Terrible virus 36 days and counting

Computing.Net > Forums > Security and Virus > Terrible virus 36 days and counting

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Terrible virus 36 days and counting

Name: Cowboys0814
Date: October 26, 2008 at 14:41:26 Pacific
OS: Windows XP
CPU/Ram: 2.4 ghz pentium and 768 m

Comment:

I received this google virus that redirects me to wrong websites when i click on the links. It slows my computer down, as well as not letting me use most tech support sites. Luckily I found this site, please help me out asap thank you!

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: October 26, 2008 at 14:55:38 Pacific

Reply:

Please download HostsXpert from the following link:
HostsXpert
Extract the HostsXpert.zip by doing the following:Right-click HostsXpert.zip and select extract all – Follow the wizard and extract it to your DesktopClick Finish. Double-click the HostsXpert folder and then double-click HostsXpert.exe. Click “ Restore MS Hosts File” and press OK.Exit the program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
Please download Malwarebytes' Anti-Malware from one of these sites:
MalwareBytes1
MalwareBytes2
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Response Number 2

Name: Cowboys0814
Date: October 26, 2008 at 14:59:49 Pacific

Reply:

Okay, I got hostsxpert and ran the program, but this virus is blocking me from downloading sdfix.exe. I have however downloaded malbytes and hijack this. What should I do?

Response Number 3

Name: Cowboys0814
Date: October 26, 2008 at 15:18:46 Pacific

Reply:

also, when i run mbam-setup, i click run and nothing happens

Response Number 4

Name: Cowboys0814
Date: October 26, 2008 at 15:21:02 Pacific

Reply:

i got mbam to work

Response Number 5

Name: jabuck
Date: October 26, 2008 at 15:21:20 Pacific

Reply:

Run them and post their logs please.

linksys wusb11 ver 2.6 driver google virus google virus	virus moving cursor and clicks windows activation days and counting virus disables keyboard and mouse
See More

Response Number 6

Name: Cowboys0814
Date: October 26, 2008 at 16:06:31 Pacific

Reply:

After running the Malwarebytes I received this log.
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
10/26/2008 5:27:47 PM
mbam-log-2008-10-26 (17-27-47).txt
Scan type: Quick Scan
Objects scanned: 46570
Time elapsed: 4 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{05c08379-f723-4d23-ac60-69a07a43d107} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0e17a61-7aca-45e6-ac82-cc955b04805c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31de3194-c748-48bb-b620-2d0156b5e1ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b4069f9d-db70-4166-8fb8-feb68e884876} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssadw.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSl.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf1.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.
After running this it then allowed me to download SDFix.exe
I ran SDFix in safe mode and it ran then went to a black screen and never prompted me to restart, so i manually restarted and then ran hijack this
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Cody\Desktop\Unused\games\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5650 bytes

Response Number 7

Name: jabuck
Date: October 26, 2008 at 16:36:03 Pacific

Reply:

Go to start> control panel>add/remove programs and uninstall "Viewpoint".
Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 10 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline turn off your Trend Micro antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Response Number 8

Name: Cowboys0814
Date: October 26, 2008 at 17:35:33 Pacific

Reply:

ComboFix 08-10-25.01 - Cody 2008-10-26 19:20:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.431 [GMT -5:00]
Running from: C:\Documents and Settings\Cody\Desktop\ComboFix.exe
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\windows_update.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.
2008-10-26 19:13 . 2008-10-26 19:13 <DIR> d-------- C:\Program Files\Java
2008-10-26 19:13 . 2008-10-26 19:13 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-26 19:13 . 2008-10-26 19:13 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-26 17:43 . 2008-10-26 17:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-26 17:39 . 2008-10-26 17:39 <DIR> d-------- C:\Documents and Settings\Administrator.SEESPAW
2008-10-26 17:29 . 2008-10-26 17:29 61,440 --a------ C:\WINDOWS\system32\drivers\jtfu.sys
2008-10-26 17:21 . 2008-10-26 17:21 <DIR> d-------- C:\Documents and Settings\Cody\Application Data\Malwarebytes
2008-10-26 17:21 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 17:21 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-26 17:20 . 2008-10-26 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 17:20 . 2008-10-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-26 16:06 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-26 16:06 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-26 16:06 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-10-26 16:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-26 16:06 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-15 13:16 . 2008-10-15 13:16 29,552 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-10-14 23:20 . 2008-10-14 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Blizzard
2008-10-14 19:29 . 2008-10-14 19:29 <DIR> d-------- C:\Program Files\Safari
2008-10-14 19:29 . 2008-10-14 19:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-14 19:29 . 2008-10-14 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-10-04 14:53 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-04 14:53 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-10-04 14:53 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-10-04 14:52 . 2008-10-04 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-10-04 14:37 . 2008-10-04 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-04 14:24 . 2008-10-04 14:24 <DIR> d-------- C:\!KillBox
2008-10-04 14:09 . 2008-10-26 16:10 <DIR> d-------- C:\fixwareout
2008-10-03 16:37 . 2008-10-03 17:02 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-03 16:34 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-02 18:07 . 2008-10-09 17:37 810 --a------ C:\WINDOWS\system32\CTHELPER.RPT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 00:02 --------- d-----w C:\Program Files\Viewpoint
2008-10-27 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-26 22:13 --------- d-----w C:\Program Files\Trend Micro
2008-10-26 21:14 2,098 ----a-w C:\WINDOWS\system32\tmp.reg
2008-10-21 17:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-21 17:25 --------- d-----w C:\Program Files\Norton Security Scan
2008-10-21 01:35 --------- d-----w C:\Program Files\World of Warcraft
2008-10-15 10:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-15 00:30 --------- d-----w C:\Documents and Settings\Cody\Application Data\Apple Computer
2008-10-04 18:46 --------- d-----w C:\Documents and Settings\Cody\Application Data\skypePM
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-10 17:22 --------- d-----w C:\Program Files\PartyGaming
2008-09-10 17:21 --------- d-----w C:\Program Files\PokerStars
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2007-03-07 02:28 1,568 -c--a-w C:\Documents and Settings\Cody\Application Data\mpauth.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 67160]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="C:\WINDOWS\UpdReg.exe" [2000-05-11 90112]
"LtcyCfgApply"="C:\Documents and Settings\Cody\Desktop\Unused\games\LtcyCfg2-[guru3d]\LtcyCfg.exe" [2005-01-24 22:04 265216]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 7561216]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 86016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-29 185632]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 1398024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-26 136600]
"CTHelper"="CTHELPER.EXE" [2003-10-06 C:\WINDOWS\system32\CTHELPER.EXE]
"nwiz"="nwiz.exe" [2006-03-09 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-05-13 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Safari\\Safari.exe"=
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-26 152984]
R2 PfDetNT;PfDetNT;C:\WINDOWS\System32\drivers\PfModNT.sys [2003-03-05 15840]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-19 72576]
.
Contents of the 'Scheduled Tasks' folder
2008-10-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-10-24 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-19 00:42]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Cody\Application Data\Mozilla\Firefox\Profiles\eyysc7s5.tae\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 19:27:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
r Running Proce
.
C:\WINDOWS\system32\CTSVCCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-26 19:32:55 - machine was rebooted [Cody]
ComboFix-quarantined-files.txt 2008-10-27 00:32:51
Pre-Run: 38,626,508,800 bytes free
Post-Run: 38,629,343,232 bytes free
158 --- E O F --- 2008-10-24 06:50:42

Response Number 9

Name: jabuck
Date: October 26, 2008 at 17:48:19 Pacific

Reply:

Its looking better.
Please go to Virus Total and upload the following file (one at the time) for analysis:
C:\WINDOWS\system32\drivers\jtfu.sys
C:\WINDOWS\system32\mlfcache.dat
Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".
Post the results in your reply.

Response Number 10

Name: Cowboys0814
Date: October 26, 2008 at 18:02:14 Pacific

Reply:

File jtfu.sys received on 10.27.2008 01:57:31 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 9/36 (25%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.10.24.3 2008.10.27 Win-Trojan/Avenger.61440
AntiVir 7.9.0.9 2008.10.27 -
Authentium 5.1.0.4 2008.10.26 -
Avast 4.8.1248.0 2008.10.27 -
AVG 8.0.0.161 2008.10.27 -
BitDefender 7.2 2008.10.27 -
CAT-QuickHeal 9.50 2008.10.25 Hoax.Agent.fz (Not a Virus)
ClamAV 0.93.1 2008.10.26 -
DrWeb 4.44.0.09170 2008.10.26 -
eSafe 7.0.17.0 2008.10.26 Hoax.Win32.Agent.fu
eTrust-Vet 31.6.6168 2008.10.25 -
Ewido 4.0 2008.10.26 -
F-Prot 4.4.4.56 2008.10.26 -
F-Secure 8.0.14332.0 2008.10.27 -
Fortinet 3.113.0.0 2008.10.26 PossibleThreat
GData 19 2008.10.27 -
Ikarus T3.1.1.44.0 2008.10.26 -
K7AntiVirus 7.10.508 2008.10.26 Trojan.Win32.Malware.2
Kaspersky 7.0.0.125 2008.10.27 -
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 -
NOD32 3557 2008.10.26 -
Norman 5.80.02 2008.10.24 W32/Agent.HHSF
Panda 9.0.0.4 2008.10.26 Trj/Downloader.MDW
PCTools 4.4.2.0 2008.10.26 -
Prevx1 V2 2008.10.27 Malicious Software
Rising 21.00.62.00 2008.10.26 -
SecureWeb-Gateway 6.7.6 2008.10.27 -
Sophos 4.35.0 2008.10.26 -
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.27 -
TheHacker 6.3.1.1.130 2008.10.27 -
TrendMicro 8.700.0.1004 2008.10.24 -
VBA32 3.12.8.8 2008.10.25 -
ViRobot 2008.10.24.1436 2008.10.24 Hoax..Agent.61440
VirusBuster 4.5.11.0 2008.10.26 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
TrID..: File type identification
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c
( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramt...
ThreatExpert info: http://www.threatexpert.com/report....
C:\WINDOWS\system32\mlfcache.dat was not in the folder. I ran a search for it and it could not find the file on my computer.

Response Number 11

Name: jabuck
Date: October 26, 2008 at 18:29:18 Pacific

Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\drivers\jtfu.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.
Then search at VirusTotal for C:\WINDOWS\system32\mlfcache.dat again please.

Response Number 12

Name: Cowboys0814
Date: October 26, 2008 at 18:59:26 Pacific

Reply:

mlfcache log from virustotal
File mlfcache.dat received on 10.27.2008 02:55:46 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/36 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.10.24.3 2008.10.27 -
AntiVir 7.9.0.9 2008.10.27 -
Authentium 5.1.0.4 2008.10.26 -
Avast 4.8.1248.0 2008.10.27 -
AVG 8.0.0.161 2008.10.27 -
BitDefender 7.2 2008.10.27 -
CAT-QuickHeal 9.50 2008.10.25 -
ClamAV 0.93.1 2008.10.26 -
DrWeb 4.44.0.09170 2008.10.26 -
eSafe 7.0.17.0 2008.10.26 -
eTrust-Vet 31.6.6168 2008.10.25 -
Ewido 4.0 2008.10.26 -
F-Prot 4.4.4.56 2008.10.26 -
F-Secure 8.0.14332.0 2008.10.27 -
Fortinet 3.113.0.0 2008.10.26 -
GData 19 2008.10.27 -
Ikarus T3.1.1.44.0 2008.10.27 -
K7AntiVirus 7.10.508 2008.10.26 -
Kaspersky 7.0.0.125 2008.10.27 -
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 -
NOD32 3557 2008.10.26 -
Norman 5.80.02 2008.10.24 -
Panda 9.0.0.4 2008.10.26 -
PCTools 4.4.2.0 2008.10.26 -
Prevx1 V2 2008.10.27 -
Rising 21.00.62.00 2008.10.26 -
SecureWeb-Gateway 6.7.6 2008.10.27 -
Sophos 4.35.0 2008.10.26 -
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.27 -
TheHacker 6.3.1.1.130 2008.10.27 -
TrendMicro 8.700.0.1004 2008.10.24 -
VBA32 3.12.8.8 2008.10.25 -
ViRobot 2008.10.24.1436 2008.10.24 -
VirusBuster 4.5.11.0 2008.10.26 -
Additional information
File size: 29552 bytes
MD5...: 558b3bedd62b929136c5e829250f17a0
SHA1..: 97877032b9145f589910956521dbfd97ed9bb130
SHA256: 53d71e238aaccf67ab37ee25c0eabf66924f031cddc8040ee28d6761ec17bffc
SHA512: 5202ce6f37275b611dc91eee15f43d3e80d72b7cd53373ee952452e3c466050a
bd709220ac4443a808a41a8abccbd317ef96056c385e8f16ec48a5b134d50ed6
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

Response Number 13

Name: jabuck
Date: October 26, 2008 at 19:05:45 Pacific

Reply:

Very good, now for some cleanup and a double check.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run Esets online scanner from this link:
ESET
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( Iwant to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

Response Number 14

Name: Cowboys0814
Date: October 26, 2008 at 20:41:06 Pacific

Reply:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3557 (20081026)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=7d9965cccd926e4da9f725ec3fd6a196
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-27 03:23:13
# local_time=2008-10-26 10:23:13 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=234525
# found=2
# scan_time=4136
C:\Documents and Settings\Cody\Desktop\Unused\programs\Azureus_2.3.0.4_Win32.setup.exe a variant of Win32/Adware.Webdir application A980E1AB79D6D2E7A561F605524D7AB6
C:\Documents and Settings\Cody\Desktop\Unused\programs\Azureus_2.3.0.4_Win32.setup.exe »NSIS »pxwma.dll a variant of Win32/Adware.Webdir application 00000000000000000000000000000000

Response Number 15

Name: jabuck
Date: October 27, 2008 at 03:35:59 Pacific

Reply:

Navigate to ans delete this file if found:
C:\Documents and Settings\Cody\Desktop\Unused\programs\Azureus_2.3.0.4_Win32.setup.exe
You computer appears to be clean

Empty the recycle bin.
Go to start> run> combofix /u (mote the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.
Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Eset
You should keep AFT Cleaner and run it weekly.
Make sure your Trend Micro realtime scanner (it should have started with the antivirus).
You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster
Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?

Response Number 16

Name: Cowboys0814
Date: October 27, 2008 at 10:16:22 Pacific

Reply:

My computer is running great! I cannot thank you enough for the help you have given me. I hope you're getting payed.

Response Number 17

Name: jabuck
Date: October 27, 2008 at 18:29:07 Pacific

Reply:

Glad we could help.

Sponsored Link

Ads by Google

Really Bad Virus

XPAntivirus 20009

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: Terrible virus 36 days and counting

VERY bad virus problem...

Summary

www.computing.net/answers/security/very-bad-virus-problem/22951.html

Search Engine Pop-Up Virus

Summary

www.computing.net/answers/security/search-engine-popup-virus/24084.html

Virus- sound system and internet

Summary

www.computing.net/answers/security/virus-sound-system-and-internet-/25105.html

From the Geek Dictionary
database - The place where software and web services store huge amounts of data. Think...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 4 Days.
Discuss in The Lounge
Poll History

Recent Posts
Artifacts in all games

my sd memory card not formatting

Support windows 7

Windows Media Player

RH6.1 - Fine in VPC 5 Mac but not 2007

All Awaiting Reply

Tom's News
Man Arrested for Refusing to Tweet at Crowd

Woman Tracks Down Club Attacker on Facebook

Geolocation Functions Come to Twitter

New Craigslist Trend: Trade Sex for Rent?

Leaked: File Sharing in UK Could Bring Jail Time

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE