my computer is infected?


my computer is infected?

Post by milko on Thu Jul 22, 2010 11:18 am

Recently a new window opens automatically while I am using the internet. I would like to know whether my computer is infected with a virus or something.
I was going to post my logs with this message, but I could not download OTL.

Could you give me advice please.


milko
Novice

Posts: 12
Joined: 2010-04-29
OS: XP
Points: 24249
Likes: 0

Re: my computer is infected?

Post by Dr Jay on Fri Jul 23, 2010 6:35 am

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, when your computer is declared clean.

Download [You must be registered and logged in to see this link.] to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


Please download [You must be registered and logged in to see this link.] by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • MBRCheck log
  • Cheetah log


Thanks!


Dr. Jay (DJ)


Dr Jay
Head Administrator

Posts: 13713
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Protection: Bitdefender Total Security
Points: 302059
Likes: 10

Re: my computer is infected?

Post by milko on Fri Jul 23, 2010 9:11 am

Here are my logs.


* MBRCheck log

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...



* Cheetah log

Cheetah-Anti-Rogue v1.5.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 23/07/2010 - Time: 18:39:25 - Arch.: x86


-- Malware removal tools check --
Trend Micro HijackThis 2.0.2
Malwarebytes' Anti-Malware
SUPERAntiSpyware


Re: my computer is infected?

Post by Dr Jay on Fri Jul 23, 2010 6:35 pm

Please open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)



Re: my computer is infected?

Post by milko on Fri Jul 23, 2010 11:20 pm

Here are my logs.

Thank you for your help.


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4342

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

24/07/2010 8:45:35 AM
mbam-log-2010-07-24 (08-45-35).txt

Scan type: Quick scan
Objects scanned: 167582
Time elapsed: 11 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b5657d6b-0914-fa51-caf8-38b9d7287557} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SuperiorBrandingSystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinBlueSoft (Rogue.WinBlueSoft) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxbngvif (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\6.371749721516777E8.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\JlmG.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\VIP\Local Settings\temp\pdfupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\VIP\Local Settings\Application Data\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: my computer is infected?

Post by Dr Jay on Sat Jul 24, 2010 2:02 am

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)



Re: my computer is infected?

Post by milko on Sat Jul 24, 2010 5:26 am

Here are my logs after running ComboFix.

regards,


ComboFix 10-07-23.02 - VIP 24/07/2010 14:42:47.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1983.1659 [GMT 9.5:30]
Running from: c:\documents and settings\VIP\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-22 12:17 . 2010-07-22 12:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-22 10:45 . 2010-07-22 10:45 503808 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a4f5ce0-n\msvcp71.dll
2010-07-22 10:45 . 2010-07-22 10:45 499712 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a4f5ce0-n\jmc.dll
2010-07-22 10:45 . 2010-07-22 10:45 348160 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a4f5ce0-n\msvcr71.dll
2010-07-22 10:45 . 2010-07-22 10:45 61440 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-782f3a25-n\decora-sse.dll
2010-07-22 10:45 . 2010-07-22 10:45 12800 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-782f3a25-n\decora-d3d.dll
2010-07-22 10:45 . 2010-07-22 10:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 08:22 . 2008-04-13 20:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-14 08:22 . 2001-08-17 13:06 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-08 08:14 . 2010-07-08 08:27 -------- d-----w- c:\program files\etax2010

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 05:09 . 2009-10-05 07:43 -------- d-----w- c:\documents and settings\VIP\Application Data\Skype
2010-07-23 09:03 . 2009-05-03 11:55 -------- d-----w- c:\documents and settings\VIP\Application Data\skypePM
2010-07-22 23:08 . 2009-03-16 02:30 -------- d-----w- c:\program files\Java
2010-07-22 10:56 . 2009-03-16 02:30 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 10:56 . 2010-07-22 10:56 0 ----a-w- c:\windows\system32\REN6A6.tmp
2010-07-22 10:56 . 2010-07-22 10:56 0 ----a-w- c:\windows\system32\REN6A5.tmp
2010-07-22 10:56 . 2010-07-22 10:56 0 ----a-w- c:\windows\system32\REN6A4.tmp
2010-06-24 01:59 . 2010-06-24 01:59 50354 ----a-w- c:\documents and settings\VIP\Application Data\Facebook\uninstall.exe
2010-06-24 01:59 . 2010-06-24 01:59 -------- d-----w- c:\documents and settings\VIP\Application Data\Facebook
2010-06-21 08:07 . 2010-06-21 08:07 -------- d-----w- c:\program files\Google
2010-06-21 08:07 . 2010-06-21 08:07 -------- d-----w- c:\program files\Common Files\Skype
2010-06-21 08:07 . 2009-10-05 07:43 -------- d-----r- c:\program files\Skype
2010-06-21 07:45 . 2010-06-21 07:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-21 07:45 . 2010-06-21 07:43 -------- d-----w- c:\program files\Microsoft
2010-06-21 07:45 . 2009-05-03 11:32 -------- d-----w- c:\program files\Windows Live
2010-06-21 07:45 . 2010-06-21 07:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-06-14 14:37 . 2009-05-05 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\VIP\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-08 06:45 . 2009-08-01 01:16 -------- d-----w- c:\documents and settings\VIP\Application Data\HPAppData
2010-06-02 13:58 . 2010-06-02 13:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-02 13:58 . 2010-06-02 13:58 -------- d-----w- c:\program files\Realtek
2010-06-02 10:35 . 2010-06-02 10:35 -------- d-----w- c:\documents and settings\VIP\Application Data\Uniblue
2010-05-26 10:48 . 2009-06-03 09:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 09:39 . 2010-05-02 01:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-25 12:25 . 2010-05-25 12:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-29 06:09 . 2009-06-03 09:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 06:09 . 2009-06-03 09:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 04:34 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-02-28 2049320]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 18063872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\VIP\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [28/02/2008 2:04 PM 53032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 04:36 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {4E83142E-0E70-467C-BD5D-14B626DC23E7} = 203.21.20.20,203.10.1.9
FF - ProfilePath - c:\documents and settings\VIP\Application Data\Mozilla\Firefox\Profiles\7i0fknmx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\VIP\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-24 14:50:24
ComboFix-quarantined-files.txt 2010-07-24 05:20
ComboFix2.txt 2009-06-12 10:55

Pre-Run: 142,211,497,984 bytes free
Post-Run: 143,239,815,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - DE7920C92B0AE46894DE9E252C166AFA

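The ComboFix log above carries the three findings a helper looks at first: a disinfected system driver (pci.sys), the Windows firewall policy turned off, and a browser proxy pointed at a local port (127.0.0.1:5555), which is how a rogue on the machine gets between the browser and the internet. The following Python is an added example, not a tool used in this thread; it parses those sections of a ComboFix log and returns defender-facing findings. The sample input is excerpted from the log above plus one Run-key line constructed from the MBAM findings earlier in the thread; the flagging rules are my own heuristics.

```python
"""Triage the sections of a ComboFix log that a malware-removal helper
reads first: the Run keys, the firewall policy, the proxy setting in the
Supplementary Scan, and any disinfected system file.

Added example for this thread; the rules below are my own heuristics."""
import re
from typing import Dict, List, Tuple

Finding = Dict[str, str]

# Sample input: lines excerpted from the first ComboFix log in the thread.
# The "sxbngvif" Run line is CONSTRUCTED from the MBAM findings posted
# earlier (that value name and that file path) to exercise the Run-key
# rule; it does not appear in the ComboFix log itself.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"sxbngvif"="c:\documents and settings\VIP\Local Settings\Application Data\syssvc.exe" [2010-07-23 0]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"""

# Locations in an XP profile that the logged-on user can write to; an
# autorun entry launching from one of these deserves a look (heuristic).
USER_WRITABLE = (
    "\\windows\\temp\\",
    "\\local settings\\temp\\",
    "\\local settings\\application data\\",
    "\\application data\\",
)

SECTION = re.compile(r"^\[(.+)\]$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')
PROXY = re.compile(r"ProxyServer\s*=\s*(\S+)")
INFECTED = re.compile(r"^Infected copy of (.+?) was found")


def parse_run_entries(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(value name, command)]} for each ...\\Run key."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in log.splitlines():
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            current = key if key.lower().endswith("\\run") else None
            continue
        if current is None:
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.setdefault(current, []).append((m.group(1), m.group(2)))
    return entries


def triage(log: str) -> List[Finding]:
    """Return findings in log order; Run-key findings are appended last."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = INFECTED.match(line)
        if m:  # ComboFix replaced a patched system file: rootkit-class infection
            findings.append({"severity": "high", "rule": "infected_driver",
                             "detail": m.group(1)})
        if line.startswith('"EnableFirewall"= 0'):
            findings.append({"severity": "medium", "rule": "firewall_disabled",
                             "detail": line.strip()})
        m = PROXY.search(line)
        if m:
            proxy = m.group(1)                      # e.g. http=127.0.0.1:5555
            host = proxy.split("=")[-1].split(":")[0]
            # A proxy on the loopback address means a local process is
            # interposed on all browser traffic (typical of rogue AV/FakeAlert).
            sev = "high" if host in ("127.0.0.1", "localhost") else "low"
            findings.append({"severity": sev, "rule": "proxy_set", "detail": proxy})
    for key, values in parse_run_entries(log).items():
        for name, cmd in values:
            if any(loc in cmd.lower() for loc in USER_WRITABLE):
                findings.append({"severity": "high", "rule": "run_from_user_writable",
                                 "detail": f"{key}\\{name} -> {cmd}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```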

Re: my computer is infected?

Post by Dr Jay on Sun Jul 25, 2010 10:12 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Download the CFScript from the attachment below. Save it to your Desktop.
  • Drag the downloaded CFScript.txt into ComboFix.


  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Re: my computer is infected?

Post by milko on Sun Jul 25, 2010 10:50 am

I disabled the anti-virus program (I think) called Windows Security Center, but I am not sure if I have other anti-virus programs on this PC.

Anyhow, here are my logs after running ComboFix.

Thank you.


ComboFix 10-07-24.03 - VIP 25/07/2010 20:10:30.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1983.1336 [GMT 9.5:30]
Running from: c:\documents and settings\VIP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\VIP\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-22 12:17 . 2010-07-22 12:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-22 10:45 . 2010-07-22 10:45 503808 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a4f5ce0-n\msvcp71.dll
2010-07-22 10:45 . 2010-07-22 10:45 499712 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a4f5ce0-n\jmc.dll
2010-07-22 10:45 . 2010-07-22 10:45 348160 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a4f5ce0-n\msvcr71.dll
2010-07-22 10:45 . 2010-07-22 10:45 61440 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-782f3a25-n\decora-sse.dll
2010-07-22 10:45 . 2010-07-22 10:45 12800 ----a-w- c:\documents and settings\VIP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-782f3a25-n\decora-d3d.dll
2010-07-22 10:45 . 2010-07-22 10:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 08:22 . 2008-04-13 20:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-14 08:22 . 2001-08-17 13:06 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-08 08:14 . 2010-07-08 08:27 -------- d-----w- c:\program files\etax2010

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 06:33 . 2009-05-03 11:55 -------- d-----w- c:\documents and settings\VIP\Application Data\skypePM
2010-07-24 22:33 . 2009-10-05 07:43 -------- d-----w- c:\documents and settings\VIP\Application Data\Skype
2010-07-22 23:08 . 2009-03-16 02:30 -------- d-----w- c:\program files\Java
2010-07-22 10:56 . 2009-03-16 02:30 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 10:56 . 2010-07-22 10:56 0 ----a-w- c:\windows\system32\REN6A6.tmp
2010-07-22 10:56 . 2010-07-22 10:56 0 ----a-w- c:\windows\system32\REN6A5.tmp
2010-07-22 10:56 . 2010-07-22 10:56 0 ----a-w- c:\windows\system32\REN6A4.tmp
2010-06-24 01:59 . 2010-06-24 01:59 50354 ----a-w- c:\documents and settings\VIP\Application Data\Facebook\uninstall.exe
2010-06-24 01:59 . 2010-06-24 01:59 -------- d-----w- c:\documents and settings\VIP\Application Data\Facebook
2010-06-21 08:07 . 2010-06-21 08:07 -------- d-----w- c:\program files\Google
2010-06-21 08:07 . 2010-06-21 08:07 -------- d-----w- c:\program files\Common Files\Skype
2010-06-21 08:07 . 2009-10-05 07:43 -------- d-----r- c:\program files\Skype
2010-06-21 07:45 . 2010-06-21 07:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-21 07:45 . 2010-06-21 07:43 -------- d-----w- c:\program files\Microsoft
2010-06-21 07:45 . 2009-05-03 11:32 -------- d-----w- c:\program files\Windows Live
2010-06-21 07:45 . 2010-06-21 07:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-06-14 14:37 . 2009-05-05 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\VIP\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-08 06:45 . 2009-08-01 01:16 -------- d-----w- c:\documents and settings\VIP\Application Data\HPAppData
2010-06-02 13:58 . 2010-06-02 13:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-02 13:58 . 2010-06-02 13:58 -------- d-----w- c:\program files\Realtek
2010-06-02 10:35 . 2010-06-02 10:35 -------- d-----w- c:\documents and settings\VIP\Application Data\Uniblue
2010-05-26 10:48 . 2009-06-03 09:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 09:39 . 2010-05-02 01:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-25 12:25 . 2010-05-25 12:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-29 06:09 . 2009-06-03 09:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 06:09 . 2009-06-03 09:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\REN6A6.tmp ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 0
Created time: 2010-07-22 10:56
Modified time: 2010-07-22 10:56
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 22:33 . 2010-07-24 22:33 16384 c:\windows\Temp\Perflib_Perfdata_198.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 04:34 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-02-28 2049320]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 18063872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\VIP\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [28/02/2008 2:04 PM 53032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 04:36 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {4E83142E-0E70-467C-BD5D-14B626DC23E7} = 203.21.20.20,203.10.1.9
FF - ProfilePath - c:\documents and settings\VIP\Application Data\Mozilla\Firefox\Profiles\7i0fknmx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\VIP\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-25 20:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2900)
c:\windows\system32\WININET.dll
c:\program files\Nero\Nero8\InCD\NBHShx.dll
c:\program files\Nero\Nero8\InCD\NBHStr.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-07-25 20:14:36
ComboFix-quarantined-files.txt 2010-07-25 10:44
ComboFix2.txt 2010-07-24 05:20
ComboFix3.txt 2009-06-12 10:55

Pre-Run: 143,359,668,224 bytes free
Post-Run: 143,346,331,648 bytes free

- - End Of File - - F1151CF76CF91D595E18B44085908DE0


Re: my computer is infected?

Post by Dr Jay on Sun Jul 25, 2010 10:57 am

Please run the [You must be registered and logged in to see this link.]

  • Follow the Instruction [You must be registered and logged in to see this link.] for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


Dr. Jay (DJ)



Re: my computer is infected?

Post by milko on Sun Jul 25, 2010 2:27 pm

Here is the report.

Regards,



Scanning Report
Sunday, July 25, 2010 23:18:13 - 23:54:46

Computer name: VIP-PC
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
9 malware found
TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

Rootkit.Patched.TDSS.Gen (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP308\A0036352.SYS (Disinfected & Submitted)

Email-Worm:W32/Zhelatin.YO (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP307\A0036188.EXE (Renamed & Submitted)

Trojan.FakeSpyPro.C (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP274\A0031222.EXE (Renamed & Submitted)

Trojan:W32/Agent.DJCT (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP252\A0021405.EXE (Renamed & Submitted)

Email-Worm:W32/Zhelatin.YO (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP252\A0021414.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 39517
* System: 3300
* Not scanned: 10

Actions:

* Disinfected: 5
* Renamed: 4
* Deleted: 0
* Not cleaned: 0
* Submitted: 5

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\DOCUMENTS AND SETTINGS\VIP\APPLICATION DATA\SKYPE\ETILQS_NRPKOSLEHWMO6RCMDLZ0
* C:\DOCUMENTS AND SETTINGS\VIP\APPLICATION DATA\SKYPE\ETILQS_ZKBT8XV2U40NVOM89ATJ

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics

Copyright 1998-2009 Product support | Send virus sample to F-Secure


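Every virus-class detection in the report above sits under C:\SYSTEM VOLUME INFORMATION\_RESTORE{GUID}\RPnnn\, that is inside old System Restore snapshots rather than in a file the system is using, and the remaining spyware entries are tracking cookies. The following Python script is an added example, not part of the thread or of F-Secure's tooling: it parses a report in that layout and separates restore-point hits from anything still live, reading a constructed excerpt built from the entries posted above.

```python
import re

# Constructed excerpt in the layout of the F-Secure report posted above
# (detection names and paths are copied from the thread).
SAMPLE_REPORT = r"""TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

Rootkit.Patched.TDSS.Gen (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP308\A0036352.SYS (Disinfected & Submitted)

Email-Worm:W32/Zhelatin.YO (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{05F17BCB-EAED-48F8-8418-E3C9715DE758}\RP307\A0036188.EXE (Renamed & Submitted)

Statistics
"""

# A "Name (kind)" header line is followed by one "* path (action)" line per hit.
DETECTION_RE = re.compile(r"^(?P<name>\S+) \((?P<kind>spyware|virus|riskware)\)$")
HIT_RE = re.compile(r"^\* (?P<path>.+?) \((?P<action>[^()]+)\)$")
# Paths under System Volume Information\_restore{GUID}\RPnnn\ are System Restore copies, not files in use.
RESTORE_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\RP\d+\\", re.I)

def parse_report(text):
    """Return one (name, kind, path, action) tuple per detected file."""
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Statistics":  # detections end where the statistics block starts
            break
        m = DETECTION_RE.match(line)
        if m:
            current = (m["name"], m["kind"])
            continue
        m = HIT_RE.match(line)
        if m and current:
            hits.append((current[0], current[1], m["path"], m["action"]))
    return hits

def summarize(text):
    """Count hits, hits inside old restore points, and what is left outside them."""
    hits = parse_report(text)
    in_restore = [h for h in hits if RESTORE_RE.search(h[2])]
    # Tracking cookies are browser data, not code; anything else outside a
    # restore point would be a live infection worth a closer look.
    live = [h for h in hits if h not in in_restore and not h[0].startswith("TrackingCookie")]
    return {"hits": len(hits), "restore_point_hits": len(in_restore), "live_hits": live}
```

For the excerpt above `summarize` reports three hits, two of them in restore points and no live hits, which is why flushing the old restore points is the sensible next step.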

Re: my computer is infected?

Post by Dr Jay on Mon Jul 26, 2010 8:00 am

Hiya! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again; the program will close and you are done


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.


Dr. Jay (DJ)



Re: my computer is infected?

Post by milko on Mon Jul 26, 2010 11:16 am

Thank you for your help.

I have an issue - I can not find System Restore after System tools. I can find only System Information.

Kind regards,


Re: my computer is infected?

Post by Dr Jay on Tue Jul 27, 2010 4:38 am

Go to Start > Run, type this in and hit OK:

c:\windows\system32\rstrui.exe


Dr. Jay (DJ)



Re: my computer is infected?

Post by milko on Tue Jul 27, 2010 8:39 am

Hello. I typed this - c:\windows\system32\rstrui.exe - in the box, then an error message comes up - 'Windows can not find c:\windows\system32\rstrui.exe'

Please advise.

Thank you



Re: my computer is infected?

Post by Dr Jay on Tue Jul 27, 2010 6:18 pm

Oh I see. System Restore has been deleted.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    rstrui.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)


