VIRUS. NEED HELP


Post by megfurey on Mon Jan 16, 2012 8:41 pm

Hi! I run Vista. PC keeps shutting down/crashing. What do I do? Here's a copy of a scan log, if that helps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:34 PM, on 1/16/2012
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\WerCon.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [{A1933D36-00B7-C2AC-A865-8B4C390CFB18}] C:\Users\meg\AppData\Roaming\Banabyz\nouguva.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12152 bytes

megfurey
Novice
Posts : 14
Joined : 2009-11-03
OS : Vista
Points : 26004
Likes : 0
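
The O4 entries in a log like the one above are the startup points a helper reads first. As an added example (not from this thread and not HijackThis's own code), the Python script below parses O4 Run and Startup lines, resolves the file each one actually loads (handling quoted paths, %ProgramFiles% shortcuts and rundll32 hosts), and flags entries that launch from a user profile directory, use a bare GUID as the value name, or whose target HijackThis printed as "?". The sample lines are constructed in the shape of the log above, and the three heuristics are my assumptions about what deserves a manual look, not a verdict: the Vongo shortcut, for instance, resolves to an ordinary Windows Installer shortcut in the ComboFix output later in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few O4/O23 lines in the shape of a HijackThis 2.0.2 log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [{A1933D36-00B7-C2AC-A865-8B4C390CFB18}] C:\Users\meg\AppData\Roaming\Banabyz\nouguva.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Global Startup: name.lnk = command"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(
    r"^O4 - (?P<scope>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# First token that ends in an executable-style extension, optionally quoted.
EXE_RE = re.compile(r'^\s*"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))\b', re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\", re.I)


def target_of(cmd: str) -> Optional[str]:
    """Return the file a Run/Startup entry actually loads, or None if unknown."""
    cmd = cmd.replace("%ProgramFiles%", r"C:\Program Files")
    m = EXE_RE.match(cmd)
    if not m:
        return None                      # e.g. HijackThis printed "?" for the target
    path = m.group("path")
    if path.lower().endswith("rundll32.exe"):
        # rundll32 is only a host process; the module named after it is what runs.
        m = EXE_RE.match(cmd[m.end():])
        return m.group("path") if m else None
    return path


def reasons_for(name: str, target: Optional[str]) -> List[str]:
    """Heuristics (assumptions of this example) for why an entry needs a manual look."""
    if target is None:
        return ["target could not be resolved from the log line; verify by hand"]
    reasons = []
    if "\\appdata\\" in target.lower() or USER_PROFILE_RE.search(target):
        reasons.append("launched from a user profile directory (user-writable, unusual for installed software)")
    if GUID_RE.match(name):
        reasons.append("value name is a bare GUID instead of a product name")
    return reasons


@dataclass
class Finding:
    line: str
    name: str
    target: Optional[str]
    reasons: List[str]


def triage(log_text: str) -> List[Finding]:
    """Return the O4 entries that trip at least one heuristic, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue                     # only O4 autostart entries are examined here
        name, cmd = m.group("name"), m.group("cmd")
        target = target_of(cmd)
        reasons = reasons_for(name, target)
        if reasons:
            findings.append(Finding(line, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] -> {f.target}")
        for r in f.reasons:
            print("   ", r)
```

Run against the sample, it reports only the Banabyz entry (two reasons) and the unresolved Vongo shortcut; everything under Program Files or Windows passes silently. The value of a script like this is narrowing a hundred-line log to the handful of lines worth checking against a known-file database or a quarantine decision.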

Re: VIRUS. NEED HELP

Post by Pancake on Mon Jan 16, 2012 9:48 pm

Hi. Welcome to the forum.

Please download Malwarebytes' Anti-Malware from one of these places:

[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply.

===============================================

Download Combofix from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and place it on your Desktop

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.

You can get help on disabling your protection programs here : [You must be registered and logged in to see this link.]

Please include the C:\ComboFix.txt in your next reply for further review.


Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.

Pancake
Senior
Posts : 222
Joined : 2010-03-06
Gender : Male
OS : Windows 7
Points : 28148
Likes : 0

Re: VIRUS. NEED HELP

Post by megfurey on Tue Jan 17, 2012 12:08 am

Combo Fix Log:

ComboFix 12-01-16.02 - meg 01/16/2012 17:33:34.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.958.140 [GMT -6:00]
Running from: c:\users\meg\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\meg\AppData\Roaming\AcroIEHelpe.txt
c:\users\meg\AppData\Roaming\Adobe\f1.exe
c:\users\meg\AppData\Roaming\Adobe\netsk.exe
c:\users\meg\AppData\Roaming\Adobe\xcomm.exe
c:\users\meg\AppData\Roaming\mrqczp5t.default.tmp
c:\users\meg\AppData\Roaming\srvblck2.tmp
c:\users\meg\AppData\Roaming\urhtps.tmp
c:\users\meg\Desktop\Malware Protection.lnk
c:\users\meg\Desktop\Security Protection.lnk
c:\users\meg\Documents\~WRL0001.tmp
c:\users\meg\Documents\~WRL0002.tmp
c:\users\meg\Documents\~WRL0003.tmp
c:\users\meg\Documents\~WRL0004.tmp
c:\users\meg\Documents\~WRL0045.tmp
c:\users\meg\Documents\~WRL0128.tmp
c:\users\meg\Documents\~WRL0226.tmp
c:\users\meg\Documents\~WRL0259.tmp
c:\users\meg\Documents\~WRL0401.tmp
c:\users\meg\Documents\~WRL0423.tmp
c:\users\meg\Documents\~WRL0426.tmp
c:\users\meg\Documents\~WRL0474.tmp
c:\users\meg\Documents\~WRL0495.tmp
c:\users\meg\Documents\~WRL0536.tmp
c:\users\meg\Documents\~WRL0551.tmp
c:\users\meg\Documents\~WRL0603.tmp
c:\users\meg\Documents\~WRL0696.tmp
c:\users\meg\Documents\~WRL0722.tmp
c:\users\meg\Documents\~WRL0744.tmp
c:\users\meg\Documents\~WRL0752.tmp
c:\users\meg\Documents\~WRL0785.tmp
c:\users\meg\Documents\~WRL0807.tmp
c:\users\meg\Documents\~WRL1022.tmp
c:\users\meg\Documents\~WRL1065.tmp
c:\users\meg\Documents\~WRL1263.tmp
c:\users\meg\Documents\~WRL1313.tmp
c:\users\meg\Documents\~WRL1339.tmp
c:\users\meg\Documents\~WRL1408.tmp
c:\users\meg\Documents\~WRL1447.tmp
c:\users\meg\Documents\~WRL1564.tmp
c:\users\meg\Documents\~WRL1648.tmp
c:\users\meg\Documents\~WRL1714.tmp
c:\users\meg\Documents\~WRL1796.tmp
c:\users\meg\Documents\~WRL1859.tmp
c:\users\meg\Documents\~WRL1863.tmp
c:\users\meg\Documents\~WRL1879.tmp
c:\users\meg\Documents\~WRL1908.tmp
c:\users\meg\Documents\~WRL1910.tmp
c:\users\meg\Documents\~WRL1912.tmp
c:\users\meg\Documents\~WRL1923.tmp
c:\users\meg\Documents\~WRL1956.tmp
c:\users\meg\Documents\~WRL1987.tmp
c:\users\meg\Documents\~WRL2006.tmp
c:\users\meg\Documents\~WRL2013.tmp
c:\users\meg\Documents\~WRL2045.tmp
c:\users\meg\Documents\~WRL2121.tmp
c:\users\meg\Documents\~WRL2135.tmp
c:\users\meg\Documents\~WRL2145.tmp
c:\users\meg\Documents\~WRL2147.tmp
c:\users\meg\Documents\~WRL2161.tmp
c:\users\meg\Documents\~WRL2178.tmp
c:\users\meg\Documents\~WRL2198.tmp
c:\users\meg\Documents\~WRL2413.tmp
c:\users\meg\Documents\~WRL2539.tmp
c:\users\meg\Documents\~WRL2543.tmp
c:\users\meg\Documents\~WRL2643.tmp
c:\users\meg\Documents\~WRL2662.tmp
c:\users\meg\Documents\~WRL2734.tmp
c:\users\meg\Documents\~WRL2735.tmp
c:\users\meg\Documents\~WRL2860.tmp
c:\users\meg\Documents\~WRL2970.tmp
c:\users\meg\Documents\~WRL2997.tmp
c:\users\meg\Documents\~WRL3072.tmp
c:\users\meg\Documents\~WRL3089.tmp
c:\users\meg\Documents\~WRL3090.tmp
c:\users\meg\Documents\~WRL3158.tmp
c:\users\meg\Documents\~WRL3184.tmp
c:\users\meg\Documents\~WRL3185.tmp
c:\users\meg\Documents\~WRL3305.tmp
c:\users\meg\Documents\~WRL3359.tmp
c:\users\meg\Documents\~WRL3468.tmp
c:\users\meg\Documents\~WRL3494.tmp
c:\users\meg\Documents\~WRL3497.tmp
c:\users\meg\Documents\~WRL3531.tmp
c:\users\meg\Documents\~WRL3536.tmp
c:\users\meg\Documents\~WRL3549.tmp
c:\users\meg\Documents\~WRL3559.tmp
c:\users\meg\Documents\~WRL3656.tmp
c:\users\meg\Documents\~WRL3677.tmp
c:\users\meg\Documents\~WRL3698.tmp
c:\users\meg\Documents\~WRL3745.tmp
c:\users\meg\Documents\~WRL3759.tmp
c:\users\meg\Documents\~WRL3769.tmp
c:\users\meg\Documents\~WRL3772.tmp
c:\users\meg\Documents\~WRL3817.tmp
c:\users\meg\Documents\~WRL3894.tmp
c:\users\meg\Documents\~WRL3925.tmp
c:\users\meg\Documents\~WRL3958.tmp
c:\users\meg\Documents\~WRL3963.tmp
c:\users\meg\Documents\~WRL4009.tmp
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\485945278\@
c:\windows\$NtUninstallKB3255$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB3255$\485945278\cfg.ini
c:\windows\$NtUninstallKB3255$\485945278\Desktop.ini
c:\windows\$NtUninstallKB3255$\485945278\kwrd.dll
c:\windows\$NtUninstallKB3255$\485945278\L\qnbwvoto
c:\windows\$NtUninstallKB3255$\485945278\U\00000001.@
c:\windows\$NtUninstallKB3255$\485945278\U\00000002.@
c:\windows\$NtUninstallKB3255$\485945278\U\80000000.@
c:\windows\$NtUninstallKB3255$\485945278\U\80000032.@
c:\windows\$NtUninstallKB3255$\93048862
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-16 23:54 . 2012-01-16 23:55 -------- d-----w- c:\users\meg\AppData\Local\temp
2012-01-16 23:54 . 2012-01-16 23:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-16 22:43 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 13:16 . 2011-12-04 13:16 644368 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-12 00:18 . 2010-03-12 00:19 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 1773568]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-23 39408]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-28 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-28 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-28 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-06-26 77824]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-30 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-03-12 30192]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
.
c:\users\meg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-6-26 53248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-8-3 394856]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-28 21:24]
.
2012-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-28 21:24]
.
2011-12-13 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - meg.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 15:09]
.
2012-01-16 c:\windows\Tasks\User_Feed_Synchronization-{A6FC6AE6-7A1B-4246-8CC6-51E0AD30D962}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{A1933D36-00B7-C2AC-A865-8B4C390CFB18} - c:\users\meg\AppData\Roaming\Banabyz\nouguva.exe
SafeBoot-25729355.sys
SafeBoot-32178841.sys
SafeBoot-39311285.sys
SafeBoot-43199823.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-01-16 17:55
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-01-16 18:00:41
ComboFix-quarantined-files.txt 2012-01-17 00:00
ComboFix2.txt 2009-02-17 23:20
ComboFix3.txt 2008-12-05 03:57
.
Pre-Run: 59,107,606,528 bytes free
Post-Run: 66,285,129,728 bytes free
.
- - End Of File - - 8DDB948CA7210C128D99D135AD6DE588

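
A ComboFix log like the one above is long, and most of what a helper wants from it sits in three places: the "Other Deletions" list, the "Reg Loading Points" registry dump and the "ORPHANS REMOVED" list. As an added example (not from this thread and not ComboFix's own code), the Python below splits the log into its sections, groups the deleted paths by location and lists the binaries among them, pulls out Security Center keys whose DisableMonitoring value is 1, and pairs each removed orphan with the file it pointed at. The sample is an excerpt of the log above trimmed to a few lines per section; the section-header patterns and the four-component path grouping are my assumptions about the format. The DisableMonitoring check carries a caveat in the code: an installed security suite can set those values itself, so a hit is a check item, not evidence of tampering.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the ComboFix log above, trimmed to a few lines per section.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\meg\AppData\Roaming\Adobe\f1.exe
c:\users\meg\AppData\Roaming\srvblck2.tmp
c:\users\meg\Documents\~WRL0001.tmp
c:\windows\$NtUninstallKB3255$\485945278\kwrd.dll
c:\windows\system32\regobj.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{A1933D36-00B7-C2AC-A865-8B4C390CFB18} - c:\users\meg\AppData\Roaming\Banabyz\nouguva.exe
"""

# Two header styles appear in the log: "(((( Title ))))" and "--- Title ---" / "- - Title - -".
PAREN_HDR = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
DASH_HDR = re.compile(r"^-[- ]*\s*(?P<title>[A-Za-z][^-]*?)\s*[- ]*-$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")              # REGEDIT4 key line
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')      # REGEDIT4 value line


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section title: non-empty body lines}."""
    sections: Dict[str, List[str]] = {}
    title, body = "preamble", []
    for line in text.splitlines():
        m = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if m:
            sections[title] = body
            title, body = m.group("title").strip(), []
        elif line.strip() not in ("", "."):   # ComboFix pads sections with lone dots
            body.append(line)
    sections[title] = body
    return sections


def summarize_deletions(sections: Dict[str, List[str]]) -> Tuple[Counter, List[str]]:
    """Group deleted paths by their first four directory components; list the binaries."""
    areas: Counter = Counter()
    binaries = []
    for path in sections.get("Other Deletions", []):
        dirs = path.split("\\")[:-1]          # drop the file name, keep the directory
        areas["\\".join(dirs[:4]).lower()] += 1
        if path.lower().endswith((".exe", ".dll", ".sys", ".scr")):
            binaries.append(path)
    return areas, binaries


def monitoring_overrides(sections: Dict[str, List[str]]) -> List[str]:
    """Security Center keys in the loading points that carry DisableMonitoring=1.

    Caveat: an installed security suite can set these values itself, so a hit
    means "check who set it", not "malware did".
    """
    hits, key = [], None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if (vm and key and "security center\\monitoring" in key.lower()
                and vm.group("name") == "DisableMonitoring"
                and vm.group("data").strip().lower() == "dword:00000001"):
            hits.append(key)
    return hits


def removed_orphans(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(autostart entry, file it pointed at) pairs from the ORPHANS REMOVED section."""
    pairs = []
    for line in sections.get("ORPHANS REMOVED", []):
        entry, sep, path = line.partition(" - ")
        pairs.append((entry, path if sep else ""))
    return pairs


if __name__ == "__main__":
    s = parse_sections(SAMPLE_LOG)
    areas, binaries = summarize_deletions(s)
    print("deletions by area:", dict(areas))
    print("binaries removed:", binaries)
    print("DisableMonitoring=1 under:", monitoring_overrides(s))
    print("orphans removed:", removed_orphans(s))
```

On the sample this puts two of the five deletions under c:\users\meg\appdata, lists three removed binaries, reports two Security Center keys with monitoring disabled, and ties the orphaned HKCU Run value back to the file in AppData\Roaming\Banabyz. The same functions run unchanged over a full log; only the sample is trimmed.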

Re: VIRUS. NEED HELP

Post by megfurey on Tue Jan 17, 2012 12:09 am

Malwarebytes log:

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.17037
meg :: FELIX [administrator]

1/16/2012 4:45:51 PM
mbam-log-2012-01-16 (16-45-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 189752
Time elapsed: 17 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\meg\AppData\Roaming\5037\components\AcroFF0375.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5039\components\AcroFF0395.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5039\components\AcroFF0396.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5039\components\AcroFF0397.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5039\components\AcroFF0398.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5040\components\AcroFF0405.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5040\components\AcroFF0407.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5041\components\AcroFF0415.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\meg\AppData\Roaming\5041\components\AcroFF0417.dll (Trojan.Passwords) -> Quarantined and deleted successfully.

(end)


Re: VIRUS. NEED HELP

Post by Pancake on Tue Jan 17, 2012 12:12 am

Ok. That looks better. How is it now?

Re: VIRUS. NEED HELP

Post by megfurey on Tue Jan 17, 2012 1:02 am

We're up and working again! Thank you so much!!!!!


Re: VIRUS. NEED HELP

Post by Pancake on Tue Jan 17, 2012 2:55 am

Ok. All done. I see no more malware. Log looks good! All that was detected is now either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.

Go to:
Start > Run, then copy and paste the following highlighted (blue) text below into the box and click OK.

ComboFix /uninstall

Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download [You must be registered and logged in to see this link.] to your desktop.

Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
