GeekPolice
Welcome to GeekPolice.net!


Virus - One note table of contents


Post by Dipsomaniac 69 on Mon Sep 26, 2011 5:56 pm

Hi,

I'm annoyed !! Keep getting 'thumbs' and 'onenote table of contents' in every folder I open, even on my desktop. Under 'my computer' the 'C' drive is blue with a whole lot of stuff that I have absolutely no idea what it is. There are also 'RECYCLE' folders that keep opening up. It also seems as if I have two users - 'Ian' and 'IAN-BF3F9176CE7' - almost like a duplicate me. Frik PLEASE help me sort out this annoying persistent irritation.

Dipsomaniac 69
Beginner

Posts : 3
Joined : 2011-09-26
OS : Windows XP
Points : 18983
# Likes : 0

Re: Virus - One note table of contents

Post by Belahzur on Mon Sep 26, 2011 6:01 pm

Hi,


Download Combofix from any of the links below, and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

When saving ComboFix rename it to Belahzur.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click Belahzur.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

Re: Virus - One note table of contents

Post by Dipsomaniac 69 on Mon Sep 26, 2011 6:57 pm

and this ??


ComboFix 11-09-26.01 - ian 2011/09/26 20:23:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.27.1033.18.447.130 [GMT 2:00]
Running from: c:\documents and settings\ian.IAN-BF3F9176CE7\Desktop\Belahzur.exe.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ian.IAN-BF3F9176CE7\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\HpqDIA.exe.6faf1b3a.ini
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\hpqiscfg.exe.94ca2e04.ini
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\HPTLBXFX.exe.4ce16ee6.ini.inuse
c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\ian.IAN-BF3F9176CE7\WINDOWS
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\SL33.tmp.6fcbc1c1.ini
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\SLD9.tmp.45d498d6.ini
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSrcas.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))
.
.
2011-09-26 16:50 . 2011-09-26 16:50 -------- d-----w- c:\documents and settings\ian.IAN-BF3F9176CE7\Local Settings\Application Data\PackageAware
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBFW"="c:\program files\Net Studio\USB FireWall\USB FireWall.exe" [2008-09-01 1330688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-28 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-02-01 19:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
2004-01-14 01:10 409600 ----a-w- c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2004-09-17 17:24 61440 ----a-w- c:\program files\Lexmark 7100 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
2004-12-06 09:53 286720 ----a-w- c:\program files\Lexmark 7100 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbxmon.exe]
2005-01-18 14:43 196608 ----a-w- c:\program files\Lexmark 7100 Series\lxbxmon.exE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-10-28 11:59 417792 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-01-20 18:04 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-08 19:46 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009/09/02 09:41 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009/09/02 09:41 AM 17744]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2009/07/21 01:43 PM 802683]
R3 MaBtPort;MA Bluetooth VCOM Driver;c:\windows\system32\drivers\MaBtPort.sys [2006/02/17 11:21 AM 101920]
R3 MaBtVad;Mobile Action Bluetooth Audio;c:\windows\system32\drivers\MaBtVad.sys [2006/02/17 11:21 AM 14414]
R3 ULI5261;ULi Based Ethernet NT Driver;c:\windows\system32\drivers\ULILAN.SYS [2004/12/31 03:24 PM 28160]
S3 D500M;D500M;c:\windows\system32\drivers\D500M.sys [2006/03/02 04:36 PM 25300]
S3 D500U;D500U;c:\windows\system32\drivers\D500U.sys [2006/03/02 04:36 PM 50389]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010/03/19 06:23 PM 36608]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [2010/02/09 03:33 PM 31899]
S3 MaBtc;MA Bluetooth Core Driver;c:\windows\system32\drivers\MaBtc.sys [2006/02/17 11:21 AM 131904]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 12:29]
.
2011-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 12:29]
.
2011-09-26 c:\windows\Tasks\User_Feed_Synchronization-{9B4A86BF-B915-40E3-9294-CB853368A5AC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 192.168.121.11:3128
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.121.11
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-CmUsbSound - cmcnfgu.cpl
MSConfigStartUp-PCSuiteTrayApplication - c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-09-26 20:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-09-26 20:46:58
ComboFix-quarantined-files.txt 2011-09-26 18:46
.
Pre-Run: 3,123,105,792 bytes free
Post-Run: 3,887,403,008 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D9DEE296F63DEDEBE95836E2981BD220

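The ComboFix log posted above has two sections an analyst reads first: the Run keys under "Reg Loading Points" and the browser settings under "Supplementary Scan". The Python below is an added example for this thread, not ComboFix code and not part of either poster's words. It parses a constructed excerpt of the posted log into structured records and surfaces what a helper would review: Run values whose target is not a .exe (the Lexmark LXBXtime.dll that catchme also listed under hidden autostart entries), anything started from a user-profile or temp directory, and the configured proxy, together with a check of whether the proxy host is the DHCP-supplied DNS server, which usually means the LAN gateway rather than an injected proxy. The review heuristics and the function names are this example's assumptions, not ComboFix rules.

```python
"""Pull autostart entries and proxy settings out of a ComboFix log for review.

Added example for this thread; it is not ComboFix code and not part of the
original posts. The review heuristics are illustrative assumptions only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt modelled on the log posted above (shortened; values as posted).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 192.168.121.11:3128
TCP: DhcpNameServer = 192.168.121.11
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="path" [yyyy-mm-dd size] is how ComboFix prints Run-key values
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# "key = value" lines of the Supplementary Scan (uStart Page, uInternet Settings,..., TCP: ...)
SETTING_RE = re.compile(r'^(?P<key>[^\[\]="]+?) = (?P<value>.+)$')


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    date: str
    size: int


def parse_run_entries(log: str) -> List[RunEntry]:
    """Return every value listed under a ...\\CurrentVersion\\Run key, in log order."""
    entries, current = [], None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            current = key if key.lower().endswith("\\currentversion\\run") else None
            continue
        if line.strip() == ".":  # ComboFix separates blocks with a lone dot
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            entries.append(RunEntry(current, m["name"], m["path"], m["date"], int(m["size"])))
    return entries


def parse_settings(log: str) -> Dict[str, str]:
    """Collect the 'key = value' lines of the Supplementary Scan section."""
    settings = {}
    for line in log.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m["key"].strip()] = m["value"].strip()
    return settings


PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")


def review_reasons(entry: RunEntry) -> List[str]:
    """Illustrative heuristics (an assumption of this example, not a ComboFix rule)."""
    reasons, low = [], entry.path.lower()
    ext = low.rsplit(".", 1)[-1] if "." in low else ""
    if ext != "exe":
        reasons.append(f"target is a .{ext}, so it is loaded through a host process such as rundll32")
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("target lives in a user-profile or temp directory")
    return reasons


def triage(log: str) -> Dict[str, object]:
    """Summarise what an analyst should look at first."""
    entries = parse_run_entries(log)
    settings = parse_settings(log)
    proxy = settings.get("uInternet Settings,ProxyServer", "")
    dns = settings.get("TCP: DhcpNameServer", "")
    return {
        "run_entries": len(entries),
        "for_review": {e.name: review_reasons(e) for e in entries if review_reasons(e)},
        "proxy": proxy,
        # a proxy on the same host as the DHCP-supplied DNS server is usually the LAN gateway
        "proxy_on_dns_host": bool(proxy) and proxy.split(":")[0] == dns,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against the full log, the same parser would also pick up the `uStart Page` and `uSearchURL` lines, which is where the MyWebSearch/FunWebProducts removals listed under "Other Deletions" would normally leave their traces.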

Re: Virus - One note table of contents

Post by Dipsomaniac 69 on Mon Sep 26, 2011 7:04 pm

I still have this as a user login - ian.IAN-BF3F9176CE7. Why is my name repeated in capitals and why is this code attached to my name?

There is also this file under the 'C' drive on my computer in blue font - '4690f7cc265dc29b9a317a8109dee4'
Any ideas ??


Re: Virus - One note table of contents

Post by Belahzur on Mon Sep 26, 2011 8:10 pm

Keep hold of that folder for now.

That extra account should be removable through control panel, it's just an extra profile I think.




