"server is busy" or some other virus


"server is busy" or some other virus

Post by omer on 11th December 2009, 12:49 pm

Hi - I have run HijackThis and this is the logfile. Computer is still messed up - impossible to browse, with "server is busy" pop-ups.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:14 AM, on 12/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE8-WindowsXP-x86-ENU.exe
c:\619c75069adbca74067b\update\iesetup.exe
C:\WINDOWS\system32\mrt.exe
C:\Documents and Settings\omar\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [DCPstrApp] C:\Program Files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Wjamekafomohuxe] rundll32.exe "C:\WINDOWS\usagowel.dll",Startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Dell ControlPoint Button Service buttonsvc32KodakCCS (buttonsvc32KodakCCS) - Unknown owner - C:\DOCUME~1\omar\LOCALS~1\Temp\1.tmp.exe (file missing)
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r205445\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.27 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13087 bytes

omer
Novice

Posts: 37
Joined: 2009-12-09
Gender: Male
OS: XP Professional
Points: 26079
Likes: 0

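A small triage helper for the HijackThis log above, added here as an example (it is neither the forum's nor HijackThis' own code): it parses the entry lines, pulls out the image path, and flags the patterns a helper looks at first, such as targets that no longer exist, services with an unknown owner, rundll32 loading a DLL from C:\WINDOWS, and files in Temp or on the Desktop. The argument cut-off rules, the list of reserved process names and the C:\WINDOWS allow-list are assumptions of this example.

```python
import re

# Entries copied from the HijackThis log posted above, with several clean
# entries from the same log kept for contrast; no path here is invented.
SAMPLE_HJT = r"""
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\omar\Desktop\winlogon.scr
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [Wjamekafomohuxe] rundll32.exe "C:\WINDOWS\usagowel.dll",Startup
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
O23 - Service: Dell ControlPoint Button Service buttonsvc32KodakCCS (buttonsvc32KodakCCS) - Unknown owner - C:\DOCUME~1\omar\LOCALS~1\Temp\1.tmp.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

PATH_RE = re.compile(r'[a-z]:\\[^",\n]+')
ENV = {'%systemroot%': r'c:\windows', '%windir%': r'c:\windows',
       '%programfiles%': r'c:\program files'}
# Process names malware likes to borrow; a file with one of these stems outside
# its normal home is the pattern Malwarebytes later labelled "Reserved.Word".
RESERVED = {'winlogon', 'explorer', 'svchost', 'lsass', 'services', 'smss', 'csrss'}
# Assumption: the only binary expected to live directly in C:\WINDOWS (not a subfolder).
WINROOT_OK = {'explorer.exe'}
SYSTEM32 = r'c:\windows\system32'


def extract_path(line):
    """Return the first drive-letter path in an entry, lower-cased and without
    trailing arguments or annotations such as ' /NoDlg' or ' (file missing)'."""
    low = line.lower()
    for var, val in ENV.items():
        low = low.replace(var, val)
    m = PATH_RE.search(low)
    if not m:
        return None
    return re.split(r' /| -| \(', m.group(0))[0].strip()


def triage_line(line):
    """Heuristic reasons (possibly none) why a single HijackThis entry deserves a look."""
    low, reasons = line.lower(), []
    # An autostart entry whose target is gone is harmless by itself, but a Run
    # value still calling rundll32 on a deleted DLL is exactly what shows the
    # RUNDLL "module could not be found" box at logon.
    if '(no file)' in low or '(file missing)' in low:
        reasons.append('orphaned entry, target file absent')
    if ' - unknown owner - ' in low:
        reasons.append('service with no identifiable publisher')
    path = extract_path(line)
    if path:
        name = path.rsplit('\\', 1)[-1]
        if 'rundll32' in low and not path.startswith(SYSTEM32):
            reasons.append('rundll32 loading a DLL outside system32')
        if re.search(r'\\temp\\|locals~1|\\desktop\\', path):
            reasons.append('executable in a temp or desktop directory')
        if re.fullmatch(r'c:\\windows\\[^\\]+', path) and name not in WINROOT_OK:
            reasons.append('file dropped directly into C:\\WINDOWS')
        if (name.split('.')[0] in RESERVED and not path.startswith(SYSTEM32)
                and path != r'c:\windows\explorer.exe'):
            reasons.append('reserved Windows process name in the wrong location')
    return reasons


def triage(log_text):
    """Return [(entry, reasons)] for every entry that tripped at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for entry, why in triage(SAMPLE_HJT):
        print(entry[:70], '->', '; '.join(why))
```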

Re: "server is busy" or some other virus

Post by Dr Jay on 11th December 2009, 2:15 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 13810
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security
Points: 302437
Likes: 10


Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 1:05 am

Hi - I had downloaded this Malwarebytes Anti-Malware 2 weeks ago and I ran it a few times. The first 2 times it noted infected stuff which I deleted. But since the last few days - whenever I run it, it says nothing bad found - but I'm sure there are more viruses. The computer is totally stuck! It takes an hour just to open and type this. Should I install the anti-malware again?

And from today - this new "Privacy Center" logo is coming and it pops up. Is that a virus, or part of the Microsoft updates? I'm posting all of the Malwarebytes scans.
Thanks!!


Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 1:40 am

Latest - quick scan:


Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 3

12/11/2009 8:39:37 PM
mbam-log-2009-12-11 (20-39-36).txt

Scan type: Quick Scan
Objects scanned: 127572
Time elapsed: 1 hour(s), 11 minute(s), 40 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 17

Memory Processes Infected:
C:\Documents and Settings\LocalService\Application Data\PC\agent.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\privacy-components (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agent.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\PC\faq (Rogue.ControlCenter) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images (Rogue.ControlCenter) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Temp\flash_player_update.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\guide.html (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg1.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg10.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg2.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg3.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg4.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg5.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg6.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg7.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg8.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\faq\images\gimg9.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\pc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\agent.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\PC\settings.ini (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 2:05 am

Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 3

11/26/2009 10:49:37 PM
mbam-log-2009-11-26 (22-49-37).txt

Scan type: Quick Scan
Objects scanned: 118616
Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\39799138\39799138.exe (Rogue.SecurityTool) -> Unloaded process successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39799138 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\promoreg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\39799138 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\39799138\39799138.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Local Settings\Temp\ndqahv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Local Settings\Temp\plugtmp\plugin-pfqe.php (Exploit.Java) -> Quarantined and deleted successfully.


Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 2:06 am

Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 3

12/8/2009 12:48:39 PM
mbam-log-2009-12-08 (12-48-39).txt

Scan type: Quick Scan
Objects scanned: 125311
Time elapsed: 30 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ykda.sxo (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbsndm.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe ykda.sxo ukqbtms) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\kbsndm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ykda.sxo (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\2C.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Local Settings\Temp\2C.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.


Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 4:30 am

I ran a FULL SCAN just now:

Malwarebytes' Anti-Malware 1.42
Database version: 3348
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/11/2009 11:05:49 PM
mbam-log-2009-12-11 (23-05-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198073
Time elapsed: 1 hour(s), 56 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\PC\faq (Rogue.ControlCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\12.tmp (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\13.tmp (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\14.tmp (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\2D.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\ygwmcu.dll (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Local Settings\Temp\7F.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Local Settings\Temp\ygwmcu.dll (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\omar\Local Settings\Temp\2D.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\her001.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

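The four Malwarebytes logs in this thread share one layout, and the counts at the top do not say whether the cleanup actually finished. This added parser (example code, not Malwarebytes' own) reads the per-section items, keeps the family and outcome of each, and reports which objects are still pending a reboot or failed to unload, which is the case in the 12/11 quick scan. The sample is an excerpt of the posted logs; the set of "pending" outcomes is an assumption of this example.

```python
import re

# Lines copied from the Malwarebytes logs posted above (mostly the 12/11/2009
# quick scan, plus the Winlogon\Shell item from the 12/8 log for its
# "Bad: ... Good: ..." form); the summary counts were left out of this excerpt.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 3

12/11/2009 8:39:37 PM
mbam-log-2009-12-11 (20-39-36).txt

Scan type: Quick Scan
Objects scanned: 127572
Time elapsed: 1 hour(s), 11 minute(s), 40 second(s)

Memory Processes Infected:
C:\Documents and Settings\LocalService\Application Data\PC\agent.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\privacy-components (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe ykda.sxo ukqbtms) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\PC\faq (Rogue.ControlCenter) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Temp\flash_player_update.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\PC\agent.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\omar\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r'^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$')
DATE_RE = re.compile(r'^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$')
SECTION_RE = re.compile(r'^([A-Za-z ]+ Infected):$')
# item text, then "(Family)" that is either the end of the text or followed by " ->"
ITEM_RE = re.compile(r'^(?P<item>.+?) \((?P<family>[\w.]+)\)(?= ->|$)(?P<detail>.*)$')
# Assumption: outcomes that mean the object is still present until a reboot;
# a log with any of these is not a clean machine yet, whatever the counts say.
PENDING = {'Delete on reboot', 'Failed to unload process'}


def parse_item(line):
    """Split one detection line into item, family, optional detail and outcome."""
    head, sep, outcome = line.rpartition(' -> ')
    m = ITEM_RE.match(head) if sep else None
    if not m:
        return None
    d = m.groupdict()
    d['detail'] = d['detail'].lstrip(' ->')   # e.g. "Bad: (...) Good: (Explorer.exe)"
    d['outcome'] = outcome.rstrip('.')
    return d


def parse_mbam(text):
    report = {'header': {}, 'sections': {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report['sections'][section] = []
        elif section:
            item = parse_item(line)          # "(No malicious items detected)" yields None
            if item:
                report['sections'][section].append(item)
        elif line.startswith("Malwarebytes' Anti-Malware"):
            report['header']['version'] = line.rsplit(' ', 1)[1]
        elif DATE_RE.match(line):
            report['header']['date'] = line
        elif HEADER_RE.match(line):
            key, value = HEADER_RE.match(line).groups()
            report['header'][key] = value
    return report


def all_items(report):
    return [i for items in report['sections'].values() for i in items]


def pending_items(report):
    """Objects the scan could not remove immediately; re-scan after the reboot."""
    return [i for i in all_items(report) if i['outcome'] in PENDING]


def families(report):
    return sorted({i['family'] for i in all_items(report)})


if __name__ == '__main__':
    rep = parse_mbam(SAMPLE_MBAM)
    print(rep['header'], families(rep))
    for it in pending_items(rep):
        print('PENDING:', it['item'], it['outcome'])
```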

Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 4:32 am

When I open the computer, a window comes up "RUNDLL" - it says that one of the Windows modules is not found. Does anyone know what that means? Did I delete something while removing the virus?


Re: "server is busy" or some other virus

Post by Dr Jay on 12th December 2009, 8:24 am

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.



Re: "server is busy" or some other virus

Post by omer on 12th December 2009, 4:03 pm

Hey -
I downloaded the SDFix - but
I can't open my computer in Safe Mode - it gives an error.

*** STOP: OX0000007E

or something like this. Is there anything I can do?


Re: "server is busy" or some other virus

Post by Dr Jay on 12th December 2009, 11:04 pm

Please download RootRepeal from [You must be registered and logged in to see this link.].

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).



Re: "server is busy" or some other virus

Post by omer on 13th December 2009, 5:33 pm

Hi - Thanks for your help!
I'm posting the RootRepeal report. Will wait for the next step.
Computer is still the same, no better.



ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/13 09:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9CADF000 Size: 851968 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9B609000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_dfc.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\system32\drivers\avg\incavi.avm.prepare
Status: Allocation size mismatch (API: 46542848, Raw: 0)

Path: c:\documents and settings\all users\application data\avg8\update\prepare\incavi.avm
Status: Size mismatch (API: 18220393, Raw: 17565033)

==EOF==


Re: "server is busy" or some other virus

Post by Dr Jay on 13th December 2009, 6:46 pm

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Dr. Jay (DJ)



Re: "server is busy" or some other virus

Post by omer on 13th December 2009, 8:17 pm

Hi -
Here's the SysProt log.
Will wait for the next step.
Thanks!!



SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\verclsid.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 9D004000
Module End: 9D0D4000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}
Status: Access denied


Re: "server is busy" or some other virus

Post by Dr Jay on 13th December 2009, 8:36 pm

This is getting hard to find. Let me think.

Please download the [You must be registered and logged in to see this link.] and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button

  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)

    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you

  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now


Dr. Jay (DJ)



Re: "server is busy" or some other virus

Post by omer on 13th December 2009, 10:40 pm

Well - I've downloaded and started the scan. It seems to be stuck at the same place for the last 50 minutes - I'm guessing it's still scanning?
Does it take hours??
I'll just let it run.


Re: "server is busy" or some other virus

Post by omer on 13th December 2009, 11:56 pm

The scan is showing up a lot of "unknown hidden files", which it says are:

Removable [but cleanup not recommended]

Should I remove these or not?


Re: "server is busy" or some other virus

Post by omer on 14th December 2009, 3:22 am

1. Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UnableToDetectTime
Removable: No
Notes: (type 1, length 40) "2 0 0 9 - 1 2 - 1 3 1 7 : 0 2 : 4 9 "

2. Area: Local hard drives
Description: Unknown hidden file
Location: C:\I386\AUTOFMT.EXE
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

3. Area: Local hard drives
Description: Unknown hidden file
Location: C:\I386\NTFS.SYS
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

4. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

5. Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP281\A0018743.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

6. Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NlsLexicons0009.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

7. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\InstallShield Installation Information\{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}\ISSetup.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

8. Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\win32spl.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

9. Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\mui\0401\xpsp2res.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

10. Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\mui\040D\xpsp2res.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

11. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\mfc71.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

12. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\mfc71u.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

13. Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\Common Files\Roxio Shared\DLLShared\CDDBControlRoxio.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)


Re: "server is busy" or some other virus

Post by omer on 14th December 2009, 3:48 am

Hi - there are at least another 30 or 40 such entries of unknown hidden files - a lot of them temporary internet files. The scan is still going on. I'm going to leave it running and get some sleep.

Please let me know if I should clean these or not (just as it says "not recommended"). Or should I post the description for each of them here???

I can run the scan again tomorrow.
Thanks!


Re: "server is busy" or some other virus

Post by Dr Jay on 16th December 2009, 2:31 pm

You have a Master Boot Record infection.

This infection installs its own code into the MBR of your filesystem. This is described as a rootkit. It is called Mebroot.

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.


Dr. Jay (DJ)


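The detector requested above reports whether the MBR read from user mode agrees with the MBR read from the kernel, which is how a bootkit that filters disk reads gets caught. As an added example, not the forum's code and not GMER's mbr.exe, the Python below parses a 512-byte MBR, validates its boot signature and partition table, and runs that cross-view comparison plus a known-good hash check; all sample sectors, names and the `0x90`/`0xcc` boot-code stand-ins are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: the boot loader a bootkit overwrites
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
BOOT_SIG_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int           # partition type, e.g. 0x07 = NTFS
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Validate the boot signature and decode the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if type_id == 0:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: bad status byte 0x{status:02x}")
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_sha256(sector: bytes) -> str:
    """Hash only the boot code; the partition table legitimately differs per machine."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def cross_view_check(user_view: bytes, kernel_view: bytes,
                     known_good_sha256: Optional[str] = None) -> dict:
    """Compare the MBR handed to a user-mode reader with the MBR read below the
    driver stack, then optionally compare the boot code to a known-good hash.
    A bootkit that filters disk reads returns the original sector to user mode,
    so the two views diverge; one that does not filter is caught only by the hash."""
    parse_mbr(user_view)                  # both views must at least be well-formed
    parse_mbr(kernel_view)
    result = {
        "boot_code_match": user_view[:BOOT_CODE_LEN] == kernel_view[:BOOT_CODE_LEN],
        "partition_table_match": (user_view[PART_TABLE_OFF:BOOT_SIG_OFF]
                                  == kernel_view[PART_TABLE_OFF:BOOT_SIG_OFF]),
        "kernel_boot_code_sha256": boot_code_sha256(kernel_view),
    }
    if not (result["boot_code_match"] and result["partition_table_match"]):
        result["verdict"] = "user != kernel MBR: disk reads are being filtered"
    elif known_good_sha256 and result["kernel_boot_code_sha256"] != known_good_sha256:
        result["verdict"] = "boot code differs from known-good image"
    else:
        result["verdict"] = "user & kernel MBR OK"
    return result


# --- constructed sample sectors (placeholders, not real disk images) ---------
def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, count)."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    for bootable, type_id, lba, count in partitions:
        # status, CHS start (unused here), type, CHS end (unused), LBA start, count
        sector += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                              type_id, b"\xfe\xff\xff", lba, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    sector += BOOT_SIGNATURE
    return bytes(sector)


CLEAN_BOOT_CODE = b"\x90" * BOOT_CODE_LEN      # stand-in for the vendor boot loader
TAMPERED_BOOT_CODE = b"\xcc" * BOOT_CODE_LEN   # stand-in for overwritten boot code
PARTITIONS = [(True, 0x07, 63, 488392002)]     # one bootable NTFS partition, constructed

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTITIONS)
KNOWN_GOOD_SHA256 = boot_code_sha256(CLEAN_MBR)  # as taken from a backup of the clean disk

if __name__ == "__main__":
    # 1: nothing filtered and boot code matches the backup -> OK
    print(cross_view_check(CLEAN_MBR, CLEAN_MBR, KNOWN_GOOD_SHA256)["verdict"])
    # 2: user mode is shown the original while the raw sector is modified -> filtered
    print(cross_view_check(CLEAN_MBR, TAMPERED_MBR)["verdict"])
    # 3: no filtering (e.g. disk read from clean boot media); only the hash catches it
    print(cross_view_check(TAMPERED_MBR, TAMPERED_MBR, KNOWN_GOOD_SHA256)["verdict"])
```

Scenario 3 is why a "user & kernel MBR OK" line on its own is not proof of a clean boot sector: without a known-good hash, a modification that is not being hidden from user mode passes the cross-view test.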

Re: "server is busy" or some other virus

Post by omer on 18th December 2009, 12:40 am

Hi -
This took only 5 seconds! The log reads:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


Re: "server is busy" or some other virus

Post by omer on 18th December 2009, 1:29 am

Also I ran the sarsfx scan. It found 300 hidden files, but all of them were "clean up not recommended".


Re: "server is busy" or some other virus

Post by Dr Jay on 18th December 2009, 4:00 am

Please download ComboFix from here: [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Re: "server is busy" or some other virus

Post by omer on 19th December 2009, 2:17 am

Hey. My computer seems to be remarkably fixed!! I downloaded this ComboFix and ran it. There was some problem, it seemed, like downloading the Microsoft Windows Recovery Console, but it ran anyway. Then it said rootkit detected and rebooted. Then it scanned, and then for 30 minutes or so it just read "deleting file c/windows/system32 somethingggg". It wasn't changing so I rebooted, and now everything's running almost back to normal! I can't find the log. I'm not sure if I closed the computer too early. I'm going to run ComboFix again to see what happens. Thanks! Let me know if I need to do something.


Re: "server is busy" or some other virus

Post by Dr Jay on 19th December 2009, 3:07 am

Please post the ComboFix log, so I may make sure.


Dr. Jay (DJ)



Re: "server is busy" or some other virus

Post by omer on 19th December 2009, 3:16 am

So the first time ComboFix did a partial job but didn't save any log.

So I deleted it, downloaded & ran it again. This time it downloaded the Windows Recovery Console OK. Then scanned it and fixed it. Then rebooted. Then it got stuck saying "preparing log". Then I rebooted it.

Anyhow, here's the log now!!


Re: "server is busy" or some other virus

Post by omer on 19th December 2009, 3:16 am

ComboFix 09-12-18.01 - omar 12/18/2009 21:25:12.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2003.1555 [GMT -5:00]
Running from: C:\Documents and Settings\omar\desktop\commy.exe
Command switches used :: /stepdel
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\omar\LOCALS~1\Temp\1.tmp
C:\Documents and Settings\LocalService\Application Data\PC
C:\WINDOWS\system32\2182919196.dat
C:\WINDOWS\system32\st326124.dll

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BUTTONSVC32KODAKCCS
-------\Service_buttonsvc32KodakCCS


((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-16 01:00:18 . 2009-12-16 01:00:18 -------- d-----w- C:\Documents and Settings\HelpAssistant\PrivacIE
2009-12-16 00:56:26 . 2009-12-16 00:56:26 -------- d-----w- C:\Documents and Settings\HelpAssistant\IETldCache
2009-12-16 00:55:35 . 2009-12-16 00:55:35 -------- d-----w- C:\Documents and Settings\HelpAssistant\.SunDownloadManager
2009-12-16 00:52:56 . 2009-12-16 00:52:56 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2009-12-13 20:56:49 . 2009-12-13 20:56:49 -------- d-----w- C:\Program Files\Sophos
2009-12-12 15:06:17 . 2008-11-06 07:03:27 -------- d-----w- C:\SDFix
2009-12-12 00:17:20 . 2009-12-12 00:17:20 -------- d-sh--w- C:\Documents and Settings\omar\PrivacIE
2009-12-11 23:54:37 . 2009-12-11 23:54:37 -------- d-sh--w- C:\WINDOWS\system32\config\systemprofile\IETldCache
2009-12-11 23:47:55 . 2009-12-11 23:47:55 -------- d-sh--w- C:\Documents and Settings\omar\IETldCache
2009-12-11 14:19:03 . 2009-10-29 07:45:38 12800 -c----w- C:\WINDOWS\system32\dllcache\xpshims.dll
2009-12-11 14:19:02 . 2009-10-29 07:45:34 246272 -c----w- C:\WINDOWS\system32\dllcache\ieproxy.dll
2009-12-11 14:13:36 . 2009-12-11 14:13:36 -------- d-----w- C:\WINDOWS\ie8updates
2009-12-11 14:08:48 . 2009-10-02 04:44:07 92160 -c----w- C:\WINDOWS\system32\dllcache\iecompat.dll
2009-12-11 13:12:48 . 2009-12-11 13:32:26 -------- dc-h--w- C:\WINDOWS\ie8
2009-12-11 01:38:31 . 2009-12-11 01:37:05 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-12-09 03:30:46 . 2009-12-09 03:37:04 -------- d-----w- C:\Documents and Settings\omar\.SunDownloadManager
2009-12-08 04:25:41 . 2009-12-08 04:25:41 -------- d-----w- C:\Documents and Settings\HelpAssistant\UserData
2009-12-08 04:25:41 . 2009-12-08 04:25:41 -------- d-----w- C:\Documents and Settings\HelpAssistant\Tracing
2009-12-08 04:25:24 . 2009-12-08 04:25:24 -------- d-----w- C:\Documents and Settings\HelpAssistant\LocalLow
2009-12-06 21:37:00 . 2009-12-06 21:37:00 -------- d-----w- C:\Documents and Settings\omar\Local Settings\Application Data\{3AF4E12B-6A95-48D5-9F38-F552B26EB99B}
2009-12-05 00:35:52 . 2009-12-08 16:10:39 120 ----a-w- C:\WINDOWS\Ikoxegigusobogi.dat
2009-12-05 00:35:52 . 2009-12-08 13:27:00 0 ----a-w- C:\WINDOWS\Fhutohoma.bin
2009-11-27 03:30:36 . 2009-11-27 03:30:36 -------- d-----w- C:\Documents and Settings\omar\Application Data\Malwarebytes
2009-11-27 03:30:30 . 2009-12-03 21:14:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-11-27 03:30:29 . 2009-12-12 02:00:02 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-27 03:30:29 . 2009-12-03 21:13:56 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-11-27 03:30:29 . 2009-11-27 03:30:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-22 20:07:37 . 2009-05-18 19:17:00 26600 ----a-w- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2009-11-22 20:07:37 . 2008-04-17 18:12:54 107368 ----a-w- C:\WINDOWS\system32\GEARAspi.dll
2009-11-22 20:07:17 . 2009-11-22 20:07:17 -------- d-----w- C:\Program Files\iPod
2009-11-22 20:07:13 . 2009-11-22 20:07:35 -------- d-----w- C:\Program Files\iTunes
2009-11-22 20:07:13 . 2009-11-22 20:07:35 -------- d-----w- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-22 20:07:00 . 2009-11-22 20:07:00 -------- d-----w- C:\Program Files\Bonjour
2009-11-22 20:06:28 . 2009-11-22 20:06:49 -------- d-----w- C:\Program Files\QuickTime
2009-11-22 20:06:27 . 2009-11-22 20:07:13 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-11-22 20:05:29 . 2009-11-22 20:07:15 -------- d-----w- C:\Program Files\Common Files\Apple
2009-11-22 20:04:13 . 2009-11-22 20:04:28 93234472 ----a-w- C:\iTunesSetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 02:31:33 . 2009-04-22 13:21:28 720 ----a-w- C:\Documents and Settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-12-19 02:31:26 . 2009-02-26 23:52:16 0 ----a-w- C:\Documents and Settings\omar\Local Settings\Application Data\WavXMapDrive.bat
2009-12-14 10:36:31 . 2009-02-14 01:23:00 318488 ----a-w- C:\WINDOWS\system32\drivers\iaStor.sys
2009-12-12 14:53:52 . 2009-12-13 14:44:48 1143064 ----a-w- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-12-12 14:50:25 . 2009-12-13 14:44:43 1478936 ----a-w- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-12-12 14:46:40 . 2009-12-13 14:44:39 759064 ----a-w- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-12-12 01:59:08 . 2009-12-12 01:59:07 4844296 ----a-w- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-11 02:35:02 . 2009-02-13 23:37:16 -------- d-----w- C:\Program Files\Java
2009-12-11 01:31:04 . 2009-12-11 01:31:03 152576 ----a-w- C:\Documents and Settings\omar\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-11 01:29:39 . 2009-12-11 01:29:39 79488 ----a-w- C:\Documents and Settings\omar\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-10 02:31:04 . 2009-02-27 00:07:22 -------- d-----w- C:\Documents and Settings\All Users\Application Data\avg8
2009-12-05 03:51:16 . 2009-02-27 00:10:26 1 ----a-w- C:\Documents and Settings\omar\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-02 13:02:40 . 2009-03-01 10:11:13 -------- d-----w- C:\Documents and Settings\omar\Application Data\ICAClient
2009-11-29 17:15:00 . 2009-03-22 15:19:47 0 ----a-w- C:\WINDOWS\system32\drivers\lvuvc.hs
2009-11-25 23:20:40 . 2009-12-13 17:06:28 2063640 ----a-w- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-25 23:20:38 . 2009-12-13 17:06:21 3514648 ----a-w- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-25 23:20:36 . 2009-12-13 17:06:17 2029336 ----a-w- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-22 20:09:07 . 2009-10-01 01:18:20 -------- d-----w- C:\Documents and Settings\omar\Application Data\Apple Computer
2009-11-12 22:07:12 . 2009-11-12 22:07:12 79144 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 16:54:42 . 2009-02-28 22:20:39 -------- d-----w- C:\Program Files\Windows Live
2009-11-11 16:52:17 . 2009-11-11 16:52:17 -------- d-----w- C:\Program Files\Microsoft
2009-10-29 07:45:38 . 2008-04-25 16:16:28 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-10-21 05:38:36 . 2008-04-25 16:16:26 75776 ----a-w- C:\WINDOWS\system32\strmfilt.dll
2009-10-21 05:38:36 . 2008-04-25 16:16:16 25088 ----a-w- C:\WINDOWS\system32\httpapi.dll
2009-10-20 22:34:58 . 2009-02-13 23:40:01 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2009-10-20 16:20:16 . 2008-04-14 00:23:54 265728 ----a-w- C:\WINDOWS\system32\drivers\http.sys
2009-10-13 10:30:16 . 2008-04-25 16:16:21 270336 ----a-w- C:\WINDOWS\system32\oakley.dll
2009-10-12 13:38:19 . 2008-04-25 16:16:22 149504 ----a-w- C:\WINDOWS\system32\rastls.dll
2009-10-12 13:38:18 . 2008-04-25 16:16:22 79872 ----a-w- C:\WINDOWS\system32\raschap.dll
2009-03-01 09:03:52 . 2009-03-01 09:03:40 35124856 ----a-w- C:\Program Files\AdbeRdr90_en_US.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2008-07-25 16:16:58 282112 ----a-w- C:\WINDOWS\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2008-07-25 16:16:58 282112 ----a-w- C:\WINDOWS\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 10:40:32 218032]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 21:44:34 3883856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 17:42:30 1695232]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 22:50:30 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2008-10-28 01:16:42 200704]
"SysTrayApp"="C:\Program Files\IDT\WDM\sttray.exe" [2008-12-01 21:24:36 483420]
"AESTFltr"="C:\WINDOWS\system32\AESTFltr.exe" [2008-12-01 21:24:22 471040]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-08-13 00:34:42 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-08-13 00:34:28 170520]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-08-13 00:34:32 141848]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-12-11 01:37:08 149280]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 12:12:18 178712]
"ChangeTPMAuth"="C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 15:37:50 180224]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 23:42:16 105472]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 13:16:50 243000]
"EmbassySecurityCheck"="C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 13:16:44 79160]
"DellControlPoint"="C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 17:12:42 598016]
"DCPstrApp"="C:\Program Files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 23:21:56 6656]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-10-28 22:09:20 2220032]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 20:06:08 128296]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-12-13 15:04:43 2043160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 07:38:00 34672]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 05:12:48 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 05:13:48 774168]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 17:32:18 203264]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22:02 3739648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-11-11 04:08:18 417792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-11-12 21:33:10 141600]

C:\Documents and Settings\omar\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-8-1 1201432]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 15:22:51 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

omer
Novice
Novice

Posts Posts : 37
Joined Joined : 2009-12-09
Gender Gender : Male
OS OS : XP Professional
Points Points : 26079
# Likes # Likes : 0

View user profile

Back to top Go down
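Added example, not from the thread and not part of ComboFix or HijackThis: a small Python triage pass over the LSA and firewall-policy sections of the log above, run on a constructed copy of those same values. The point a responder wants from this part of the log is which firewall exceptions and LSA packages Windows created itself and which were added by something else. The XP default-exception table and the "generic display name on a high port" heuristic are my own assumptions; wvauth is reported only as a non-default authentication package (on this machine it most plausibly belongs to the Wave Systems software visible in the process list, which the page does not confirm), not declared malicious.

```python
import re

# Constructed sample input: the LSA and firewall-policy sections in the
# same shape ComboFix prints them (values copied from the log in this thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P=port):(?P=proto):(?P<name>.*)$'
)

# Assumption: the port exceptions Windows XP SP2/SP3 creates on its own
# (File and Printer Sharing, UPnP, Remote Desktop). Verify against a clean
# reference machine; anything else was added by software or by an admin.
XP_DEFAULT_EXCEPTIONS = {
    (139, "TCP"): "File and Printer Sharing",
    (445, "TCP"): "File and Printer Sharing",
    (137, "UDP"): "File and Printer Sharing",
    (138, "UDP"): "File and Printer Sharing",
    (2869, "TCP"): "UPnP Framework",
    (1900, "UDP"): "UPnP Framework",
    (3389, "TCP"): "Remote Desktop",
}


def parse_sections(text):
    """Split ComboFix-style output into {section key (lowercased): [lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_open_ports(text):
    """Classify every GloballyOpenPorts entry; returns a list of dicts."""
    results = []
    for key, lines in parse_sections(text).items():
        if not key.endswith(r"firewallpolicy\standardprofile\globallyopenports\list"):
            continue
        for line in lines:
            m = PORT_RE.match(line)
            if not m:
                continue
            port, proto = int(m.group("port")), m.group("proto")
            name = m.group("name").strip()
            if (port, proto) in XP_DEFAULT_EXCEPTIONS:
                verdict = "windows default exception; confirm it was meant to be enabled"
            elif name.lower() == "services" and port >= 1024:
                # Generic display name on a high, non-standard port (the
                # pattern in this log). Heuristic: the product that opened it
                # should be identifiable; if it is not, treat it as hostile.
                verdict = "suspicious"
            else:
                verdict = "review"
            results.append({"port": port, "proto": proto, "name": name, "verdict": verdict})
    return results


def triage_lsa_packages(text):
    """Return LSA authentication packages beyond the XP default msv1_0."""
    extra = []
    for key, lines in parse_sections(text).items():
        if not key.endswith(r"\control\lsa"):
            continue
        for line in lines:
            if line.startswith("Authentication Packages"):
                packages = line.split("REG_MULTI_SZ", 1)[1].split()
                extra.extend(p for p in packages if p.lower() != "msv1_0")
    return extra


if __name__ == "__main__":
    for row in triage_open_ports(SAMPLE_LOG):
        print(f"{row['port']}/{row['proto']:<3} {row['name']:<15} {row['verdict']}")
    print("non-default LSA authentication packages:", triage_lsa_packages(SAMPLE_LOG))
```

The four "Services" entries are exactly the ones a responder would chase first: an LSA authentication package loads inside lsass.exe and a firewall exception survives most cleanups, so both belong on the list of things to re-check after the tool runs.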

Re: "server is busy" or some other virus

Post by omer on 19th December 2009, 3:17 am

Is it all good?
Thanks!!

Re: "server is busy" or some other virus

Post by Dr Jay on 19th December 2009, 6:19 am

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\Ikoxegigusobogi.dat
    C:\WINDOWS\Fhutohoma.bin

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Last edited by DragonMaster Jay on 21st December 2009, 9:03 am; edited 1 time in total


Dr. Jay (DJ)

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13810
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302437
# Likes # Likes : 10

View user profile

Back to top Go down
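Added example, not from the thread and not part of ComboFix: a Python helper that parses a CFScript like the one in the post above and, before the script is handed to the tool, copies every file listed under File:: into a backup folder with its SHA-256 recorded in a manifest. It goes one step beyond the posted procedure (the backup itself), so that a file removed by the File:: directive can be put back from a rescue environment if it turns out to have been needed. The sample script and the test files are constructed; treating any line ending in "::" as a directive is an assumption about the script format beyond the File:: directive the post shows.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Constructed sample: a CFScript in the form used in this thread. The two
# paths are the ones the post lists; nothing here claims what those files are.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\Ikoxegigusobogi.dat
C:\WINDOWS\Fhutohoma.bin
"""


def parse_cfscript(text):
    """Map each 'Name::' directive to the non-blank lines under it (assumed format)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_backup(script_text, backup_dir, resolve=Path):
    """Copy every file named under File:: into backup_dir and record its hash.

    resolve maps the path string in the script to a local Path; the default
    is right on the machine being cleaned, a test can point it at a temp dir.
    Returns the manifest, which is also written to backup_dir/manifest.json.
    """
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for i, listed in enumerate(parse_cfscript(script_text).get("File", [])):
        src = resolve(listed)
        entry = {"listed": listed, "exists": src.is_file(), "sha256": None, "backup": None}
        if entry["exists"]:
            # Numbered copy so two files with the same basename do not collide.
            dst = backup_dir / f"{i:03d}_{src.name}"
            shutil.copy2(src, dst)
            entry["sha256"] = sha256_of(src)
            entry["backup"] = str(dst)
            # Refuse to proceed if the copy does not match; a bad backup is
            # worse than none once the original is gone.
            if sha256_of(dst) != entry["sha256"]:
                raise RuntimeError(f"backup copy of {listed} does not match the original")
        manifest.append(entry)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import tempfile

    backup = Path(tempfile.mkdtemp(prefix="cfscript-backup-"))
    for entry in stage_backup(SAMPLE_CFSCRIPT, backup):
        print(entry)
```

Run it on the cleaned machine with the script saved as CFScript.txt before step 5; the manifest doubles as a record of what the script targeted and what the file looked like before removal, which is the evidence you want if the system later fails to boot.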

Re: "server is busy" or some other virus

Post by omer on 20th December 2009, 7:42 pm

Well my computer crashed!

It was running beautifully - back to normal.
And then I followed the above instructions to re-run ComboFix.
It scanned.
Then said 'deleting files'.
Then 'creating log' - and just at that time this blue screen came saying 'windows has been shut down to prevent harm to your system'.

Now Windows won't open at all - if I try to open it normally, open it in safe mode, open it through the Windows Recovery Console - it doesn't open. The same blue screen comes on saying it has been automatically shut down!

Please guide me as soon as possible. Can anything be done?

If I hadn't re-run ComboFix it would've been just fine!

Re: "server is busy" or some other virus

Post by omer on 20th December 2009, 8:06 pm

Please give me advice - I'm paralyzed without my computer.
Can I simply somehow reformat and install XP again???

Re: "server is busy" or some other virus

Post by Dr Jay on 21st December 2009, 9:05 am

If you would like to, that is possible.

However, we might be able to recover it. There was an infection in a system file, and instead of disinfecting it, ComboFix may have deleted it. This was the reason why the program was taken offline the other day. I will report it.

==

Avira AntiVir Rescue System is a Linux-based application that gives access to computers that can no longer be booted.
  • Download The Avira AntiVir Rescue System from [You must be registered and logged in to see this link.].
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.


Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.


Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed.


Then please start the scan.

The Avira AntiVir Rescue System will now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.


Dr. Jay (DJ)