My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!


Post by newyorkgirl1982 on 27th April 2010, 1:26 am

I keep on getting messages from Antivirus software Alert - Threat: Win32/Nuqel.E and BankerFox.A. I tried downloading an antivirus software from a legit company, but I can't install it. I can't open Control Panel. Please let me know how I can get rid of it.


Thanks!!!


Re: My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!

Post by Dr Jay on 27th April 2010, 4:07 am

RKill by Grinler
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
This only kills the active infection; the actual infection will not be gone.

=============================

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)


Re: My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!

Post by newyorkgirl1982 on 28th April 2010, 12:45 am

Here is the log:
ComboFix 10-04-26.05 - ANNA 04/27/2010 20:28:31.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1982.1416 [GMT -4:00]
Running from: c:\users\ANNA\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\users\ANNA\AppData\Local\yoyhvjutw
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500\desktop.ini
c:\program files\gamevance\gamevancelib32.dll
c:\program files\Gamevance\gvtl.dll
c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
c:\users\ANNA\AppData\Local\Microsoft\Windows\Temporary Internet Files\pse_350_enu.exe
c:\users\ANNA\AppData\Local\yoyhvjutw\mwuyrcxtssd.exe
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 00:36 . 2010-04-28 00:37 -------- d-----w- c:\users\ANNA\AppData\Local\temp
2010-04-28 00:36 . 2010-04-28 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-20 01:01 . 2010-04-20 01:01 -------- d-----w- c:\users\ANNA\AppData\Local\Yahoo!
2010-04-05 22:38 . 2010-04-05 22:38 -------- d-----w- c:\programdata\McAfee
2010-04-04 15:47 . 2009-11-24 21:39 1093064 ----a-w- c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 00:28 . 2009-11-30 16:57 -------- d-----w- c:\program files\Gamevance
2010-04-28 00:23 . 2009-06-28 16:13 -------- d-----w- c:\users\ANNA\AppData\Roaming\ICQ
2010-04-25 18:20 . 2009-06-28 16:07 67400 ----a-w- c:\programdata\nvModes.dat
2010-04-25 17:47 . 2009-06-28 07:16 -------- d-----w- c:\users\ANNA\AppData\Roaming\Skype
2010-04-25 14:26 . 2009-06-28 07:19 -------- d-----w- c:\users\ANNA\AppData\Roaming\skypePM
2010-03-11 08:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-11 08:24 . 2009-11-14 18:25 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 14:16 . 2009-10-02 23:04 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 08:21 . 2009-06-28 16:05 123968 ----a-w- c:\users\ANNA\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:54 . 2010-03-11 08:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51 . 2010-03-11 08:12 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:30 . 2010-03-11 08:12 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 21:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F160E9-48B5-41C8-8093-CE70CEAE8F80}]
2009-06-29 07:18 753664 ----a-w- c:\windows\System32\wownetb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-06-29 1232896]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"Google Update"="c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-10 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2009-06-29 1006264]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-12-08 7975608]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-01-24 862208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Lanhtm"= {24A19C32-2C71-4DE7-8389-442D326AA4DD} - c:\windows\system32\svrsql.dll [2009-06-29 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-26 721904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000Core.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000UA.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Block frame with Ad Muncher - [You must be registered and logged in to see this link.]
IE: Block image with Ad Muncher - [You must be registered and logged in to see this link.]
IE: Block link with Ad Muncher - [You must be registered and logged in to see this link.]
IE: Don't filter page with Ad Muncher - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - [You must be registered and logged in to see this link.]
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
FF - ProfilePath - c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\ANNA\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\ANNA\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-geenjgom - c:\users\ANNA\AppData\Local\yoyhvjutw\mwuyrcxtssd.exe
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-27 20:37
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-27 20:40:13
ComboFix-quarantined-files.txt 2010-04-28 00:40

Pre-Run: 25,367,384,064 bytes free
Post-Run: 26,896,666,624 bytes free

- - End Of File - - 9FBCB7606BE68521E7D6E446BB947BC0

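An added triage helper, not from this thread or from the ComboFix project, that parses the loading-point lines of a log like the one above and flags the entries the next reply goes after: a BHO DLL registered out of System32, a ShellServiceObjectDelayLoad entry (ComboFix hides legitimate defaults, so anything shown deserves a look), a ProxyServer pointing at the loopback address, and Run entries launched from a machine-named directory under AppData\Local. The sample lines are copied from the posted log; the "random directory" and "BHO in System32" tests are heuristics assumed by this example, not ComboFix rules.

```python
"""Triage of ComboFix 'Reg Loading Points' / 'Supplementary Scan' / 'ORPHANS' lines."""
import re
from dataclasses import dataclass

# Constructed excerpt: lines are taken from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F160E9-48B5-41C8-8093-CE70CEAE8F80}]
2009-06-29 07:18 753664 ----a-w- c:\windows\System32\wownetb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-06-29 1232896]
"Google Update"="c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-10 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Lanhtm"= {24A19C32-2C71-4DE7-8389-442D326AA4DD} - c:\windows\system32\svrsql.dll [2009-06-29 802816]

uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
HKCU-Run-geenjgom - c:\users\ANNA\AppData\Local\yoyhvjutw\mwuyrcxtssd.exe
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired
    location: str  # registry key, orphan entry or setting that loads the item
    path: str      # file path or setting value


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="c:\path.exe" [date size]   or   "Name"= {CLSID} - c:\path.dll [date size]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:"(?P<qpath>[^"]+)"|\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+?))\s*\['
)
# BHO sections list the DLL as: date time size attrs path
BHO_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")


def random_dir_name(path):
    """Directory directly under AppData\\Local if it looks machine-generated.

    Heuristic assumed by this example: 8+ lowercase letters only (so 'Google'
    and 'Microsoft' pass, 'yoyhvjutw' and 'qtbndweam' do not).
    """
    m = re.search(r"\\appdata\\local\\([^\\]+)\\", path, re.IGNORECASE)
    if not m:
        return None
    d = m.group(1)
    return d if re.fullmatch(r"[a-z]{8,}", d) else None


def is_loopback_proxy(value):
    """True when a ProxyServer value such as 'http=127.0.0.1:5555' points at this machine."""
    host = value.split("=")[-1].split(":")[0].strip()
    return host in ("127.0.0.1", "localhost")


def triage(log_text):
    """Walk the log line by line, tracking the current registry key, and collect findings."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = PROXY_RE.match(line)
        if m:
            if is_loopback_proxy(m.group("value")):
                findings.append(Finding("loopback-proxy", "uInternet Settings,ProxyServer", m.group("value")))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            if random_dir_name(m.group("path")):
                findings.append(Finding("random-appdata-autostart",
                                        f"{m.group('hive')}-Run-{m.group('name')}", m.group("path")))
            continue
        if "Browser Helper Objects" in current_key:
            # Third-party BHOs normally live under Program Files; a DLL in System32 is worth review.
            m = BHO_FILE_RE.match(line)
            if m and "\\system32\\" in m.group("path").lower():
                findings.append(Finding("bho-in-system32", current_key, m.group("path")))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        path = m.group("qpath") or m.group("path")
        if current_key.endswith("ShellServiceObjectDelayLoad"):
            findings.append(Finding("ssodl-entry", current_key, path))
        elif current_key.endswith("\\Run") and random_dir_name(path):
            findings.append(Finding("random-appdata-autostart", current_key, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.location}\n{'':26} -> {f.path}")
```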

Re: My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!

Post by Dr Jay on 28th April 2010, 2:35 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F160E9-48B5-41C8-8093-CE70CEAE8F80}]

    collect::
    c:\windows\System32\wownetb.dll

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


Re: My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!

Post by newyorkgirl1982 on 29th April 2010, 4:23 am

Ok. I was able to do the second step. Here's my log:
ComboFix 10-04-28.03 - ANNA 04/28/2010 23:59:03.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1982.566 [GMT -4:00]
Running from: c:\users\ANNA\Desktop\ComboFix.exe
Command switches used :: c:\users\ANNA\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\System32\wownetb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\ANNA\AppData\Local\asam.exe
c:\users\ANNA\AppData\Local\qtbndweam
c:\users\ANNA\AppData\Local\qtbndweam\gusamjntssd.exe
c:\users\ANNA\AppData\Local\syssvc.exe
c:\windows\System32\wownetb.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 04:04 . 2010-04-29 04:06 -------- d-----w- c:\users\ANNA\AppData\Local\temp
2010-04-29 04:04 . 2010-04-29 04:04 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 04:04 . 2010-04-29 04:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 03:02 . 2010-04-29 03:02 -------- d-----w- c:\windows\Sun
2010-04-28 01:15 . 2010-04-28 01:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-28 00:22 . 2010-04-28 00:40 -------- d-----w- C:\commy
2010-04-20 01:01 . 2010-04-20 01:01 -------- d-----w- c:\users\ANNA\AppData\Local\Yahoo!
2010-04-05 22:38 . 2010-04-05 22:38 -------- d-----w- c:\programdata\McAfee
2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 03:58 . 2009-06-28 07:16 -------- d-----w- c:\users\ANNA\AppData\Roaming\Skype
2010-04-29 00:01 . 2009-06-28 07:19 -------- d-----w- c:\users\ANNA\AppData\Roaming\skypePM
2010-04-28 01:15 . 2009-06-28 16:13 -------- d-----w- c:\users\ANNA\AppData\Roaming\ICQ
2010-04-28 00:28 . 2009-11-30 16:57 -------- d-----w- c:\program files\Gamevance
2010-04-25 18:20 . 2009-06-28 16:07 67400 ----a-w- c:\programdata\nvModes.dat
2010-03-11 08:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-11 08:24 . 2009-11-14 18:25 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 14:16 . 2009-10-02 23:04 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 08:21 . 2009-06-28 16:05 123968 ----a-w- c:\users\ANNA\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:54 . 2010-03-11 08:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51 . 2010-03-11 08:12 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:30 . 2010-03-11 08:12 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-06-29 1232896]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"Google Update"="c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-10 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2009-06-29 1006264]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-12-08 7975608]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-01-24 862208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Lanhtm"= {24A19C32-2C71-4DE7-8389-442D326AA4DD} - c:\windows\system32\svrsql.dll [2009-06-29 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-26 721904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000Core.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000UA.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: Block frame with Ad Muncher - [You must be registered and logged in to see this link.]
IE: Block image with Ad Muncher - [You must be registered and logged in to see this link.]
IE: Block link with Ad Muncher - [You must be registered and logged in to see this link.]
IE: Don't filter page with Ad Muncher - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - [You must be registered and logged in to see this link.]
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
FF - ProfilePath - c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\ANNA\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\ANNA\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-eponqlcq - c:\users\ANNA\AppData\Local\qtbndweam\gusamjntssd.exe
HKCU-Run-asam - c:\users\ANNA\AppData\Local\asam.exe
HKLM-Run-asam - c:\users\ANNA\AppData\Local\asam.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\conime.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-29 00:14:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 04:14
ComboFix2.txt 2010-04-28 00:40

Pre-Run: 26,014,109,696 bytes free
Post-Run: 25,794,093,056 bytes free

- - End Of File - - 5AEBA19C6F68B54772ABE427AFE6F95C
Upload was successful


Re: My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!

Post by Dr Jay on 29th April 2010, 4:42 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Lanhtm"=-

    File::
    c:\windows\system32\svrsql.dll

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)
