Help Me rid of the 100k virus..


Post by doinitright6 on Sat 30 Jul 2011, 9:52 am

I am completely ignorant as to how to remove viruses. AVG is still running; I can't shut it down, and in the icon tray I can't close it out. Strange. This thing is getting me angry. How can I remove it? Please help!!!!

doinitright6

Unborn

Posts : 4
Joined : 2011-07-30
Operating System : windows xp


Re: Help Me rid of the 100k virus..

Post by Sneakyone on Sat 30 Jul 2011, 5:14 pm

Hi,

Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below




Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives


  • Once the scan finishes click Save log to save the log to your Desktop


  • Copy and paste the contents of aswMBR.txt back here for review


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit


Re: Help Me rid of the 100k virus..

Post by doinitright6 on Sun 31 Jul 2011, 4:19 am

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 13:18:21
-----------------------------
13:18:21.122 OS Version: Windows 5.1.2600 Service Pack 3
13:18:21.122 Number of processors: 1 586 0xD06
13:18:21.122 ComputerName: T42-AA8EFE7979D UserName: T42 User
13:18:21.782 Initialize success
13:18:28.252 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:18:28.252 Disk 0 Vendor: HTS541040G9AT00 MB2IA5BJ Size: 34274MB BusType: 3
13:18:30.275 Disk 0 MBR read successfully
13:18:30.275 Disk 0 MBR scan
13:18:30.275 Disk 0 Windows XP default MBR code
13:18:30.275 Disk 0 scanning sectors +70187040
13:18:30.345 Disk 0 scanning C:\WINDOWS\system32\drivers
13:18:36.073 File: C:\WINDOWS\system32\drivers\fips.sys **SUSPICIOUS**
13:18:40.720 Service scanning
13:18:41.791 Modules scanning
13:18:50.013 Disk 0 trace - called modules:
13:18:50.023 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88a89aa0]<<
13:18:50.023 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89820ab8]
13:18:50.023 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x89466920]
13:18:50.344 \Driver\00002388[0x88c35500] -> IRP_MJ_CREATE -> 0x88a89aa0
13:18:50.354 Scan finished successfully
13:19:16.822 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\T42 User\Desktop\MBR.dat"
13:19:16.822 The log file has been saved successfully to "C:\Documents and Settings\T42 User\Desktop\aswMBRdoinitright6.txt"


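The aswMBR log above is reviewed by eye in the thread. As an added illustration, not code from the thread or from AVAST, here is a small Python triage that pulls out the lines a reviewer looks at: the MBR code description per disk, any file tagged **SUSPICIOUS**, addresses that aswMBR could not map to a loaded module, and IRP dispatch entries whose target is one of those unmapped addresses. The sample log is constructed in the same layout as the posted one; the flagged driver name is a placeholder, and the addresses are copied from the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the aswMBR log layout used in the thread. The line shapes
# (File: ... **SUSPICIOUS**, >>UNKNOWN [addr]<<, \Driver\... -> IRP_MJ_CREATE -> addr)
# follow the posted log; example.sys is a placeholder, not a real finding.
SAMPLE_ASWMBR = r"""aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 13:18:21
-----------------------------
13:18:21.122 OS Version: Windows 5.1.2600 Service Pack 3
13:18:30.275 Disk 0 MBR read successfully
13:18:30.275 Disk 0 Windows XP default MBR code
13:18:30.345 Disk 0 scanning C:\WINDOWS\system32\drivers
13:18:36.073 File: C:\WINDOWS\system32\drivers\example.sys **SUSPICIOUS**
13:18:40.720 Service scanning
13:18:50.013 Disk 0 trace - called modules:
13:18:50.023 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88a89aa0]<<
13:18:50.344 \Driver\00002388[0x88c35500] -> IRP_MJ_CREATE -> 0x88a89aa0
13:18:50.354 Scan finished successfully
"""

# Every scan line starts with a hh:mm:ss.mmm timestamp; banner lines do not.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (.*)$")
MBR_RE = re.compile(r"^Disk (\d+) (.+ MBR code)$")
SUSPICIOUS_RE = re.compile(r"^File: (.+?) \*\*SUSPICIOUS\*\*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\[^\[]+)\[(0x[0-9a-fA-F]+)\] -> (\S+) -> (0x[0-9a-fA-F]+)$")


@dataclass
class Triage:
    mbr_code: dict[int, str] = field(default_factory=dict)        # disk number -> MBR description
    suspicious_files: list[str] = field(default_factory=list)
    unknown_modules: list[str] = field(default_factory=list)      # addresses aswMBR could not attribute
    hooks: list[tuple[str, str, str, str]] = field(default_factory=list)  # (driver object, its addr, IRP, target)
    finished: bool = False


def triage_aswmbr(text: str) -> Triage:
    """Collect the review-relevant lines of an aswMBR log; this decides nothing by itself."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if mm := MBR_RE.match(msg):
            t.mbr_code[int(mm.group(1))] = mm.group(2)
        elif sm := SUSPICIOUS_RE.match(msg):
            t.suspicious_files.append(sm.group(1))
        elif um := UNKNOWN_RE.search(msg):
            t.unknown_modules.append(um.group(1).lower())
        elif hm := HOOK_RE.match(msg):
            t.hooks.append((hm.group(1), hm.group(2).lower(), hm.group(3), hm.group(4).lower()))
        elif msg == "Scan finished successfully":
            t.finished = True
    return t


def unresolved_hooks(t: Triage) -> list[tuple[str, str, str, str]]:
    """Dispatch entries whose target is an address aswMBR could not map to a module.
    That combination, rather than a lone SUSPICIOUS file, is what a reviewer asks about."""
    return [h for h in t.hooks if h[3] in t.unknown_modules]


def nondefault_mbr(t: Triage) -> list[int]:
    """Disks whose MBR code aswMBR did not describe as a stock Windows MBR."""
    return [d for d, desc in t.mbr_code.items() if "default MBR code" not in desc]


if __name__ == "__main__":
    report = triage_aswmbr(SAMPLE_ASWMBR)
    print("MBR:", report.mbr_code, "non-default:", nondefault_mbr(report))
    print("SUSPICIOUS files:", report.suspicious_files)
    print("unresolved hooks:", unresolved_hooks(report))
```

The output is a list of questions, not verdicts, which is exactly why the helper asks the user not to act on rootkit entries until the log has been reviewed: in the posted log the SUSPICIOUS hit is fips.sys, a stock Windows XP driver, and an unmapped IRP_MJ_CREATE target can just as well belong to a legitimate filter driver (an antivirus component, for instance) as to a rootkit. A non-default MBR description would be the one finding that usually does warrant follow-up.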

Re: Help Me rid of the 100k virus..

Post by Sneakyone on Sun 31 Jul 2011, 3:01 pm

Hi,

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.





Re: Help Me rid of the 100k virus..

Post by doinitright6 on Sun 31 Jul 2011, 4:33 pm

ComboFix 11-07-31.01 - T42 User 07/31/2011 1:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.975 [GMT -4:00]
Running from: c:\documents and settings\T42 User\My Documents\Downloads\commy.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\T42 User\Application Data\PriceGong
c:\documents and settings\T42 User\Application Data\PriceGong\Data\1.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\a.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\b.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\c.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\d.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\e.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\f.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\g.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\h.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\i.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\J.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\k.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\l.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\m.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\n.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\o.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\p.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\q.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\r.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\s.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\t.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\u.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\v.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\w.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\x.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\y.xml
c:\documents and settings\T42 User\Application Data\PriceGong\Data\z.xml
c:\documents and settings\T42 User\GoToAssistDownloadHelper.exe
c:\documents and settings\T42 User\WINDOWS
c:\program files\Mighty Magoo
c:\program files\Mighty Magoo\ars.cfg
c:\program files\Mighty Magoo\icon.ico
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB20311$\1603576911
c:\windows\$NtUninstallKB20311$\918390293\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB20311$\918390293\click.tlb
c:\windows\$NtUninstallKB20311$\918390293\L\rmhzbiua
c:\windows\$NtUninstallKB20311$\918390293\loader.tlb
c:\windows\$NtUninstallKB20311$\918390293\U\@00000001
c:\windows\$NtUninstallKB20311$\918390293\U\@000000c0
c:\windows\$NtUninstallKB20311$\918390293\U\@000000cb
c:\windows\$NtUninstallKB20311$\918390293\U\@000000cf
c:\windows\$NtUninstallKB20311$\918390293\U\@80000000
c:\windows\$NtUninstallKB20311$\918390293\U\@800000c0
c:\windows\$NtUninstallKB20311$\918390293\U\@800000cb
c:\windows\$NtUninstallKB20311$\918390293\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\Thumbs.db
c:\windows\$NtUninstallKB20311$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-31 )))))))))))))))))))))))))))))))
.
.
2011-07-29 22:48 . 2011-07-29 22:48 -------- d--h--w- c:\windows\PIF
2011-07-29 22:44 . 2011-07-29 22:44 -------- d-----w- c:\documents and settings\T42 User\Application Data\Malwarebytes
2011-07-29 22:44 . 2011-07-29 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-29 22:10 . 2011-07-29 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-07-29 22:10 . 2011-07-29 22:10 -------- d-----w- c:\program files\Common Files\iS3
2011-07-29 17:03 . 2005-04-04 03:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-07-29 17:03 . 2005-04-04 03:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-07-29 17:03 . 2005-04-04 03:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-07-29 17:03 . 2011-07-29 17:03 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-07-29 17:03 . 2005-04-04 03:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-07-29 17:03 . 2011-07-29 17:03 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-07-29 16:17 . 2011-07-29 17:01 -------- d-----w- c:\program files\SimTheme Park
2011-07-29 02:01 . 2011-07-29 17:02 -------- d-----w- c:\program files\GrandBilliards
2011-07-29 00:11 . 2011-07-29 00:11 -------- d-----w- c:\documents and settings\T42 User\Application Data\Unity
2011-07-29 00:09 . 2011-07-29 00:09 -------- d-----w- c:\documents and settings\T42 User\Local Settings\Application Data\Unity
2011-07-28 20:32 . 2002-11-11 20:00 118832 ----a-w- c:\windows\system32\SHW32.DLL
2011-07-20 16:31 . 2011-07-20 16:35 -------- d-----w- c:\program files\Advanced Sound Recorder
2011-07-20 16:28 . 2011-07-20 16:29 -------- d-----w- C:\My Recordings
2011-07-20 16:27 . 2001-03-13 13:49 140288 ----a-w- c:\windows\system32\comdlg32.ocx
2011-07-20 16:27 . 2011-07-20 16:35 -------- d-----w- c:\program files\FREE Hi-Q Recorder
2011-07-20 16:27 . 2002-01-05 13:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-07-10 14:18 . 2011-07-10 14:18 -------- d-----w- c:\documents and settings\T42 User\Application Data\Sincell
2011-07-10 14:17 . 2011-07-10 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sincell
2011-07-10 14:17 . 2011-07-10 14:17 -------- d-----w- c:\program files\Sincell
2011-07-08 11:51 . 2011-07-08 11:51 53248 ----a-r- c:\documents and settings\T42 User\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-07-08 11:51 . 2011-07-08 11:51 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-07-08 11:51 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-08 11:50 . 2011-04-30 11:59 12184 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-07-08 11:49 . 2011-07-08 11:50 -------- d-----w- c:\program files\Logitech
2011-07-08 11:49 . 2011-07-08 11:51 -------- d-----w- c:\program files\Common Files\Logishrd
2011-07-08 11:47 . 2011-07-08 11:52 -------- d-----w- c:\documents and settings\T42 User\Application Data\Logitech
2011-07-08 11:47 . 2011-07-08 11:48 -------- d-----w- c:\documents and settings\T42 User\Application Data\Logishrd
2011-07-08 01:34 . 2011-07-29 14:28 -------- d-----w- c:\documents and settings\All Users\Dl_cats
2011-07-08 01:30 . 2011-07-08 01:31 -------- d-----w- c:\program files\Dell Toolbar
2011-07-08 01:30 . 2011-07-08 01:30 -------- d-----w- c:\program files\Dell PC Fax
2011-07-08 01:30 . 2011-07-08 01:30 -------- d-----w- c:\program files\Dell Printable Web
2011-07-07 15:34 . 2011-07-07 15:46 -------- d-----w- c:\documents and settings\T42 User\Application Data\Free Audio Editor
2011-07-07 15:34 . 2005-05-18 15:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2011-07-07 15:34 . 2005-05-17 16:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2011-07-07 15:34 . 2005-04-25 17:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2011-07-07 15:34 . 2005-04-25 17:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2011-07-07 15:34 . 2005-04-15 16:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2011-07-07 15:34 . 2005-04-04 21:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2011-07-07 15:34 . 2005-03-28 19:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2011-07-07 15:34 . 2005-03-28 19:52 417792 ----a-w- c:\windows\system32\NCTTextToAudio2.dll
2011-07-07 15:34 . 2005-02-24 15:51 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2011-07-07 15:34 . 2004-11-04 17:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2011-07-07 02:37 . 2011-07-07 02:37 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2011-07-06 13:04 . 2011-07-06 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-07-05 15:57 . 2011-07-05 15:57 -------- d-----w- c:\documents and settings\T42 User\AppData
2011-07-05 15:57 . 2011-07-05 15:57 -------- d-----w- c:\documents and settings\T42 User\Application Data\imeshbandmltbpi
2011-07-05 15:55 . 2011-07-07 14:01 -------- d-----w- c:\documents and settings\T42 User\Application Data\mediabarim
2011-07-05 15:55 . 2011-07-08 12:20 -------- d-----w- c:\documents and settings\T42 User\Local Settings\Application Data\iMesh
2011-07-05 15:54 . 2011-07-17 14:15 -------- d-----w- c:\program files\iMesh Applications
2011-07-03 17:30 . 2011-07-03 17:30 -------- d-----w- c:\documents and settings\T42 User\Application Data\GRETECH
2011-07-03 17:29 . 2011-07-03 17:29 -------- d-----w- c:\program files\GRETECH
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-08 14:55 . 2011-06-19 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-06-08 14:54 . 2011-06-19 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-06-08 14:53 . 2011-06-20 12:28 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll
2011-06-08 14:53 . 2011-06-20 12:28 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-06-09 02:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2010-06-05 06:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2010-06-05 03:14 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
2011-05-30 13:35 89008 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\imeshdtxmltbpi.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2011-06-01 17:17 1236360 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\imeshdtxmltbpi.dll" [2011-05-30 89008]
.
[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-07 344064]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"dleamon.exe"="c:\program files\Dell V310-V510 Series\dleamon.exe" [2010-08-09 770728]
"EzPrint"="c:\program files\Dell V310-V510 Series\ezprint.exe" [2010-08-09 139944]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
.
c:\documents and settings\T42 User\Start Menu\Programs\Startup\
Socialbox.lnk - c:\program files\Socialbox\Socialbox.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-06-17 07:33 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
backup=c:\windows\pss\Lotus Organizer EasyClip.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
backup=c:\windows\pss\Lotus SmartCenter.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
backup=c:\windows\pss\Lotus SuiteStart.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iMesh Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\WINDOWS\\system32\\dleacoms.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\The Weather Channel FW\\Desktop\\DesktopWeather.exe"=
"c:\\Documents and Settings\\T42 User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\T42 User\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\T42 User\\My Documents\\Downloads\\STOPzilla_Setup.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\PhotoScape\\PhotoScape.exe"=
"c:\\Documents and Settings\\T42 User\\Desktop\\aswMBR.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 297168]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/5/2010 3:33 AM 16384]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [7/8/2011 7:50 AM 12184]
R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [4/8/2010 5:46 PM 117288]
R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [4/8/2010 5:46 PM 117288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dleaserv.exe [7/7/2011 9:32 PM 193192]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2011 12:10 AM 136176]
S2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [4/8/2010 5:46 PM 154152]
S3 cpuz130;cpuz130;\??\c:\docume~1\T42USE~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\T42USE~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2011 12:10 AM 136176]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys --> c:\windows\system32\drivers\hpfxfax.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2010-08-13 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2010-06-05 08:38]
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 04:10]
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 04:10]
.
2011-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-688789844-1343024091-1003Core.job
- c:\documents and settings\T42 User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-24 22:46]
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-688789844-1343024091-1003UA.job
- c:\documents and settings\T42 User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-24 22:46]
.
.
------- Supplementary Scan -------
.

uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.10.1
DPF: {2FD395CB-BD93-4BA9-AA4B-D725754E20D1} -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
WebBrowser-{DD662A0C-12FE-4B38-BA53-247F7EC82F46} - (no file)
HKLM-Run-PAC7302_Monitor - c:\windows\PixArt\PAC7302\Monitor.exe
Notify-TPSvc - TPSvc.dll
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-Wubi - f:\ubuntu\uninstall-wubi.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2011-07-31 01:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,9d,5e,cc,40,b8,bf,49,b8,26,b3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,9d,5e,cc,40,b8,bf,49,b8,26,b3,\
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-07-31 01:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-31 05:19
.
Pre-Run: 19,870,576,640 bytes free
Post-Run: 20,487,135,232 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 34C9F88C5C47A8BEE1410E26C90656C6

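A ComboFix log like the one above is long, and the helper's review concentrates on a few sections. As an added example that is not part of the thread or of ComboFix itself, the following Python parser reads the Reg Loading Points section and surfaces three things a reviewer checks first: Run-key autostart entries whose image lies inside a user-writable profile or Temp directory, a Security Center AntiVirusOverride value that is non-zero (it suppresses the "no antivirus" warning), and services whose image file ComboFix could not find (the [?] marker). The sample log is constructed in the same layout as the posted one; the updater entry is an invented placeholder, while the AVG, DW6 and cpuz130 lines are copied from the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the ComboFix layout seen in the thread. "updater" is a placeholder
# autostart entry; the other lines are copied from the posted log.
SAMPLE_COMBOFIX = r"""ComboFix 11-07-31.01 - Example User 07/31/2011 1:08.1.1 - x86
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"updater"="c:\documents and settings\Example User\Local Settings\Temp\updater.exe" [2011-07-29 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
S3 cpuz130;cpuz130;\??\c:\docume~1\EXAMPL~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\EXAMPL~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
.
- - End Of File - - 00000000000000000000000000000000
"""

SECTION_RE = re.compile(r"^\(+ (.+?) \)+$|^-+ (.+?) -+$")   # (((( Name )))) or ---- Name ----
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: \[(.+)\])?$')   # "name"="path" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.+)\]$")  # R0 name;display;path [info]
USER_WRITABLE_RE = re.compile(r"\\(temp|local settings|application data|documents and settings)\\", re.I)


@dataclass
class Report:
    run_entries: list[tuple[str, str, str]] = field(default_factory=list)       # (key, value name, path)
    dwords: dict[tuple[str, str], int] = field(default_factory=dict)            # (key, value name) -> value
    services: list[tuple[str, str, str, bool]] = field(default_factory=list)    # (start, name, path, file missing)


def parse_combofix(text: str) -> Report:
    """Walk the log line by line, keeping state for the current section and registry key."""
    rep = Report()
    section = key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in ("", "."):
            continue
        if sm := SECTION_RE.match(line):
            section = (sm.group(1) or sm.group(2)).strip(" -")
            key = None
            continue
        if section != "Reg Loading Points":
            continue
        if km := KEY_RE.match(line):
            key = km.group(1)
            continue
        if key and key.lower().endswith("\\run") and (vm := VALUE_RE.match(line)):
            rep.run_entries.append((key, vm.group(1), vm.group(2)))
        elif key and (dm := DWORD_RE.match(line)):
            rep.dwords[(key, dm.group(1))] = int(dm.group(2), 16)
        elif svm := SERVICE_RE.match(line):
            path = svm.group(4).split(" --> ")[-1]        # ComboFix prints "registered --> resolved" for missing files
            rep.services.append((svm.group(1), svm.group(2), path, svm.group(5) == "?"))
    return rep


def findings(rep: Report) -> list[str]:
    """Heuristic review points; each is a question for the reviewer, not a removal decision."""
    out = []
    for (_key, name), val in rep.dwords.items():
        if name.lower() == "antivirusoverride" and val != 0:
            out.append(f"security center: AntiVirusOverride={val} (antivirus status warning suppressed)")
    for _key, name, path in rep.run_entries:
        if USER_WRITABLE_RE.search(path):
            out.append(f"autostart from user-writable path: {name} -> {path}")
    for start, name, path, missing in rep.services:
        if missing:
            out.append(f"service {name} ({start}) points to a missing file: {path}")
    return out


if __name__ == "__main__":
    for item in findings(parse_combofix(SAMPLE_COMBOFIX)):
        print(item)
```

Two of the three findings on the sample also appear in the real log above: AntiVirusOverride is set to 1 there, and the cpuz130 service points at a driver that no longer exists. Neither is proof of malware on its own (a leftover service from an uninstalled utility is common, and Security Center overrides are sometimes set by third-party security suites), which is why the parser reports them as items to check rather than to delete.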

Re: Help Me rid of the 100k virus..

Post by Sneakyone on Mon 01 Aug 2011, 4:43 pm

Hi,

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.





Re: Help Me rid of the 100k virus..

Post by doinitright6 on Mon 01 Aug 2011, 10:22 pm

Good morning. Before I do that... I had problems temporarily disabling AVG11 prior to running ComboFix; I couldn't even uninstall the darn thing. So I ran ComboFix anyway, and when it was all done and said it removed this or that and restored this or that, I posted the results like you asked. Well, upon reboots of the system and 24 hours of testing, it seems everything is fixed and the 100K virus is removed. I reinstalled AVG11 repair from the net, and that is running alright too now. **Do you recommend I continue with the Malware download you just posted?????** Thanks again for all the help you all do.


Re: Help Me rid of the 100k virus..

Post by Sneakyone on Tue 02 Aug 2011, 3:08 pm

Hi,

I'm confident ComboFix removed and fixed most, if not all, of the infection, but in my opinion it would be best to go ahead and proceed with the checks and fixes.




