GeekPolice

viruses help needed


Post by syntax0error on Mon Oct 26, 2009 1:12 pm

Hello! I have a problem with a laptop! It continuously makes an annoying noise like I am connecting and disconnecting a USB stick! It won't stop! The computer is running some processes by itself, running slow, and now I can't even start up either Firefox or IE! Can you please help me? I think I have some kind of virus on it! What do I have to do?

THX


Last edited by syntax0error on Mon Oct 26, 2009 5:13 pm; edited 2 times in total

syntax0error
Novice

Posts : 31
Joined : 2009-03-25
Gender : Male
OS : windows 10
Points : 28180
# Likes : 0

Re: viruses help needed

Post by syntax0error on Mon Oct 26, 2009 1:13 pm

It is my girlfriend's laptop and I don't have a clue what she has done with it!


Re: viruses help needed

Post by syntax0error on Mon Oct 26, 2009 1:17 pm

Here is the HijackThis log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:24, on 26.10.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Security\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Security\Ad-Aware 2007\AAWTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Security\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [FortKnoxPersonalFirewall] "C:\Program Files\NETGATE\FortKnox Personal Firewall 2008\FortKnoxGUI.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [zvb0dl2X8tt] C:\WINDOWS\system32\NVUKZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [9UmxQPSiTJMbA] C:\WINDOWS\system32\NVUKZ.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Security\Ad-Aware 2007\aawservice.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FortKnox Personal Firewall (fortknox) - NETGATE Technologies s.r.o. - C:\Program Files\NETGATE\FortKnox Personal Firewall 2008\FortKnox.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O24 - Desktop Component 0: (no name) - [You must be registered and logged in to see this link.]

--
End of file - 7262 bytes


Re: viruses help needed

Post by Belahzur on Mon Oct 26, 2009 5:54 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [zvb0dl2X8tt] C:\WINDOWS\system32\NVUKZ.exe
    O4 - HKCU\..\Run: [9UmxQPSiTJMbA] C:\WINDOWS\system32\NVUKZ.exe



  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1
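As an added worked example (not part of the thread, and not HijackThis code): the two O4 lines Belahzur picked out can also be found mechanically. The script below parses the O4 Run-key lines from the HijackThis log posted above and flags two things: a value name that looks machine-generated (letters and digits mixed, upper and lower case, no separators, like [zvb0dl2X8tt]), and one executable registered under two or more different value names (NVUKZ.exe sits under HKLM and HKCU with different names, whereas ctfmon.exe under several hives with the same name is normal and is not flagged). Both heuristics are this script's own assumptions, not signatures; the sample input is copied from the log above.

```python
"""Flag suspicious O4 (Run-key) lines in a HijackThis log.

Added example for this thread; not HijackThis code and not from the
original posts. Two heuristics, both assumptions of this script:
  1. a value name that looks machine-generated: 8+ characters, letters
     and digits mixed, upper and lower case, no separators;
  2. one executable registered under two or more *different* value names
     (the same name under several hives, e.g. ctfmon.exe, is normal).
"""
import re
from collections import defaultdict

# O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)*?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}$")


def exe_path(cmd):
    """Executable from a Run-key command line: quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(name):
    """True for names such as zvb0dl2X8tt or 9UmxQPSiTJMbA; False for IgfxTray, ctfmon.exe."""
    if not RANDOM_NAME_RE.match(name):
        return False
    return (any(c.isdigit() for c in name) and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def parse_o4(log_text):
    """List of dicts (hive, key, name, cmd, exe) for every O4 Run/RunOnce line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["exe"] = exe_path(e["cmd"])
            entries.append(e)
    return entries


def audit(entries):
    """Map (hive, key, name) -> list of reasons, for every entry that trips a heuristic."""
    names_by_exe = defaultdict(set)
    for e in entries:
        names_by_exe[e["exe"].lower()].add(e["name"])
    findings = defaultdict(list)
    for e in entries:
        ident = (e["hive"], e["key"], e["name"])
        if looks_random(e["name"]):
            findings[ident].append("random-looking value name")
        if len(names_by_exe[e["exe"].lower()]) > 1:
            findings[ident].append("same executable under several value names")
    return dict(findings)


def suspicious_exes(entries):
    """Sorted, de-duplicated executables behind the flagged entries."""
    flagged = audit(entries)
    return sorted({e["exe"] for e in entries if (e["hive"], e["key"], e["name"]) in flagged})


# O4 section of the HijackThis log posted in this thread (copied, not constructed).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Security\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [FortKnoxPersonalFirewall] "C:\Program Files\NETGATE\FortKnox Personal Firewall 2008\FortKnoxGUI.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [zvb0dl2X8tt] C:\WINDOWS\system32\NVUKZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [9UmxQPSiTJMbA] C:\WINDOWS\system32\NVUKZ.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
"""

if __name__ == "__main__":
    parsed = parse_o4(SAMPLE_HJT)
    for (hive, key, name), reasons in audit(parsed).items():
        print(f"{hive}\\..\\{key}: [{name}] -> {'; '.join(reasons)}")
    print("executables to look at:", suspicious_exes(parsed))
```

To audit a saved log instead of the pasted sample, call parse_o4(open(path).read()). The first heuristic is deliberately crude: a vendor value name that happens to mix digits and case with no spaces would also trip it, so treat its output as a shortlist to check, not a verdict.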

Re: viruses help needed

Post by syntax0error on Mon Oct 26, 2009 6:16 pm

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

26.10.2009 19:04:48
mbam-log-2009-10-26 (19-04-48).txt

Scan type: Quick Scan
Objects scanned: 88841
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{g0np7z2v-b1zd-qhjb-52lr-oua3xrmoqgok} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\NVUKZ.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\SETUP\DATA\June.exe (Worm.AutoRun) -> Delete on reboot.
C:\Documents and Settings\User\o9n8e4i1m2d7.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\q4g6v1r4k3h3.exe (Worm.AutoRun) -> Quarantined and deleted successfully.


Re: viruses help needed

Post by Belahzur on Mon Oct 26, 2009 11:58 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.



Re: viruses help needed

Post by syntax0error on Tue Oct 27, 2009 9:35 am

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 10:34:21,89 on uto 27.10.2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1015.546 [GMT 1:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Security\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Security\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Documents and Settings\User\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [9UmxQPSiTJMbA] c:\windows\system32\NVUKZ.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AAWTray] c:\program files\security\ad-aware 2007\AAWTray.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [MbWzdFPAP-EXL600] c:\windows\system32\fpap-exl600\PdtGuide.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [zvb0dl2X8tt] c:\windows\system32\NVUKZ.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
mASetup: {14MAD6M8-1MAD-81AD-JIM6-26OP5G3369085} - c:\xavx\release\xAVy.exe
mASetup: {67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431} - c:\setup\data\June.exe
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
mASetup: {G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk} - c:\windows\system32\NVUKZ.exe
uASetup: {G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk} - c:\windows\system32\NVUKZ.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\9d7hr5e5.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iastor76;iastor76;c:\windows\system32\drivers\iastor76.sys [2007-12-15 305176]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-25 34824]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-10-25 468224]
R3 Fkndisf;FortKnox Firewall NDIS Filter Service;c:\windows\system32\drivers\fortknoxfw_ndisim.sys [2009-1-20 23248]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-1-19 36608]

=============== Created Last 30 ================

2009-10-27 08:36:43 90157 ----a-w- c:\documents and settings\user\h7j9f65w8.exe
2009-10-26 19:21:25 90157 ----a-w- c:\windows\system32\NVUKZ.exe
2009-10-26 18:54:13 0 d-----w- c:\program files\CCleaner
2009-10-26 17:53:14 90157 ----a-w- c:\documents and settings\user\z3x9c92v7.exe
2009-10-26 17:36:11 90157 ----a-w- c:\documents and settings\user\b4n9s95b8.exe
2009-10-26 17:22:46 0 d-----w- c:\windows\system32\appmgmt
2009-10-26 16:57:03 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2009-10-26 16:56:56 0 d-----w- c:\windows\system32\FPAP-EXL600
2009-10-26 16:56:55 0 d-----w- c:\docume~1\user\applic~1\ABIG
2009-10-26 14:26:01 90157 ----a-w- c:\documents and settings\user\s9u2n26x8.exe
2009-10-26 13:30:02 0 d-----r- c:\program files\Skype
2009-10-26 13:11:34 90157 ----a-w- c:\documents and settings\user\f2a8w344.exe
2009-10-26 13:07:23 0 d-----w- c:\program files\Trend Micro
2009-10-26 12:58:47 0 d-sh--r- C:\xAVx
2009-10-26 12:57:02 90157 ----a-w- c:\documents and settings\user\b1k5a35n3.exe

==================== Find3M ====================

2009-09-10 13:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-01-20 01:15:14 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-01-20 01:15:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-01-20 01:15:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011920090120\index.dat
2009-01-20 01:15:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 10:34:32,67 ===============

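As an added example (not part of the thread and not DDS code), two checks over the DDS log above. The mASetup/uASetup lines are Active Setup "Installed Components" entries, the same key the MBAM log reported as Generic.Bot.H; Windows and legitimate installers write a well-formed GUID there (8-4-4-4-12 hex digits, like the Sidebar entry), while three of the five GUIDs above contain letters outside 0-9/A-F. The "Created Last 30" section also shows seven executables of exactly 90157 bytes with random names in the user's profile root plus system32\NVUKZ.exe, which is the same file copied around. The script below parses both sections (assuming the line formats shown in this DDS output) and reports malformed Active Setup GUIDs and same-size executable clusters; the thresholds and regexes are this script's own, and the sample is copied from the log above.

```python
"""Two triage checks over a DDS log (added example; not DDS code).

Assumptions (this script's own, not from the thread):
  * mASetup/uASetup lines are Active Setup "Installed Components" entries;
    a genuine one carries a well-formed GUID, 8-4-4-4-12 hex digits;
  * "Created Last 30" lines look like "<date> <time> <size> <attrs> <path>".
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# mASetup: {G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk} - c:\windows\system32\NVUKZ.exe
ASETUP_RE = re.compile(r"^(?P<scope>[mu])ASetup: (?P<guid>\{[^}]*\}) - (?P<cmd>.+)$")
# 2009-10-27 08:36:43 90157 ----a-w- c:\documents and settings\user\h7j9f65w8.exe
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)


def bogus_active_setup(log_text):
    """(scope, guid, command) for every Active Setup entry whose GUID is malformed."""
    hits = []
    for line in log_text.splitlines():
        m = ASETUP_RE.match(line.strip())
        if m and not GUID_RE.match(m.group("guid")):
            hits.append((m.group("scope"), m.group("guid"), m.group("cmd")))
    return hits


def same_size_executables(log_text, min_count=3):
    """Group .exe files from 'Created Last 30' by byte size; keep groups of min_count or more."""
    by_size = defaultdict(list)
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        size, path = int(m.group("size")), m.group("path")
        if size > 0 and path.lower().endswith(".exe"):
            by_size[size].append(path)
    return {s: p for s, p in by_size.items() if len(p) >= min_count}


def report(log_text):
    """Human-readable findings, one per line."""
    lines = []
    for scope, guid, cmd in bogus_active_setup(log_text):
        lines.append(f"malformed Active Setup GUID ({scope}ASetup) {guid} -> {cmd}")
    for size, paths in same_size_executables(log_text).items():
        lines.append(f"{len(paths)} executables of exactly {size} bytes:")
        lines.extend("    " + p for p in paths)
    return lines


# Excerpts of the DDS log posted in this thread (copied, not constructed).
SAMPLE_DDS = r"""
mASetup: {14MAD6M8-1MAD-81AD-JIM6-26OP5G3369085} - c:\xavx\release\xAVy.exe
mASetup: {67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431} - c:\setup\data\June.exe
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
mASetup: {G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk} - c:\windows\system32\NVUKZ.exe
uASetup: {G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk} - c:\windows\system32\NVUKZ.exe

2009-10-27 08:36:43 90157 ----a-w- c:\documents and settings\user\h7j9f65w8.exe
2009-10-26 19:21:25 90157 ----a-w- c:\windows\system32\NVUKZ.exe
2009-10-26 18:54:13 0 d-----w- c:\program files\CCleaner
2009-10-26 17:53:14 90157 ----a-w- c:\documents and settings\user\z3x9c92v7.exe
2009-10-26 17:36:11 90157 ----a-w- c:\documents and settings\user\b4n9s95b8.exe
2009-10-26 17:22:46 0 d-----w- c:\windows\system32\appmgmt
2009-10-26 16:57:03 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2009-10-26 16:56:56 0 d-----w- c:\windows\system32\FPAP-EXL600
2009-10-26 14:26:01 90157 ----a-w- c:\documents and settings\user\s9u2n26x8.exe
2009-10-26 13:30:02 0 d-----r- c:\program files\Skype
2009-10-26 13:11:34 90157 ----a-w- c:\documents and settings\user\f2a8w344.exe
2009-10-26 12:58:47 0 d-sh--r- C:\xAVx
2009-10-26 12:57:02 90157 ----a-w- c:\documents and settings\user\b1k5a35n3.exe
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DDS)))
```

The GUID check is cheap and has a very low false-positive rate, because real installers copy their GUID from a type library or MSI and get the alphabet right. The size clustering is a heuristic: it catches a worm re-copying an unchanged body, but a packer that varies padding per copy defeats it, and the ComboFix report later in this thread uses a different "created . modified size attrs path" layout that this regex does not parse.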

Re: viruses help needed

Post by syntax0error on Tue Oct 27, 2009 9:36 am

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20.1.2009 2:14:18
System Uptime: 27.10.2009 10:30:36 (0 hours ago)

Motherboard: Hewlett-Packard | | 30AA
Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | U10 | 1828/166mhz
Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | U10 | 1828/166mhz

==== Disk Partitions =========================

C: is fixed (NTFS) - 75 GiB total, 23,634 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_135C103C&REV_02\4&BF41672&0&00E0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_135C103C&REV_02\4&BF41672&0&00E0
Service: NETw4x32

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_30AA103C&REV_00\4&2EC23395&0&32F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_30AA103C&REV_00\4&2EC23395&0&32F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_104C&DEV_803D&SUBSYS_30AA103C&REV_00\4&2EC23395&0&34F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_104C&DEV_803D&SUBSYS_30AA103C&REV_00\4&2EC23395&0&34F0
Service:

==== System Restore Points ===================

RP1: 20.1.2009 2:18:00 - Installed Nero 8
RP2: 20.1.2009 2:33:26 - Installed Microsoft Office Professional Edition 2003
RP3: 20.1.2009 2:44:35 - Installed ESET NOD32 Antivirus
RP4: 20.1.2009 18:19:51 - Installed Adobe Reader 8.1.0
RP5: 20.1.2009 9:41:55 - Installed HP Integrated Module with Bluetooth wireless technology
RP6: 20.1.2009 9:42:45 - Installed Combined Modem Driver Installer
RP7: 20.1.2009 9:45:29 - Installed Combined Modem Driver Installer
RP8: 20.1.2009 9:47:58 - Installed MultiWLAN DrvInstall
RP9: 20.1.2009 9:49:25 - Installed Combined NIC Driver Installer
RP10: 20.1.2009 9:49:35 - Installed HP Wireless Assistant
RP11: 22.1.2009 11:20:50 - System Checkpoint
RP12: 24.1.2009 18:21:11 - System Checkpoint
RP13: 9.2.2009 19:09:36 - Installed Combined Modem Driver Installer
RP14: 9.2.2009 19:14:36 - Installed Combined Modem Driver Installer
RP15: 13.2.2009 21:20:24 - System Checkpoint
RP16: 14.2.2009 21:21:35 - System Checkpoint
RP17: 22.2.2009 13:23:57 - System Checkpoint
RP18: 2.3.2009 14:56:23 - System Checkpoint
RP19: 4.3.2009 20:08:47 - System Checkpoint
RP20: 16.3.2009 14:11:03 - System Checkpoint
RP21: 17.3.2009 15:30:20 - System Checkpoint
RP22: 19.3.2009 14:15:17 - System Checkpoint
RP23: 20.3.2009 14:32:18 - System Checkpoint
RP24: 21.3.2009 21:08:26 - System Checkpoint
RP25: 27.3.2009 12:20:13 - System Checkpoint
RP26: 28.3.2009 12:35:36 - System Checkpoint
RP27: 31.3.2009 14:20:20 - System Checkpoint
RP28: 1.4.2009 14:26:48 - System Checkpoint
RP29: 20.4.2009 17:15:13 - System Checkpoint
RP30: 22.4.2009 9:56:43 - System Checkpoint
RP31: 12.5.2009 20:18:37 - System Checkpoint
RP32: 27.5.2009 10:50:10 - System Checkpoint
RP33: 1.6.2009 14:57:20 - System Checkpoint
RP34: 3.6.2009 14:57:06 - System Checkpoint
RP35: 4.6.2009 17:57:41 - System Checkpoint
RP36: 6.6.2009 19:04:10 - System Checkpoint
RP37: 9.6.2009 8:15:07 - System Checkpoint
RP38: 26.10.2009 15:07:00 - System Checkpoint
RP39: 26.10.2009 18:21:38 - Removed Opera 9.24

==== Installed Programs ======================

Ad-Aware 2007
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Agere Systems HDA Modem
Alky for Applications (Windows XP)
µTorrent
AuthenTec Fingerprint Sensor Minimum Install
Broadcom NetXtreme Ethernet Controller
CCleaner
Driver Genius Professional Edition 2007
ESET NOD32 Antivirus
GOM Player
HijackThis 2.0.2
HP Integrated Module with Bluetooth wireless technology
HP Wireless Assistant 2.00 E1
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 3
K-Lite Mega Codec Pack 4.1.4
Malwarebytes' Anti-Malware
Microsoft Office 2007 Recent Documents Gadget
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.10)
Nero 8
neroxml
SecureW2 TTLS Client 3.3.3 for Windows
Skype web features
Skype™ 4.1
Software Update for Web Folders
Spybot - Search & Destroy
VCRedistSetup
Winamp
Windows Sidebar
Windows Vista Games All In One
Your Uninstaller! 2008 Version 6.0

==== Event Viewer Messages From Past Week ========

26.10.2009 15:41:13, error: TermServDevices [1111] - Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
26.10.2009 15:41:12, error: TermServDevices [1111] - Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
26.10.2009 15:41:12, error: TermServDevices [1111] - Driver HP Deskjet F2100 series required for printer HP Deskjet F2100 series is unknown. Contact the administrator to install the driver before you log in again.
26.10.2009 15:13:43, error: Service Control Manager [7034] - The FortKnox Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
26.10.2009 13:54:56, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

==== End Of File ===========================


Re: viruses help needed

Post by syntax0error on Tue Oct 27, 2009 9:39 am

And now I have other problems! "Active Desktop Recovery" is now on my desktop! When Windows boots, it won't boot normally! I have to choose "Last Known Good Configuration" to start Windows! And it is slow!


Re: viruses help needed

Post by Belahzur on Tue Oct 27, 2009 5:39 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Re: viruses help needed

Post by syntax0error on Wed Oct 28, 2009 10:50 am

ComboFix 09-10-27.07 - User 28.10.2009 11:34.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1015.565 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\b1k5a35n3.exe
c:\documents and settings\User\b4i2y22b8.exe
c:\documents and settings\User\b4n9s95b8.exe
c:\documents and settings\User\f2a8w344.exe
c:\documents and settings\User\h7j9f65w8.exe
c:\documents and settings\User\r1p2j95k4.exe
c:\documents and settings\User\s9u2n26x8.exe
c:\documents and settings\User\v9r8v85b6.exe
c:\documents and settings\User\z3x9c92v7.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-26 19:21 . 2009-10-28 10:02 90157 ----a-w- c:\windows\system32\NVUKZ.exe
2009-10-26 18:54 . 2009-10-26 18:54 -------- d-----w- c:\program files\CCleaner
2009-10-26 16:57 . 2009-10-26 16:57 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2009-10-26 16:56 . 2009-10-26 16:56 -------- d-----w- c:\windows\system32\FPAP-EXL600
2009-10-26 16:56 . 2009-10-26 16:56 -------- d-----w- c:\documents and settings\User\Application Data\ABIG
2009-10-26 13:30 . 2009-10-28 09:59 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-10-26 13:30 . 2009-10-26 13:30 -------- d-----w- c:\program files\Common Files\Skype
2009-10-26 13:30 . 2009-10-26 13:30 -------- d-----r- c:\program files\Skype
2009-10-26 13:29 . 2009-10-26 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-26 13:07 . 2009-10-26 13:07 -------- d-----w- c:\program files\Trend Micro
2009-10-26 12:58 . 2009-10-26 12:58 -------- d-----r- C:\xAVx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 18:54 . 2009-01-20 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-26 18:00 . 2009-01-20 01:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 17:21 . 2009-01-20 01:11 -------- d-----w- c:\program files\Opera
2009-09-10 13:54 . 2009-01-20 01:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-01-20 01:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

------- Sigcheck -------

[-] 2007-12-15 . 409B44CE625776DB74EAA63F24E9D4E4 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

[-] 2007-12-15 . 837E25C89935C3CB144DD757D7FFF719 . 2302464 . . [5.1.2600.3181] . . c:\windows\system32\ntoskrnl.exe

[-] 2007-12-15 . 3F57F13786678214051DF97A1423BDCC . 2182144 . . [5.1.2600.3181] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlay1EXL600]
@="{BF9B13E4-FE9B-4121-853F-866F4E9E2830}"
[HKEY_CLASSES_ROOT\CLSID\{BF9B13E4-FE9B-4121-853F-866F4E9E2830}]
2008-04-16 13:55 599552 ----a-w- c:\windows\system32\FPAP-EXL600\FileptcIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-03 1230848]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"9UmxQPSiTJMbA"="c:\windows\system32\NVUKZ.exe" [2009-10-28 90157]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"AAWTray"="c:\program files\Security\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-25 1451264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"MbWzdFPAP-EXL600"="c:\windows\system32\FPAP-EXL600\PdtGuide.exe" [2008-04-16 1030656]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"zvb0dl2X8tt"="c:\windows\system32\NVUKZ.exe" [2009-10-28 90157]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-12-15 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-18 581693]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iastor76;iastor76;c:\windows\system32\drivers\iastor76.sys [15.12.2007 22:24 305176]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [25.10.2008 5:53 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [25.10.2008 5:51 468224]
R3 Fkndisf;FortKnox Firewall NDIS Filter Service;c:\windows\system32\drivers\fortknoxfw_ndisim.sys [20.1.2009 2:45 23248]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19.1.2009 17:49 36608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{14MAD6M8-1MAD-81AD-JIM6-26OP5G3369085}]
c:\xavx\ReleAsE\xAVy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:\setup\DATA\June.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk}]
c:\windows\system32\NVUKZ.exe

[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk}]
c:\windows\system32\NVUKZ.exe
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\9d7hr5e5.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-10-28 11:39
ComboFix-quarantined-files.txt 2009-10-28 10:38

Pre-Run: 25.284.194.304 bytes free
Post-Run: 25.259.462.656 bytes free

- - End Of File - - D8325F91E74DAA39D1448E691811E074

Re: viruses help needed

Post by Belahzur on Wed Oct 28, 2009 9:10 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\NVUKZ.exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "9UmxQPSiTJMbA"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zvb0dl2X8tt"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{14MAD6M8-1MAD-81AD-JIM6-26OP5G3369085}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk}]
    [-HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk}]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
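As an added example (mine, not the thread's and not ComboFix's own code): a small Python triage script that applies the two tells behind the script above to a constructed "Reg Loading Points" excerpt, then renders the result in the same File::/Registry:: layout. The `looks_generated` heuristic and the rule that a genuine Active Setup CLSID contains hex digits only are my own assumptions; the sample log is modelled on the one posted above, not copied from it.

```python
import re
# Constructed sample modelled on the log posted in this thread (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9UmxQPSiTJMbA"="c:\windows\system32\NVUKZ.exe" [2009-10-28 90157]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"zvb0dl2X8tt"="c:\windows\system32\NVUKZ.exe" [2009-10-28 90157]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{G0NP7z2v-B1Zd-qHJB-52lr-OUa3XrMOqGOk}]
c:\windows\system32\NVUKZ.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP = "\\active setup\\installed components\\"

def looks_generated(name):
    """True for machine-made names like '9UmxQPSiTJMbA' (alnum, has a digit, 5+ case/digit flips)."""
    if not name.isalnum() or not any(c.isdigit() for c in name):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in name]
    return sum(a != b for a, b in zip(classes, classes[1:])) >= 5

def parse_sections(log):
    """Yield (key, body lines) for each [key] block of the REGEDIT4-style dump."""
    key, body = None, []
    for line in (raw.strip() for raw in log.splitlines()):
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, body
            key, body = m.group("key"), []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        yield key, body

def triage(log):
    """Flag generated Run names and non-hex Active Setup GUIDs; note executables both reach."""
    run_hits, setup_hits = [], []
    for key, body in parse_sections(log):
        if key.lower().endswith("\\currentversion\\run"):
            for m in filter(None, map(VALUE_RE.match, body)):
                if looks_generated(m.group("name")):
                    run_hits.append((key, m.group("name"), m.group("path").lower()))
        elif ACTIVE_SETUP in key.lower():
            guid = key.rsplit("\\", 1)[1]
            if not GUID_RE.match(guid):  # a real CLSID is hex digits only
                setup_hits.append((key, body[0].lower() if body else ""))
    shared = {p for _, _, p in run_hits} & {c for _, c in setup_hits}
    return {"run": run_hits, "active_setup": setup_hits, "shared_files": sorted(shared)}

def to_cfscript(findings):
    """Render the findings in the File::/Registry:: layout shown in the thread."""
    lines = ["File::", *findings["shared_files"], "", "Registry::"]
    for key, name, _ in findings["run"]:
        lines += [f"[{key}]", f'"{name}"=-']  # "name"=- removes that one value
    for key, _ in findings["active_setup"]:
        lines.append(f"[-{key}]")  # [-key] removes the whole key
    return "\n".join(lines) + "\n"
```

Run on the sample it produces the same three kinds of entry the helper's CFScript contains: the file, the two Run values, and the bogus Active Setup key.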

Re: viruses help needed

Post by syntax0error on Thu Oct 29, 2009 2:54 pm

ComboFix 09-10-27.07 - User 29.10.2009 15:47.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1015.563 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\NVUKZ.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\NVUKZ.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 14:54 . 2009-10-28 14:54 -------- d-----w- c:\windows\system32\xircom
2009-10-28 14:54 . 2009-10-28 14:54 -------- d-----w- c:\windows\system32\wbem\snmp
2009-10-28 14:54 . 2009-10-28 14:54 -------- d-----w- c:\program files\microsoft frontpage
2009-10-28 10:33 . 2009-10-28 10:39 -------- d-----w- C:\Combo-Fix
2009-10-26 18:54 . 2009-10-26 18:54 -------- d-----w- c:\program files\CCleaner
2009-10-26 16:57 . 2009-10-26 16:57 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2009-10-26 16:56 . 2009-10-26 16:56 -------- d-----w- c:\windows\system32\FPAP-EXL600
2009-10-26 16:56 . 2009-10-26 16:56 -------- d-----w- c:\documents and settings\User\Application Data\ABIG
2009-10-26 13:30 . 2009-10-29 14:29 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-10-26 13:30 . 2009-10-26 13:30 -------- d-----w- c:\program files\Common Files\Skype
2009-10-26 13:30 . 2009-10-26 13:30 -------- d-----r- c:\program files\Skype
2009-10-26 13:29 . 2009-10-26 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-26 13:07 . 2009-10-26 13:07 -------- d-----w- c:\program files\Trend Micro
2009-10-26 12:58 . 2009-10-26 12:58 -------- d-----r- C:\xAVx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 18:54 . 2009-01-20 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-26 18:00 . 2009-01-20 01:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 17:21 . 2009-01-20 01:11 -------- d-----w- c:\program files\Opera
2009-09-10 13:54 . 2009-01-20 01:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-01-20 01:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

------- Sigcheck -------

[-] 2007-12-15 . 409B44CE625776DB74EAA63F24E9D4E4 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

[-] 2007-12-15 . 837E25C89935C3CB144DD757D7FFF719 . 2302464 . . [5.1.2600.3181] . . c:\windows\system32\ntoskrnl.exe

[-] 2007-12-15 . 3F57F13786678214051DF97A1423BDCC . 2182144 . . [5.1.2600.3181] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 04:00 . 2009-10-28 10:03 40326 c:\windows\system32\perfc009.dat
+ 2004-08-04 04:00 . 2009-10-29 14:34 40326 c:\windows\system32\perfc009.dat
+ 2004-08-04 04:00 . 2009-10-29 14:34 311938 c:\windows\system32\perfh009.dat
- 2004-08-04 04:00 . 2009-10-28 10:03 311938 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlay1EXL600]
@="{BF9B13E4-FE9B-4121-853F-866F4E9E2830}"
[HKEY_CLASSES_ROOT\CLSID\{BF9B13E4-FE9B-4121-853F-866F4E9E2830}]
2008-04-16 13:55 599552 ----a-w- c:\windows\system32\FPAP-EXL600\FileptcIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-03 1230848]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"AAWTray"="c:\program files\Security\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-25 1451264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"MbWzdFPAP-EXL600"="c:\windows\system32\FPAP-EXL600\PdtGuide.exe" [2008-04-16 1030656]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-12-15 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-18 581693]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 iastor76;iastor76;c:\windows\system32\drivers\iastor76.sys [15.12.2007 22:24 305176]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [25.10.2008 5:53 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [25.10.2008 5:51 468224]
R3 Fkndisf;FortKnox Firewall NDIS Filter Service;c:\windows\system32\drivers\fortknoxfw_ndisim.sys [20.1.2009 2:45 23248]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19.1.2009 17:49 36608]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\9d7hr5e5.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-29 15:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-29 15:51
ComboFix-quarantined-files.txt 2009-10-29 14:51
ComboFix2.txt 2009-10-28 10:39

Pre-Run: 25.223.024.640 bytes free
Post-Run: 25.194.496.000 bytes free

- - End Of File - - C32FAE90082DE4032C95F9CF87C2328A

syntax0error
Novice
Novice

Status :
Online
Offline

Posts : 31
Joined : 2009-03-25
Gender : Male
OS : windows 10
Points : 28180
# Likes : 0

View user profile

Back to top Go down

Re: viruses help needed

Post by Belahzur on Thu Oct 29, 2009 5:43 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.