2008-07-18 15:03 6,904,537 --a------ C:\Program Files\regruns580.exe
2008-09-07 19:07 . 2008-09-07 19:07 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-07 18:01 . 2008-09-07 18:01 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-09-07 18:00 . 2008-09-04 13:46 6,594,560 --a------ C:\reanimator.exe
2008-09-07 18:00 . 2008-09-04 11:00 6,581,271 --a------ C:\database.rdb
2008-09-07 18:00 . 2005-09-13 16:21 91 --a------ C:\reanimator.bat
2008-09-05 09:18 . 2008-09-05 09:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-09-05 09:17 . 2008-09-05 09:17 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-05 09:14 . 2008-09-05 09:15 9,501,920 --a------ C:\Program Files\vlc-0.8.6i-win32.exe
2008-09-05 09:06 . 2008-09-05 09:06 1,471,960 --a------ C:\Program Files\MediaFixer.exe
2008-09-01 08:35 . 2008-09-01 08:36 <DIR> d-------- C:\Program Files\HP
2008-08-23 12:24 . 2008-08-23 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-08-23 12:23 . 2008-08-23 12:23 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-08-21 16:51 . 2008-08-21 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-21 16:51 . 2008-08-22 22:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-08-20 22:33 . 2008-08-20 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-20 22:31 . 2008-08-20 22:32 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-20 22:27 . 2008-08-20 22:30 449,888 --a------ C:\Program Files\msgr8us.exe
2008-08-20 22:13 . 2008-08-20 22:46 <DIR> d-------- C:\Program Files\Trillian
2008-08-20 22:12 . 2008-08-20 22:12 9,064,104 --a------ C:\Program Files\trillian-v3.1.10.0.exe
2008-08-16 00:02 . 2008-08-16 00:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-08-13 10:15 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 10:15 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 22:46 8,962 ----a-w C:\Program Files\hijackthis.log
2008-09-09 13:42 14,848 --sha-w C:\Program Files\Thumbs.db
2008-09-09 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-08 16:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-09-08 03:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 03:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-05 11:12 --------- d-----w C:\Program Files\BitComet
2008-09-04 21:12 --------- d-----w C:\Program Files\DivX
2008-09-04 14:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-08-21 11:49 --------- d-----w C:\Program Files\Opera
2008-08-21 11:45 --------- d-----w C:\Program Files\McAfee
2008-08-03 17:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-02 15:20 --------- d-----w C:\Program Files\Winamp
2008-08-02 14:40 166,144 ----a-w C:\Program Files\DECCHECKSetup.exe
2008-07-31 02:45 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SACore
2008-07-30 21:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-30 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-17 13:22 --------- d-----w C:\Program Files\Windows Defender
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 04:25 4,960,184 ----a-w C:\Program Files\vso_image_resizer2_setup.exe
2008-06-11 00:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-06-05 15:09 1,495,112 ----a-w C:\Program Files\install_flash_player.exe
2008-05-14 03:37 21,898,288 ----a-w C:\Program Files\setupwwt.exe
2008-03-14 16:26 6,029,648 ----a-w C:\Program Files\Firefox Setup 2.0.0.12.exe
2008-03-09 21:21 5,174,440 ----a-w C:\Program Files\SFTPMSI.exe
2008-03-03 02:24 8,317,891 ----a-w C:\Program Files\pfs-setup-en.exe
2008-02-28 19:46 54,682,112 ----a-w C:\Program Files\ArtCAMInsigniaDemo.exe
2008-02-19 20:37 13,413,048 ----a-w C:\Program Files\Google_Earth_BZXV.exe
2008-02-16 16:30 1,171,800 ----a-w C:\Program Files\dlsetup.exe
2008-02-10 23:09 4,922,104 ----a-w C:\Program Files\Opera_9.25_Eng_Setup.exe
2008-01-02 15:03 479,152 ----a-w C:\Program Files\install - Howies Screen Capture.exe
2007-12-29 22:17 720,280 ----a-w C:\Program Files\goodsync-lock2.exe
2007-12-05 00:39 35,378,168 ----a-w C:\Program Files\Avery_Wizard_Holiday.exe
2007-11-12 19:23 109,737 ----a-w C:\Program Files\Abs4650.jpg
2007-11-11 23:11 54,326,568 ----a-w C:\Program Files\iTunes75Setup.exe
2007-11-11 22:53 21,321,008 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-10-24 04:33 287,592 ----a-w C:\Documents and Settings\Administrator\Application Data\dxwebsetup.exe
2007-10-14 21:46 2,162,688 ----a-w C:\Program Files\Retarget.exe
2007-10-14 21:46 12,848 ----a-w C:\Program Files\retarget.htb
2007-10-14 21:46 1,245,184 ----a-w C:\Program Files\Retarget_upd_0.67.exe
2007-09-07 14:41 1,145,064 ----a-w C:\Program Files\ptcount2-setup.exe
2007-09-07 05:33 265 ----a-w C:\Program Files\ResHacker.ini
2007-09-07 05:22 554,899 ----a-w C:\Program Files\ResHack.zip
2007-09-07 00:22 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-09-07 00:04 7,467,056 ----a-w C:\Program Files\spybotsd15.exe
2007-08-29 05:14 147,451 ----a-w C:\Program Files\palm.jpg
2006-12-02 10:23 1,869 ----a-w C:\Program Files\Microsoft.VC80.CRT.manifest
2006-12-02 04:46 65,536 ----a-w C:\Program Files\vcomp.dll
2006-12-02 04:46 468 ----a-w C:\Program Files\Microsoft.VC80.OpenMP.manifest
2006-12-02 02:54 479,232 ----a-w C:\Program Files\msvcm80.dll
2005-10-21 03:31 540,672 ----a-w C:\Program Files\msvcp80.dll
2005-09-23 12:29 626,688 ----a-w C:\Program Files\msvcr80.dll
2002-03-25 06:45 467,640 ----a-w C:\Program Files\ResHacker.hlp
2002-03-25 06:44 4,910 ----a-w C:\Program Files\ReadMe.txt
2002-03-25 06:42 15,850 ----a-w C:\Program Files\Version_History.txt
2002-03-25 03:23 881,664 ----a-w C:\Program Files\ResHacker.exe
2002-01-27 05:46 14,781 ----a-w C:\Program Files\Dialogs.def
2001-01-28 05:37 267 ----a-w C:\Program Files\ResHacker.cnt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 10:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 02:16:38 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 579,072 2007-12-21 14:21:00 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe

----a-w 267,048 2007-11-03 02:36:42 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 286,720 2007-10-20 04:16:26 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 1,460,560 2007-08-31 23:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
------w 1,832,272 2008-08-18 22:41:00 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 114,688 2006-08-21 22:02:15 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2006-08-21 22:02:22 C:\WINDOWS\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [X]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-03-31 16384]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 35328]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-10-29 573440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Alien Arena 2008\\crx.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7614:TCP"= 7614:TCP:BitComet 7614 TCP
"7614:UDP"= 7614:UDP:BitComet 7614 UDP

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-08-18 211232]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [ ]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-09-09 25773]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{433a0a10-6174-11dc-801f-0007e97d0f0c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - NMSCFG
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pw4hwtjj.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 22:03:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-10 22:06:43
ComboFix-quarantined-files.txt 2008-09-11 02:05:41

Pre-Run: 58,245,746,688 bytes free
Post-Run: 58,906,087,424 bytes free

224 --- E O F --- 2008-09-03 05:04:27


0
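A small triage helper for the "Reg Loading Points" section of the ComboFix log above, added here as an example and not code from the forum or from ComboFix: it parses that section and flags the entries a responder looks at first (an autostart whose file is already gone, entries left under the disabled "run-" key, the firewall profile switched off, and the removable-media AutoRun command). The function names are chosen for this example and the sample text is an excerpt constructed from the log lines posted in the thread.

```python
import re

# Constructed sample: lines copied from the "Reg Loading Points" section of the
# ComboFix log posted in this thread, trimmed to the entries triaged below.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [X]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{433a0a10-6174-11dc-801f-0007e97d0f0c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=data value line


def parse_loading_points(text):
    """Yield (key, name, data) per value line, attributed to the most recent
    [key] header; mountpoints2 lines use 'path - command' instead of "name"=data."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key is None:
            continue
        elif (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)
        elif line.startswith("\\Shell\\AutoRun\\command - "):
            yield key, "AutoRun", line.split(" - ", 1)[1]


def triage(text):
    """Flag missing-file autostarts, disabled (run-) entries, a disabled firewall profile and AutoRun commands."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k = key.lower()
        if k.endswith("\\run") and data.endswith("[X]"):
            findings.append(f"autostart with missing file: {name} ({data})")
        elif k.endswith("\\run-"):
            findings.append(f"disabled autostart, review before re-enabling: {name}")
        elif "firewallpolicy" in k and name == "EnableFirewall" and data.startswith("0"):
            findings.append("Windows Firewall disabled in the standard profile")
        elif "mountpoints2" in k and name == "AutoRun":
            findings.append(f"removable-media AutoRun command: {data}")
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four findings for the excerpt; feed it the full section of a log to triage a real scan.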

Response Number 11
Name: ricmeyer
Date: September 19, 2008 at 15:14:17 Pacific
Reply:

How'd I do?


0

Response Number 12
Name: Canoro
Date: September 28, 2008 at 16:18:17 Pacific
Reply:

I eliminated this virus in Windows Vista with these steps:

I went to the start menu and went to "Run..."

Then I typed "regedit" in the Run window and pressed Enter.

Once inside the regedit window, I went to the folder called: HKEY_LOCAL_MACHINE

Once there, I went to the subfolder called: SOFTWARE

Under that folder, I went to the folder called: Microsoft

Under that folder I went to the folder called: Windows

Under that folder I went to the folder called: CurrentVersion

And under that folder, I went to the folder called: Run
(some programs get into this folder to run when Windows starts)

Then I erased the thing called: Antivirus
(because I discovered that the virus used that name to disguise itself, so you won't delete it.)

I deleted it by right clicking on it; a menu came out, and I chose the option: Delete

And then I closed the regedit program.

I went again to the start menu and clicked the "Run..." option again.

This time, when the Run window came out, I wrote "msconfig" and hit Enter.

A window appeared that had a tab called: Startup

There I saw a list of applications (those usually are the ones that start when you start Windows) and I unchecked the one that had this name: Antivirus
(one curious thing is that for this supposed antivirus, under the column "Manufacturer" it said "Unknown"; every application identifies itself, except this one. Suspicious, huh?)

Well, I unchecked the box at the left of this supposed antivirus.

I restarted my computer.

After that, everything went faster, but I noticed that after going to the "msconfig" window through the start menu and the option "Run...", the antivirus got itself checked again, ready to strike again when I do my next restart.

I went to the start menu, and went to Control Panel to see if I could uninstall it, and went to the "Programs and Features" icon; that's where I usually uninstall everything I want to uninstall. But there was no uninstaller for the sav.exe virus.

But I also noticed an icon in Control Panel called System Antivirus 2008 with an ugly icon. Usually Control Panel icons are more detailed. Microsoft wouldn't put an ugly icon in there.

OK, so the options we see in Control Panel usually are little programs that end in: .cpl
so that System Antivirus 2008 option should end in .cpl as well.

So I went to the start menu and went to the option: Search

And I specified in my search everything that ended in .cpl, by writing in the search box: *.cpl
(the * is like a wildcard, it means everything)

I found sav.cpl

I decided to open it by right clicking on it, and it showed me a menu.

From that menu, instead of choosing the first option, which is to run it with Control Panel, I chose from the menu the option: Open With

From there, I decided to open it with the program called WordPad
to see what it had inside.

The program "WordPad" was located on my hard drive (drive C) under the folder named "Windows" and under the folder named "System32",
like this: "C:\Windows\System32"

and the name of the program was: write.exe

I finally opened the program "sav.cpl" and I saw a bunch of stuff I didn't understand.

So I went to the menu called: Edit

Then I went to the option in that Edit menu called: Select All
and it seems all those things got selected; that text changed color.

I pressed the key: Del
on my keyboard.
That erased all those things I couldn't understand in there.

Then I went to the menu "File"
and chose the option "Save".
(Oops, I just killed the virus.)

I closed the WordPad program.

To make sure it didn't start again when I rebooted, I checked by going to the start menu and choosing the option "Run..."

I wrote "msconfig" in the window and pressed Enter.

The "Run" window appeared again; I was curious if the program was going to install itself again when I start my computer some other time.

So I went to the Startup tab, and saw that that suspicious program was not selected to start when Windows starts, because the little square at its left was unchecked.
It's the best thing you can have, that square on the left of the supposed "Antivirus" unchecked.

So I restarted my computer.

And the virus disappeared.

My computer doesn't have that virus anymore.

I guess the program sav.cpl was the activator of the virus. Once you kill what's inside of it, it doesn't work anymore.

Well, that's what I found. Hope it will help some of you, or all of you :)

Be happy :)


0

Response Number 13
Name: ricmeyer
Date: September 28, 2008 at 17:12:58 Pacific
Reply:

Other than letting some of these programs screw around with the registry, I stay out of it. After I was done with this treatment, everything was great! I'm happy as a bug in a rug!

rich


0

Response Number 14
Name: Hiffny
Date: October 2, 2008 at 08:26:35 Pacific
Reply:

I got infected by Sav.exe after believing a fake link. I didn't know how to solve this problem. I searched around and finally I found a way to clear my PC of that infection. What I did was download the free software from http://www.superantispyware.com/ and run a scan on my PC. Just download the free software. It can be used as a removal tool too. Thanks to that software's developer. My problem was solved without needing to reinstall my operating system. Cheers.


0

Response Number 15
Name: ricmeyer
Date: October 2, 2008 at 18:11:28 Pacific
Reply:

Thank you Hiffny...

My problem is all cleared up. I followed the instructions given to me by jabuck here on computing.net and it worked perfectly.

These guys are great.

rich


0
