Total Security has infected computer


Solved Total Security has infected computer

Post by ssaifull on Fri Sep 11, 2009 8:10 am

Total Security has infected my friend's computer and since GeekPolice did such a great job curing my computer of Antivirus System Pro, I volunteered to help my friend out by reaching out to GeekPolice once again...

I read the instructions for removing Total Security, but the problems with the computer prevent me from doing any of the following: the computer is unable to connect to the internet. I then tried installing Malwarebytes off a USB jump drive, but it would not let the program even start. I then tried to run HJT off the jump drive with the same result: it was not even able to start.

Please help! Thanks in advance.

ssaifull
Novice
Posts: 33
Joined: 2009-09-06
OS: XP Professional
Points: 26723
Likes: 0


Solved Re: Total Security has infected computer

Post by ssaifull on Fri Sep 11, 2009 8:19 am

I am going to go out on a limb and guess that you are going to suggest that I download and run DDS.scr off my jump drive from reading other threads on this forum, BUT I am going to wait until you instruct me so.


Solved Re: Total Security has infected computer

Post by Belahzur on Fri Sep 11, 2009 6:15 pm

Hello.
Try this renamed version of HijackThis; let me know if it will work.
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245049
Likes: 1


Solved Re: Total Security has infected computer

Post by ssaifull on Sat Sep 12, 2009 4:35 am

The version that I was trying to run and the version that I downloaded from the link provided are one and the same: winlogon.scr.

Unfortunately, I am not able to run it. As soon as I click on it, Total Security shuts it down.


Solved Re: Total Security has infected computer

Post by Origin on Sat Sep 12, 2009 5:21 am

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    cngaudit.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31463
Likes: 0


Solved Re: Total Security has infected computer

Post by ssaifull on Sat Sep 12, 2009 7:02 am

I tried to run SystemLook.exe off of the jump drive but to no avail -- like all the other programs it will not run as it is shut down immediately.

One more note, I just noticed on the desktop there are icons for AntivirusPro 2010 and Advanced Virus Remover as well as Total Security 2009. The others are inactive and Total Security seems to be running the show (as I see no pop ups or warnings from the other programs).


Solved Re: Total Security has infected computer

Post by Origin on Sat Sep 12, 2009 5:32 pm

Let's try something in safe mode with networking:

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then follow these instructions:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.



Solved Re: Total Security has infected computer

Post by ssaifull on Sat Sep 12, 2009 8:06 pm

I was able to run ComboFix with the instructions provided while in Safe mode with networking. I was unable to disable AVG before running ComboFix, but it still seemed to work just fine. The log is posted below.

ComboFix 09-09-11.05 - Muhammad 09/12/2009 15:32.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.351 [GMT -4:00]
Running from: c:\documents and settings\Muhammad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12015624
c:\documents and settings\All Users\Application Data\12015624\12015624
c:\documents and settings\All Users\Application Data\12015624\12015624.exe
c:\documents and settings\All Users\Application Data\12015624\pc12015624ins
c:\documents and settings\All Users\Application Data\jyty._sy
c:\documents and settings\All Users\Application Data\pape.inf
c:\documents and settings\All Users\Application Data\vidam.ban
c:\documents and settings\All Users\Documents\nonetuky.reg
c:\documents and settings\All Users\Documents\tecahefo.dll
c:\documents and settings\Muhammad\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Muhammad\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Muhammad\Application Data\rexikuny.dll
c:\documents and settings\Muhammad\Cookies\obos._dl
c:\documents and settings\Muhammad\Cookies\sigo.bin
c:\documents and settings\Muhammad\Cookies\symobasyzy.scr
c:\documents and settings\Muhammad\Cookies\xadaxafa.ban
c:\documents and settings\Muhammad\Cookies\xotofino.com
c:\documents and settings\Muhammad\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Muhammad\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Muhammad\Desktop\Total Security 2009.lnk
c:\documents and settings\Muhammad\Local Settings\Application Data\cuhebi.bat
c:\documents and settings\Muhammad\Local Settings\Application Data\vebapi.vbs
c:\documents and settings\Muhammad\Local Settings\Application Data\vyga.ban
c:\documents and settings\Muhammad\Local Settings\Application Data\ziry.vbs
c:\documents and settings\Muhammad\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Muhammad\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Muhammad\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Muhammad\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Muhammad\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
c:\documents and settings\Muhammad\Start Menu\Programs\Total Security
c:\documents and settings\Muhammad\Start Menu\Programs\Total Security\Total Security 2009.lnk
C:\kqbvc.exe
C:\p2hhr.bat
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\abyj.dl
c:\program files\Common Files\dokoci.bat
c:\program files\Mozilla Firefox\plc4.dll
c:\windows\Installer\21bf64.msp
c:\windows\Installer\21bf6e.msp
c:\windows\Installer\21bf79.msp
c:\windows\Installer\c1937f.msp
c:\windows\Installer\c19380.msp
c:\windows\Installer\c19381.msp
c:\windows\Installer\c19382.msp
c:\windows\Installer\c19383.msp
c:\windows\Installer\c19384.msp
c:\windows\Installer\c19385.msp
c:\windows\Installer\c19386.msp
c:\windows\Installer\c19387.msp
c:\windows\Installer\c6c407.msp
c:\windows\Installer\c6c408.msp
c:\windows\Installer\c6c409.msp
c:\windows\Installer\c6c40a.msp
c:\windows\Installer\c6c40b.msp
c:\windows\Installer\c6c40c.msp
c:\windows\Installer\c6c40d.msp
c:\windows\Installer\c6c40e.msp
c:\windows\Installer\c6c40f.msp
c:\windows\Installer\c6c410.msp
c:\windows\oqidetymyl.sys
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\ajyvyx.sys
c:\windows\system32\braviax.exe
c:\windows\system32\fyvano.dl
c:\windows\system32\gumunijo.dll
c:\windows\system32\lazahuji.exe
c:\windows\system32\lepefihi.exe
c:\windows\system32\metigime.dll
c:\windows\system32\mojujebu.dll
c:\windows\system32\nacukahe.bin
c:\windows\system32\sipudabube.inf
c:\windows\system32\taJF83ikdmf.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\zohevanim.scr
c:\windows\xice.inf
c:\windows\ygycimi.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-11 07:08 . 2009-09-11 07:08 -------- d-----w- c:\documents and settings\Muhammad\Application Data\U3
2009-09-10 01:32 . 2009-09-10 01:32 17470 ----a-w- c:\windows\qotedo.com
2009-09-10 01:32 . 2009-09-10 01:32 15478 ----a-w- c:\windows\yworolymo.dat
2009-09-10 01:26 . 2009-09-12 19:46 80256 ----a-w- c:\windows\system32\drivers\d4f31910.sys
2009-09-10 01:24 . 2009-09-10 01:24 49664 ----a-w- C:\scmhux.exe
2009-09-10 01:24 . 2009-09-10 01:24 22016 ----a-w- C:\udtcnn.exe
2009-08-28 21:28 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-08-28 21:28 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-08-28 21:28 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-28 21:28 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-24 21:07 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-24 21:07 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-24 21:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-24 21:07 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-24 21:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-24 21:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-24 21:07 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-24 21:07 . 2009-08-24 21:07 -------- d-----w- C:\fbcd292a309e8114d9b8a77e
2009-08-24 17:40 . 2009-08-24 17:40 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-21 07:12 . 2009-08-24 21:08 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 07:12 . 2009-08-21 07:12 -------- d-----w- c:\program files\MSBuild
2009-08-21 07:12 . 2009-08-21 07:12 -------- d-----w- c:\program files\Reference Assemblies
2009-08-13 21:30 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 19:47 . 2008-05-13 07:27 65857824 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-12 19:13 . 2008-05-18 03:23 -------- d-----w- c:\documents and settings\Muhammad\Application Data\Move Networks
2009-09-12 07:12 . 2008-05-13 07:27 882980 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-10 01:32 . 2009-06-10 01:32 88576 --sha-w- c:\windows\system32\gabuwuwo.dll
2009-09-10 01:32 . 2009-09-10 01:32 16233 ----a-w- c:\documents and settings\Muhammad\Application Data\wavuvykatu.dat
2009-09-10 01:32 . 2009-09-10 01:32 10566 ----a-w- c:\program files\Common Files\terevalyzu._sy
2009-09-10 01:30 . 2008-05-16 18:07 -------- d-----w- c:\documents and settings\Muhammad\Application Data\OpenOffice.org2
2009-08-26 04:59 . 2008-06-05 05:17 21168 ----a-w- c:\documents and settings\Muhammad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 17:35 . 2008-05-13 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 01:05 . 2009-07-15 01:05 -------- d-----w- c:\program files\MSECache
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 02:24 . 2008-05-17 05:06 664 ----a-w- c:\documents and settings\Muhammad\Local Settings\Application Data\d3d9caps.dat
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 01:25 . 2009-06-10 01:25 49664 --sha-w- c:\windows\system32\vajozesi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f4734c9-393c-42c7-8d37-eb2c26d9530e}]
2009-06-10 01:25 49664 --sha-w- c:\windows\system32\vajozesi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Google Update"="c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-05-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-09 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-09 126976]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"zowuhidot"="c:\windows\system32\gabuwuwo.dll" [2009-09-10 88576]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\Muhammad\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{da0d7c43-fe69-4ce3-8ced-c9bb76fda2ca}"= "c:\windows\system32\gabuwuwo.dll" [2009-09-10 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gudarobad"= {da0d7c43-fe69-4ce3-8ced-c9bb76fda2ca} - c:\windows\system32\gabuwuwo.dll [2009-09-10 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-21 02:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Muhammad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Muhammad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/13/2008 7:44 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/13/2008 7:44 AM 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1897051121-682003330-1006Core.job
- c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:57]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1897051121-682003330-1006UA.job
- c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:57]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Muhammad\Application Data\Mozilla\Firefox\Profiles\gldkb2wh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Muhammad\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Muhammad\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Muhammad\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-12015624 - c:\documents and settings\All Users\Application Data\12015624\12015624.exe
HKLM-Run-tenasunume - metigime.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-12 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d4f31910]
"ImagePath"="\SystemRoot\System32\drivers\d4f31910.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\WININET.dll
c:\windows\system32\gabuwuwo.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-09-12 15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 19:50

Pre-Run: 15,446,548,480 bytes free
Post-Run: 16,023,154,688 bytes free

284 --- E O F --- 2009-09-02 00:10


Solved Re: Total Security has infected computer

Post by Belahzur on Sat Sep 12, 2009 10:45 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\qotedo.com
c:\windows\yworolymo.dat
c:\windows\system32\drivers\d4f31910.sys
C:\scmhux.exe
C:\udtcnn.exe
c:\windows\system32\gabuwuwo.dll
c:\documents and settings\Muhammad\Application Data\wavuvykatu.dat
c:\program files\Common Files\terevalyzu._sy
c:\windows\system32\vajozesi.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f4734c9-393c-42c7-8d37-eb2c26d9530e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zowuhidot"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{da0d7c43-fe69-4ce3-8ced-c9bb76fda2ca}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gudarobad"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d4f31910]

Driver::
d4f31910

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


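The CFScript above was written by hand from the first ComboFix log: the helper picked out the hidden+system DLLs under system32 (gabuwuwo.dll, vajozesi.dll), the executables dropped straight into C:\, and the Run/BHO values pointing at them, then listed each under File:: or Registry::. The following is an added example, not code from the thread, from ComboFix or from GeekPolice, that does the same triage mechanically: it parses a constructed sample in the shape of the log's file listing and Run-key dump (names copied from the log, line set hand-picked), applies three heuristics that are this example's own assumptions (hidden+system loadable module, executable directly in the drive root, referenced from an autostart value), and renders the hits in the File:: / Registry:: layout used in the script above. The line-format regexes are inferred from the log as posted and are assumptions about ComboFix output, not its documented format.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the shape of the ComboFix output posted in this thread:
# file-listing lines ("created . modified size attributes path") followed by a
# Run-key dump. Names come from the posted log; the selection is hand-picked.
SAMPLE_LOG = r"""
2009-09-10 01:32 . 2009-06-10 01:32 88576 --sha-w- c:\windows\system32\gabuwuwo.dll
2009-06-10 01:25 . 2009-06-10 01:25 49664 --sha-w- c:\windows\system32\vajozesi.dll
2009-09-10 01:24 . 2009-09-10 01:24 49664 ----a-w- C:\scmhux.exe
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-09-12 19:47 . 2008-05-13 07:27 65857824 --sha-w- c:\windows\system32\drivers\fidbox.dat
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-09 155648]
"zowuhidot"="c:\windows\system32\gabuwuwo.dll" [2009-09-10 88576]
"""

# Line shapes assumed from the posted log; directory rows (size shown as dashes) are skipped.
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) ([-a-z]{8}) (.+)$"
)
KEY_LINE = re.compile(r"^\[(H[A-Z_]+\\.+)\]$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]+)"')
LOADABLE = {".dll", ".exe", ".sys", ".scr", ".com"}  # extensions Windows will load or execute


class FileEntry(NamedTuple):
    created: str
    modified: str
    size: int
    attrs: str
    path: str


class RunValue(NamedTuple):
    key: str
    name: str
    target: str


def parse_log(text: str) -> Tuple[List[FileEntry], List[RunValue]]:
    """Split a ComboFix-style listing into file entries and registry run values."""
    files: List[FileEntry] = []
    values: List[RunValue] = []
    current_key = None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append(FileEntry(created, modified, int(size), attrs, path))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)  # values that follow belong to this key
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            values.append(RunValue(current_key, m.group(1), m.group(2)))
    return files, values


def flag_files(files: List[FileEntry], values: List[RunValue]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries worth a second look.

    The three heuristics are this example's own assumptions, chosen to mirror what
    the helper pulled out of the posted log by hand.
    """
    autostart = {v.target.lower() for v in values}
    flagged: Dict[str, List[str]] = {}
    for f in files:
        reasons = []
        loadable = ntpath.splitext(f.path)[1].lower() in LOADABLE
        if loadable and "s" in f.attrs and "h" in f.attrs:
            reasons.append("hidden+system loadable module")
        if loadable and ntpath.dirname(f.path).rstrip("\\").endswith(":"):
            reasons.append("executable directly in the drive root")
        if f.path.lower() in autostart:
            reasons.append("referenced from an autostart key")
        if reasons:
            flagged[f.path] = reasons
    return flagged


def build_cfscript(flagged: Dict[str, List[str]], values: List[RunValue]) -> str:
    """Render the hits in the File:: / Registry:: layout of the CFScript posted above."""
    wanted = {p.lower() for p in flagged}
    lines = ["File::"] + sorted(flagged) + [""]
    by_key: Dict[str, List[str]] = {}
    for v in values:
        if v.target.lower() in wanted:  # drop the Run value that would re-launch the file
            by_key.setdefault(v.key, []).append(v.name)
    if by_key:
        lines.append("Registry::")
        for key, names in by_key.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    entries, run_values = parse_log(SAMPLE_LOG)
    hits = flag_files(entries, run_values)
    for path, why in hits.items():
        print(f"{path}: {', '.join(why)}")
    print()
    print(build_cfscript(hits, run_values))
```

The reason the first heuristic requires a loadable extension rather than hidden+system alone is visible in the sample: AVG's fidbox.dat carries the same --sha-w- attributes as the two rogue DLLs, so attribute bits by themselves would put a legitimate file into the script. Output of this kind is a triage list for a human to review against the full log, not a script to run unread.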

Solved Re: Total Security has infected computer

Post by ssaifull on Sun Sep 13, 2009 8:11 am

ComboFix 09-09-11.05 - Muhammad 09/12/2009 19:08.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.113 [GMT -4:00]
Running from: c:\documents and settings\Muhammad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Muhammad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Muhammad\Application Data\wavuvykatu.dat"
"c:\program files\Common Files\terevalyzu._sy"
"C:\scmhux.exe"
"C:\udtcnn.exe"
"c:\windows\qotedo.com"
"c:\windows\system32\drivers\d4f31910.sys"
"c:\windows\system32\gabuwuwo.dll"
"c:\windows\system32\vajozesi.dll"
"c:\windows\yworolymo.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Muhammad\Application Data\wavuvykatu.dat
c:\program files\Common Files\terevalyzu._sy
C:\scmhux.exe
C:\udtcnn.exe
c:\windows\qotedo.com
c:\windows\system32\drivers\d4f31910.sys
c:\windows\system32\gabuwuwo.dll
c:\windows\system32\vajozesi.dll
c:\windows\yworolymo.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_d4f31910


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-11 07:08 . 2009-09-11 07:08 -------- d-----w- c:\documents and settings\Muhammad\Application Data\U3
2009-08-28 21:28 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-08-28 21:28 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-08-28 21:28 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-28 21:28 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-24 21:07 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-24 21:07 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-24 21:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-24 21:07 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-24 21:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-24 21:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-24 21:07 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-24 21:07 . 2009-08-24 21:07 -------- d-----w- C:\fbcd292a309e8114d9b8a77e
2009-08-24 17:40 . 2009-08-24 17:40 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-21 07:12 . 2009-08-24 21:08 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 07:12 . 2009-08-21 07:12 -------- d-----w- c:\program files\MSBuild
2009-08-21 07:12 . 2009-08-21 07:12 -------- d-----w- c:\program files\Reference Assemblies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 23:23 . 2008-05-13 07:27 65936672 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-12 23:21 . 2008-05-13 07:27 884084 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-12 19:47 . 2008-05-16 18:07 -------- d-----w- c:\documents and settings\Muhammad\Application Data\OpenOffice.org2
2009-09-12 19:13 . 2008-05-18 03:23 -------- d-----w- c:\documents and settings\Muhammad\Application Data\Move Networks
2009-08-26 04:59 . 2008-06-05 05:17 21168 ----a-w- c:\documents and settings\Muhammad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 17:35 . 2008-05-13 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 01:05 . 2009-07-15 01:05 -------- d-----w- c:\program files\MSECache
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 02:24 . 2008-05-17 05:06 664 ----a-w- c:\documents and settings\Muhammad\Local Settings\Application Data\d3d9caps.dat
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 23:22 . 2008-07-26 13:25 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-09-12 19:45 . 2008-07-26 13:25 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Google Update"="c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-05-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-09 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-09 126976]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"tenasunume"="metigime.dll" [BU]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\Muhammad\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-21 02:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Muhammad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Muhammad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/13/2008 7:44 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/13/2008 7:44 AM 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1897051121-682003330-1006Core.job
- c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:57]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1897051121-682003330-1006UA.job
- c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:57]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Muhammad\Application Data\Mozilla\Firefox\Profiles\gldkb2wh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Muhammad\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Muhammad\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Muhammad\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Muhammad\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-12 19:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2556)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-12 19:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 23:27
ComboFix2.txt 2009-09-12 19:50

Pre-Run: 16,037,191,680 bytes free
Post-Run: 16,007,483,392 bytes free

189 --- E O F --- 2009-09-02 00:10


Solved Re: Total Security has infected computer

Post by Belahzur on Mon Sep 14, 2009 12:48 am

Hello.
Post a new Hijack This log now.


Solved HJT log file

Post by ssaifull on Mon Sep 14, 2009 8:08 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:28 PM, on 9/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Muhammad\Desktop\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [tenasunume] Rundll32.exe "metigime.dll",s
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Muhammad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6320 bytes


Solved Re: Total Security has infected computer

Post by Belahzur on Mon Sep 14, 2009 9:14 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Solved Re: Total Security has infected computer

Post by ssaifull on Mon Sep 14, 2009 9:35 pm

Malwarebytes' Anti-Malware 1.41
Database version: 2797
Windows 5.1.2600 Service Pack 3

9/14/2009 5:34:51 PM
mbam-log-2009-09-14 (17-34-51).txt

Scan type: Quick Scan
Objects scanned: 95601
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Muhammad\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenasunume (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Muhammad\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Solved Re: Total Security has infected computer

Post by Belahzur on Mon Sep 14, 2009 11:11 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


Solved Re: Total Security has infected computer

Post by ssaifull on Tue Sep 15, 2009 11:02 pm

The system is running fine and fast. THANKS A LOT ONCE AGAIN GEEKPOLICE!!!


Solved Re: Total Security has infected computer

Post by Dr Jay on Wed Sep 16, 2009 9:49 pm

Since this issue appears to be solved, this topic is now closed and being marked solved.

If you need the topic reopened, PM an administrator, moderator, or staff.


Dr. Jay (DJ)