Virus in my computer

Self made / NONE
February 6, 2009 at 22:49:29
Specs: Windows XP, 1gb
I've got a virus on my computer. It's Windows XP and I have AVG. I think the virus may be a trojan dialer virus, but I'm not sure. My computer has random popups from "www.anykuy.com" and keeps giving me false warnings from something on my toolbar at the bottom of the screen. I am unable to go into My Computer and restore it to a previous date, and I am unable to go into Drive C:\ to locate what was downloaded. Any searches on my computer make it freeze and force me to restart. If anyone can give me a hand I would appreciate it greatly. Please contact me at bountyhunter31@msn.com



#1
February 7, 2009 at 09:18:09
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
February 7, 2009 at 23:54:10
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

08/02/2009 1:42:16 AM
mbam-log-2009-02-08 (01-42-16).txt

Scan type: Quick Scan
Objects scanned: 64148
Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 6
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.Siggen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5005e229-cd42-4ec9-9006-072a8dfd4ab4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5005e229-cd42-4ec9-9006-072a8dfd4ab4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5005e229-cd42-4ec9-9006-072a8dfd4ab4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090206164631921.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Devon Boege\Local Settings\Temp\perce.jpg.exe (Trojan.FakeAlert) -> Delete on reboot.


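The log above is the thing a responder actually reads before declaring the machine clean, and it carries three facts worth pulling out automatically: two items are only "Delete on reboot" (so the box is not clean until it restarts), the Trojan.DNSChanger entries show which resolvers were pushed into the TCP/IP NameServer values, and the summary counts at the top should agree with the detail sections. As an added example (not code from the thread, from Malwarebytes, or from any poster), here is a small Python triage script for MBAM 1.x logs in that format. The embedded sample is a constructed excerpt modelled on the log above with the account name replaced, and the trusted-resolver set is an assumption standing in for the ISP's or router's real DNS servers.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log (added example).

Parses the 2009-era MBAM layout (a count block, then one section per
category with a header ending in ':' and one detection per line) and
answers the questions asked before calling a machine clean:
  * which items still need a reboot to be removed,
  * which DNS resolvers a DNSChanger wrote into NameServer values,
  * whether files hide an .exe behind a document/image extension,
  * whether the summary counts match the detail sections.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed excerpt modelled on the thread's log; account name replaced.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 64148

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.Siggen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5005e229-cd42-4ec9-9006-072a8dfd4ab4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temp\perce.jpg.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Assumption: the resolvers this network is supposed to use (router / ISP).
TRUSTED_RESOLVERS = {"192.168.1.1"}

# "Files Infected: 4" is a summary line; "Files Infected:" opens a section.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"   # path or key, then the threat family
    r"(?: -> Data: (?P<data>.+?))?"            # present only for Registry Data Items
    r" -> (?P<action>[^>]+?)\.?$"              # what MBAM did about it
)


def parse_mbam_log(text):
    """Return (summary_counts, detections); detections maps section -> list of dicts."""
    summary, detections, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            if h.group("count") is not None:
                summary[h.group("section")] = int(h.group("count"))
            else:
                section = h.group("section")
                detections.setdefault(section, [])  # keep empty sections visible
            continue
        if section is None:
            continue  # banner lines before the first section
        d = DETECTION_RE.match(line)
        if d:
            detections[section].append(d.groupdict())
    return summary, dict(detections)


def pending_reboot(detections):
    """Items MBAM could not remove while Windows was running (not clean until reboot)."""
    return sorted({d["item"] for items in detections.values() for d in items
                   if d["action"].lower().startswith("delete on reboot")})


def rogue_nameservers(detections, trusted=TRUSTED_RESOLVERS):
    """Resolver addresses found in NameServer values that are not on the trusted list."""
    found = set()
    for d in detections.get("Registry Data Items Infected", []):
        if d["item"].upper().endswith("\\NAMESERVER") and d["data"]:
            for addr in (a.strip() for a in d["data"].split(",")):
                try:
                    ip_address(addr)
                except ValueError:
                    continue  # not an IP literal; ignore
                if addr not in trusted:
                    found.add(addr)
    return sorted(found)


def disguised_executables(detections):
    """Files carrying a document/image extension in front of .exe (e.g. perce.jpg.exe)."""
    return [d["item"] for d in detections.get("Files Infected", [])
            if re.search(r"\.(jpg|jpeg|gif|png|pdf|doc|txt)\.exe$",
                         d["item"].rsplit("\\", 1)[-1].lower())]


def summary_mismatches(summary, detections):
    """Sections whose header count disagrees with the number of detail lines."""
    return {s: (summary[s], len(detections.get(s, []))) for s in summary
            if summary[s] != len(detections.get(s, []))}


if __name__ == "__main__":
    summary, det = parse_mbam_log(SAMPLE_LOG)
    print("needs reboot:", pending_reboot(det))
    print("rogue resolvers:", rogue_nameservers(det))
    print("disguised exes:", disguised_executables(det))
    print("count mismatches:", summary_mismatches(summary, det))
```

The reboot check is the one that matters for this thread: msxml71.dll and perce.jpg.exe were still scheduled for deletion when the log was written, which is why the next step in the thread is a restart and a second tool, not a declaration of victory. The resolver check is worth keeping even after cleanup, because a DNSChanger that has already redirected lookups can quietly survive a reinstall of the browser.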

#3
February 7, 2009 at 23:55:43
Everything's running great now. Thanks a lot for the help.


#4
February 8, 2009 at 00:04:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:52 AM, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Devon Boege\My Documents\HJTInstall.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Documents and Settings\Devon Boege\Application Data\IMVUClient\IMVUClient.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Devon Boege\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JS...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9955 bytes



#5
February 8, 2009 at 00:05:40
And this is the log of HijackThis. Really, everything's fixed now. The only thing that's still happening is the freezes.
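Reading a HijackThis log by hand means scanning the O2 and O4 lines for entries that do not belong: a BHO whose DLL is gone ("(no file)" on the O2 line above is the leftover of the FakeAlert registration MBAM removed), autorun entries that live under the user profile rather than Program Files or Windows, and commands given as a bare filename that Windows resolves through the search path. As an added example (not code from the thread or from Trend Micro), here is a Python pass that applies those three heuristics to HijackThis-format lines. The embedded sample is a constructed excerpt modelled on the log above with the account name replaced and one invented entry ("updater" on D:\) added to exercise the unexpected-root rule; the trusted roots assume a default 32-bit XP install on C:.

```python
"""Triage O2 (BHO) and O4 (autorun) lines from a HijackThis 2.x log (added example).

Flags three things a responder looks for by eye:
  * orphan-bho:               an O2 entry whose DLL no longer exists ("(no file)")
  * user-writable-location:   an O4 autorun whose executable sits under the profile or Temp
  * unqualified-path:         an O4 command given as a bare filename (resolved via PATH)
  * unexpected-root:          an O4 executable outside the usual XP system directories
"""
import re

# Constructed excerpt modelled on the thread's log; account name replaced,
# the "updater" line is invented to show the unexpected-root rule.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updater] D:\tools\updater.exe /quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: IMVU.lnk = C:\Documents and Settings\User\Application Data\IMVUClient\IMVUClient.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: default XP layout on C:; adjust for other drives or 64-bit installs.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_REG_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# First executable-looking token, quoted or not, with or without a directory.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|cpl))(?:"|\s|,|$)', re.IGNORECASE)


def parse_hjt(text):
    """Return [(code, body)] for every 'Rn - ...' / 'On - ...' line."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def executable_of(cmd):
    """Extract the file that actually runs; for rundll32 that is the DLL it loads."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip()
    path = m.group("path")
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        m2 = EXE_RE.match(cmd[m.end():].lstrip())
        if m2:
            path = m2.group("path")
    return path


def autoruns(entries):
    """[(name, executable)] for every O4 entry, whatever sub-format HJT used."""
    out = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
        if m:
            out.append((m.group("name"), executable_of(m.group("cmd"))))
    return out


def triage(entries):
    """Ordered list of (finding, identifier) tuples; empty list means nothing flagged."""
    findings = []
    for code, body in entries:
        if code == "O2":
            m = O2_RE.match(body)
            if m and m.group("path").strip().lower() == "(no file)":
                findings.append(("orphan-bho", m.group("clsid")))
    for name, exe in autoruns(entries):
        low = exe.lower()
        if "\\" not in low:
            findings.append(("unqualified-path", name))
        elif any(seg in low for seg in USER_WRITABLE):
            findings.append(("user-writable-location", name))
        elif not low.startswith(TRUSTED_ROOTS):
            findings.append(("unexpected-root", name))
    return findings


if __name__ == "__main__":
    for finding, ident in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{finding:24} {ident}")
```

None of these findings is a verdict on its own; the instruction "Do NOT have HijackThis fix anything yet" holds for the script too. An orphaned BHO is harmless debris, a startup link under Application Data is how several legitimate updaters install themselves, and a bare "nwiz.exe" is a driver vendor's habit. The value is in producing a short list to check rather than 120 lines to read.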

#6
February 8, 2009 at 07:21:41
LimeWire is a probable cause of your infection; you should uninstall it and find a better tool, or at least uninstall it until you can get your computer back to 100%.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

ComboFix is a powerful tool, so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files, which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run ComboFix do the following:
1. Go offline, turn off your AVG antivirus, and turn off any other antispyware that you may have.
2. Run ComboFix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the ComboFix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#7
February 8, 2009 at 21:07:59
So I should totally disconnect my internet, then do the scans? And please list what things to turn off.

#8
February 9, 2009 at 03:39:42
Yes, disconnect from the internet, and all I see that needs to be turned off is AVG.

#9
February 10, 2009 at 08:06:51
ComboFix 09-02-08.02 - Devon Boege 2009-02-09 9:46:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.566 [GMT -6:00]
Running from: c:\documents and settings\Devon Boege\Desktop\toolsb.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-7-2-69-100006299-100025973-100027289-4626.com
c:\windows\system32\drivers\gaopdxhomqxeht.sys
c:\windows\system32\drivers\gaopdxppxmoqvs.sys
c:\windows\system32\drivers\gaopdxxylqbuwn.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxdpuegsxk.dll

----- BITS: Possible infected sites -----

hxxp://au.j+|Cv+@J:NGD_DQ{zcxLJS@p-8EM?;
[color=blue]Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe[/COLOR]

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-08 23:14 . 2009-02-08 23:15 <DIR> d-------- C:\toolb
2009-02-08 17:23 . 2009-02-08 17:23 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\Malwarebytes
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 01:25 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 01:25 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 01:34 . 2009-02-02 20:36 24 --a------ C:\url_history.xml
2009-01-29 03:00 . 2009-01-29 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-28 22:43 . 2009-01-28 22:43 <DIR> d-------- c:\program files\OGPlanet
2009-01-28 21:00 . 2009-01-28 21:00 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\Skinux
2009-01-28 20:59 . 2009-01-28 20:59 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\ArcSoft
2009-01-28 18:16 . 2009-01-28 18:16 <DIR> d-------- c:\documents and settings\Admin\Application Data\Skinux
2009-01-28 18:12 . 2009-01-28 18:13 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-01-28 18:12 . 2009-01-28 18:12 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-01-28 18:12 . 2009-01-28 18:12 <DIR> d-------- c:\program files\Common Files\ArcSoft
2009-01-28 18:12 . 2009-01-28 18:12 <DIR> d-------- c:\program files\ArcSoft
2009-01-28 18:12 . 2009-01-28 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\ArcSoft
2009-01-28 18:12 . 2009-01-28 18:12 <DIR> d-------- c:\documents and settings\Admin\Application Data\ArcSoft
2009-01-28 18:11 . 2008-04-13 18:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-28 18:11 . 2008-04-13 12:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-28 18:11 . 2008-04-13 12:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-28 18:11 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-28 18:10 . 2009-01-28 18:11 <DIR> d-------- c:\program files\Common Files\Kodak
2009-01-28 18:08 . 2009-01-28 18:11 <DIR> d-------- c:\program files\Kodak
2009-01-28 18:08 . 2008-05-02 07:25 465,920 --------- c:\windows\system32\imapi2fs.dll
2009-01-28 18:08 . 2008-05-02 07:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2009-01-28 18:08 . 2008-05-02 07:25 317,952 --------- c:\windows\system32\imapi2.dll
2009-01-28 18:08 . 2008-05-02 07:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2009-01-28 18:08 . 2008-05-02 04:49 62,976 -----c--- c:\windows\system32\dllcache\cdrom.sys
2009-01-28 18:03 . 2009-01-28 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak
2009-01-25 19:55 . 2009-01-25 19:55 <DIR> d-------- c:\documents and settings\Admin\Application Data\URSE Games
2009-01-21 18:16 . 2009-01-21 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSN6
2009-01-21 18:16 . 2009-02-08 20:18 <DIR> d-------- c:\documents and settings\Admin\Tracing
2009-01-21 18:16 . 2009-02-08 19:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\MSN6
2009-01-21 17:54 . 2009-01-21 17:54 <DIR> d-------- c:\documents and settings\Admin\Application Data\Skype
2009-01-20 14:13 . 2009-01-20 14:13 21,840 --a------ c:\windows\system32\SIntfNT.dll
2009-01-20 14:13 . 2009-01-20 14:13 17,212 --a------ c:\windows\system32\SIntf32.dll
2009-01-20 14:13 . 2009-01-20 14:13 12,067 --a------ c:\windows\system32\SIntf16.dll
2009-01-20 14:01 . 2009-01-20 14:14 35,942 --a------ c:\windows\DIIUnin.dat
2009-01-20 14:00 . 2009-01-20 14:00 94,208 --a------ c:\windows\DIIUnin.exe
2009-01-20 14:00 . 2009-01-20 14:00 2,829 --a------ c:\windows\DIIUnin.pif
2009-01-20 13:53 . 2009-01-20 14:18 <DIR> d-------- c:\program files\Diablo II
2009-01-20 08:49 . 2009-01-26 20:47 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\IMVUClient
2009-01-20 08:49 . 2009-02-09 06:12 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\IMVU
2009-01-19 23:13 . 2009-01-19 23:13 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\Apple Computer
2009-01-19 23:12 . 2009-01-19 23:12 <DIR> d-------- c:\program files\iTunes
2009-01-19 23:12 . 2009-01-19 23:12 <DIR> d-------- c:\program files\iPod
2009-01-19 23:12 . 2009-01-19 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-19 23:12 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-19 23:12 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-19 23:11 . 2009-01-19 23:11 <DIR> d-------- c:\program files\Bonjour
2009-01-19 23:10 . 2009-01-19 23:12 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-19 23:10 . 2009-01-19 23:11 <DIR> d-------- c:\program files\QuickTime
2009-01-19 23:10 . 2009-01-19 23:10 <DIR> d-------- c:\program files\Apple Software Update
2009-01-19 23:10 . 2009-01-19 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-19 23:09 . 2009-01-19 23:12 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-19 23:09 . 2009-01-19 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-19 19:30 . 2009-02-09 09:36 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\skypePM
2009-01-19 19:30 . 2009-01-19 19:30 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-01-19 19:28 . 2009-02-09 09:36 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\Skype
2009-01-19 19:27 . 2009-01-19 19:27 <DIR> d-------- c:\program files\Skype
2009-01-19 19:27 . 2009-01-19 19:27 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-19 19:25 . 2009-01-19 19:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-01-19 18:24 . 2009-02-08 22:56 <DIR> d-------- c:\documents and settings\Devon Boege\Incomplete
2009-01-19 18:23 . 2009-02-08 23:04 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\LimeWire
2009-01-19 17:59 . 2009-01-31 01:34 <DIR> d-------- c:\program files\SecondLife
2009-01-19 17:59 . 2009-01-19 18:00 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\SecondLife
2009-01-19 17:52 . 2009-02-09 09:53 <DIR> d-------- c:\documents and settings\Devon Boege\Tracing
2009-01-19 17:50 . 2009-01-19 17:50 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-01-19 17:46 . 2009-01-19 17:46 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-01-19 17:46 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-01-19 17:44 . 2009-01-19 17:44 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-01-19 17:44 . 2009-01-19 17:50 <DIR> d-------- c:\program files\Windows Live
2009-01-19 17:44 . 2009-01-19 17:44 <DIR> d-------- c:\program files\Microsoft
2009-01-19 17:35 . 2009-01-19 17:35 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-01-19 17:33 . 2009-01-19 17:59 <DIR> d-------- c:\documents and settings\Devon Boege\Application Data\AVGTOOLBAR
2009-01-19 17:31 . 2009-01-19 18:24 <DIR> d-------- c:\documents and settings\Devon Boege
2009-01-19 17:31 . 2004-08-04 01:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-19 16:58 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-19 16:58 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-01-19 16:58 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-19 16:58 . 2008-04-13 12:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-01-18 15:32 . 2001-08-17 13:28 224,802 --a------ c:\windows\system32\drivers\USR1807A.sys
2009-01-18 15:32 . 2001-08-17 13:28 224,802 --a--c--- c:\windows\system32\dllcache\usr1807a.sys
2009-01-18 15:32 . 2001-08-17 13:28 113,762 --a------ c:\windows\system32\drivers\USRpdA.sys
2009-01-18 15:32 . 2001-08-17 13:28 113,762 --a--c--- c:\windows\system32\dllcache\usrpda.sys
2009-01-18 15:32 . 2001-08-17 13:28 7,556 --a------ c:\windows\system32\drivers\USRoslbA.sys
2009-01-18 15:32 . 2001-08-17 13:28 7,556 --a--c--- c:\windows\system32\dllcache\usroslba.sys
2009-01-18 15:16 . 2009-01-18 15:16 <DIR> d-------- c:\windows\Sun
2009-01-18 15:13 . 2009-01-18 15:13 <DIR> d-------- c:\program files\Java
2009-01-18 15:13 . 2009-01-18 15:13 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 15:13 . 2009-01-18 15:13 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 15:02 . 2009-01-18 15:02 <DIR> d-------- c:\program files\Microsoft Works
2009-01-18 15:02 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-18 15:01 . 2009-01-18 15:01 <DIR> d-------- c:\program files\MSBuild
2009-01-18 14:56 . 2009-01-18 15:01 <DIR> d-------- c:\windows\SHELLNEW
2009-01-18 14:53 . 2009-01-20 03:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-18 14:49 . 2009-01-18 14:49 <DIR> dr-h----- C:\MSOCache
2009-01-18 12:00 . 2009-02-09 01:21 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-18 08:43 . 2009-01-18 08:43 <DIR> d-------- c:\windows\system32\Lang
2009-01-18 08:43 . 2009-01-18 08:43 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2009-01-18 08:43 . 2009-01-18 08:43 146,650 --a------ c:\windows\system32\BuzzingBee.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 23:54 --------- d-----w c:\documents and settings\Admin\Application Data\AVGTOOLBAR
2009-01-18 15:09 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-18 15:08 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-18 15:08 29,208 ----a-w c:\windows\system32\drivers\avgfwdx.sys
2009-01-18 15:08 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-18 15:08 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-18 12:03 --------- d-----w c:\program files\microsoft frontpage
2009-01-18 02:16 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-18 00:07 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-17 23:54 --------- d-----w c:\program files\AVG
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-05 04:55 307,560 ----a-w c:\windows\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-18 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2001-08-18 77891]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Devon Boege\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\Devon Boege\Application Data\IMVUClient\IMVUClient.exe [2009-01-26 49408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-18 09:08 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-17 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-17 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-17 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-17 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-18 1339600]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-17 29208]
S0 eIqy;eIqy;c:\windows\system32\drivers\pdjcox.sys --> c:\windows\system32\drivers\pdjcox.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-17 29208]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-29 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.20.1.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Devon Boege\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 09:52:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\usrshuta.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-09 10:01:15 - machine was rebooted [Devon Boege]
ComboFix-quarantined-files.txt 2009-02-09 15:59:57

Pre-Run: 21,455,327,232 bytes free
Post-Run: 21,672,349,696 bytes free

253 --- E O F --- 2009-01-29 09:00:39



#10
February 10, 2009 at 08:08:12
This is the log.


#11
February 10, 2009 at 10:14:46
Check this out.

Safe and Cheap Online Virus Removal
http://crossloop.com/AdwareSpwareTu...



#12
February 10, 2009 at 16:14:31
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\LoopyMusic.wav
c:\windows\system32\BuzzingBee.wav
c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



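A small triage script, added here as an example and not part of this thread, of ComboFix, or of any tool named in it. It parses the service lines and the Active Setup entry in the format seen in the log posted above (those lines are copied from that log and embedded as constructed sample input) and flags the entries a reviewer would look at first: a driver entry ComboFix marked `[?]` because it could not read the image file, and an autostart target that lives outside the Windows or Program Files roots, which is the kind of entry the File::/Registry:: script in #12 removes. The regexes, the list of expected roots and the `Finding` type are the example's own assumptions about the log format, not something ComboFix documents.

```python
import re
from dataclasses import dataclass

# Constructed sample input: service lines and the Active Setup entry copied
# from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-17 12552]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-18 1339600]
S0 eIqy;eIqy;c:\windows\system32\drivers\pdjcox.sys --> c:\windows\system32\drivers\pdjcox.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
"""

# "<start type> <name>;<display name>;<image path> [<date> <size>]", or "[?]"
# when ComboFix could not read the file. Assumed from the log lines above.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]\s*$")
ACTIVE_SETUP_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\(\{[^}]+\})\]$",
    re.IGNORECASE,
)

# Roots under which an installed driver or program normally lives (assumption).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    kind: str    # "service" or "active_setup"
    name: str    # service name or Active Setup GUID
    path: str    # on-disk target
    reason: str


def normalize(path):
    """Lower-case the path and drop the NT \\??\\ prefix ComboFix sometimes prints."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def under_expected_root(path):
    return normalize(path).startswith(EXPECTED_ROOTS)


def triage(log_text):
    """Return the service and Active Setup entries worth a closer look."""
    findings = []
    pending_guid = None   # set by an Active Setup key line, consumed by the next non-empty line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, target, info = m.groups()
            path = target.split("-->")[-1].strip()   # keep the resolved path when an arrow is present
            if info.strip() == "?":
                findings.append(Finding("service", name, path,
                                        "ComboFix marked the image [?]: file missing or unreadable"))
            elif not under_expected_root(path):
                findings.append(Finding("service", name, path, "image outside expected roots"))
            continue
        k = ACTIVE_SETUP_RE.match(line)
        if k:
            pending_guid = k.group(1)
            continue
        if pending_guid and line:
            if not under_expected_root(line):
                findings.append(Finding("active_setup", pending_guid, line,
                                        "StubPath target outside expected roots"))
            pending_guid = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:13} {f.name}\n    {f.path}\n    -> {f.reason}")
```

Run against the sample it reports the two `[?]` driver entries and the Active Setup key whose target sits under the Start Menu folder; the AVG entries, whose images are readable and live under expected roots, are not reported. The root list is deliberately short, so an entry it flags is a prompt to check the file's signature and origin, not a verdict on its own.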
#13
February 11, 2009 at 10:21:19
Do I unplug the internet and turn off AVG again?


#14
February 11, 2009 at 15:07:40
Yes, it would be best.
