INFECTED ... Internet Security 2010 ... of course...lol HELP please


Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Belahzur on 1st January 2010, 11:22 pm

Hello.
It has hidden attributes.


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.

Now can you see it?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245121
Likes: 1

Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Dragoness00 on 1st January 2010, 11:36 pm

yes.. So I am going to continue with the rest of the instructions now =)

Dragoness00
Novice

Posts: 24
Joined: 2009-12-30
Gender: Female
OS: Windows XP
Points: 25728
Likes: 0

Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Dragoness00 on 1st January 2010, 11:40 pm

ok I did it, it scanned and I saw nothing that said results just these two things

Scan finished. 9 out of 20 scanners reported malware.

and


Additional info
File size: 16384 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 85bec1004ed4bcc406f38f9537fbddd6
SHA1: 9a484650fa05d343c27b6202a0adb7276b82acb6

plus a huge list of different scanners and what they found but those won't paste here because of the pics in the names


Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Belahzur on 2nd January 2010, 12:06 am

Hello.
Delete this file in bold:
c:\windows\system32\sonewibu.exe

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Dragoness00 on 2nd January 2010, 12:31 am

hmm it still seems a little sluggish and now I have these on my desktop, 2 data base files used by my operating system ( at least that's what they say if I click on them ) ehthumbs.db and Thumbs.db and they have never been there before =/


and I still have AVG not running or working but it is still in my pc..


Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Belahzur on 2nd January 2010, 12:42 am

Yeah, just leftover folders, we'll remove them soon.
Please post a new Hijack This log.



Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Dragoness00 on 2nd January 2010, 10:58 pm

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:56:22 PM, on 1/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldncoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [combofix] "C:\Combo-Fix\CF19193.cfxxe" /c "C:\Combo-Fix\C.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6265 bytes


Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Belahzur on 3rd January 2010, 12:09 am

Hello.

You can delete those two .db files.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [combofix] "C:\Combo-Fix\CF19193.cfxxe" /c "C:\Combo-Fix\C.bat"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe



  • Press "Fix Checked"
  • Close Hijack This.

I recommend you remove the Java Quick Starter because it's not needed.
To do so, follow these instructions.

Go to Start > Control Panel > Java.
In the Java control panel, click the Advanced tab. Click the + in front of Miscellaneous and uncheck the Java Quick Starter box.

See [You must be registered and logged in to see this link.] for more info.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\Vangie\Application Data\AVG8
    c:\documents and settings\All Users\Application Data\McAfee
    c:\program files\Common Files\Symantec Shared
    c:\documents and settings\All Users\Application Data\Symantec
    c:\program files\AVG


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


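A rescan check for the "Fix Checked" step in the post above, as an added example that is not part of the original thread or of HijackThis itself: it parses HijackThis entry lines and reports which ticked lines were never in the original log, which survive a rescan, and which entries are new. The function names and the AFTER rescan are constructed for illustration; BEFORE reuses four lines from the log posted in this thread.

```python
import re

# HijackThis entry lines have the form "<code> - <details>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autostart details: hive, key, value name, command line.
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_entries(log_text):
    """Map each entry line (lower-cased, whitespace-collapsed) to a parsed record."""
    entries = {}
    for raw in log_text.splitlines():
        line = " ".join(raw.split())      # drop indentation added when pasting
        m = ENTRY.match(line)
        if not m:
            continue                      # header, process list, footer
        rec = {"line": line, "code": m.group(1), "details": m.group(2)}
        run = RUN.match(m.group(2)) if rec["code"] == "O4" else None
        if run:
            rec.update(zip(("hive", "key", "name", "command"), run.groups()))
        entries[line.lower()] = rec       # Windows paths are case-insensitive
    return entries

def verify_fix(before_log, after_log, fix_lines):
    """Check a rescan against the lines that were ticked for 'Fix Checked'."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    wanted = parse_entries("\n".join(fix_lines))
    return {
        "not_in_original_log": sorted(r["line"] for k, r in wanted.items() if k not in before),
        "still_present": sorted(r["line"] for k, r in wanted.items() if k in after),
        "new_since_fix": sorted(r["line"] for k, r in after.items() if k not in before),
    }

# Constructed sample: four entries copied from the log in this thread.
BEFORE = r'''
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [combofix] "C:\Combo-Fix\CF19193.cfxxe" /c "C:\Combo-Fix\C.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''
# Lines ticked for fixing (every O4 line except avast!), indented as in a forum post.
FIX = ["    " + l for l in BEFORE.splitlines() if l.startswith("O4") and "avast" not in l]
# Constructed rescan: one ticked entry is still there and needs a second look.
AFTER = r'''
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''

if __name__ == "__main__":
    for bucket, lines in verify_fix(BEFORE, AFTER, FIX).items():
        print(bucket, lines)
```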

Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Dragoness00 on 3rd January 2010, 3:32 am

========== FILES ==========
c:\documents and settings\All Users\Application Data\avg9\Log folder moved successfully.
c:\documents and settings\All Users\Application Data\avg9 folder moved successfully.
c:\documents and settings\Vangie\Application Data\AVG8 folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\Supportability\MVT folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\Supportability folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MSC\Cache folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MSC folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MBK\92948b65-08a6-4ac1-8cea-513bfa06ca9d folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MBK folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\dspwrp folder moved successfully.
c:\documents and settings\All Users\Application Data\McAfee folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs\TextHub folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs\incoming folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs\20071026.021 folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs\20071025.021 folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs\20061116.036 folder moved successfully.
c:\program files\Common Files\Symantec Shared\VirusDefs folder moved successfully.
c:\program files\Common Files\Symantec Shared\SPManifests folder moved successfully.
c:\program files\Common Files\Symantec Shared\EENGINE folder moved successfully.
c:\program files\Common Files\Symantec Shared\CCPD-LC folder moved successfully.
c:\program files\Common Files\Symantec Shared folder moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{6A90DE7F-6F89-4703-ABD9-CEBAD0C38E93} folder moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine folder moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus folder moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate folder moved successfully.
c:\documents and settings\All Users\Application Data\Symantec folder moved successfully.
c:\program files\AVG\AVG8\log folder moved successfully.
c:\program files\AVG\AVG8\avgam folder moved successfully.
c:\program files\AVG\AVG8 folder moved successfully.
c:\program files\AVG folder moved successfully.

OTM by OldTimer - Version 3.1.4.0 log created on 01022010_203223


Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Belahzur on 3rd January 2010, 9:32 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: INFECTED ... Internet Security 2010 ... of course...lol HELP please

Post by Dragoness00 on 4th January 2010, 3:00 am

appears to be better... Thank you so much.. and I don't know what that file was you had me remove that was part of my zboard when we first started this but it is working fine also so it didn't seem to affect it =).. I love this site and am recommending it to all my friends.. I thank you so very much.. I would have thrown it out the window if it wasn't for you Hooray!

