multiple infections

multiple infections

Post by tinkerman on Wed Feb 25, 2009 5:23 pm

Hello dear Belahzur, just note that I couldn't understand the 'stop any malware getting back on' instruction that you gave.. I just turned off my machine.. and now I am working on my sister's machine.. Do you remember what we did yesterday? I want to remind you of the summary situation of this machine..

- this machine was unable to do any internet action, although there seemed to be no noticeable network problem
- there were too many annoying alerts in Windows and the machine was working slower than before (some of the errors I remember: explorer.exe error, drwatson.exe error, scvhost.exe or something like that errors, and many others)
- after consulting you, I followed the instructions from my machine and transferred the programs to her machine by USB disk and progressed till the LopSD option 2 step.. and many annoying and strange actions and errors disappeared, and now I can connect to the internet and work in the browser as you permit..
- before you got online early today, after your permission for me to connect from her machine and surf on safe trusted sites, I encountered two memorable errors: one was a very annoying, unstoppable '7l3m4x8d6.exe' error repeating constantly, and the other was lpa.exe (I could mis-remember the name) that appeared just once..
- after turning off her machine to clean my machine with your invaluable help, I returned to her machine and didn't notice any noticeable errors this time..

The summary of our situation is this..

tinkerman
Intermediate
Posts : 109
Joined : 2009-02-11
Gender : Male
OS : windows xp with sp3

Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 5:32 pm

Hello.
Glad to hear that.
Let's make sure we haven't left anything behind.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 5:40 pm

DDS (Ver_09-02-01.01) - NTFSx86
Run by usr at 19:36:10,53 on 25.02.2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1254.90.1055.18.511.116 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\LifeView TVR\RecSche.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SMC\SMCWPCIT-G\SMCWCU.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\LifeView TVR\remote.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\usr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Oturum Açma Yardım Aracı: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Remote] c:\program files\lifeview tvr\Remote.exe
mRun: [RecSche] "c:\program files\lifeview tvr\RecSche.exe"
mRun: [WinDVRCtrl] c:\windows\WDVRCtrl.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SMCWCU] "c:\program files\smc\smcwpcit-g\SMCWCU.exe" -nogui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - [You must be registered and logged in to see this link.]
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - [You must be registered and logged in to see this link.]
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - [You must be registered and logged in to see this link.]
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - [You must be registered and logged in to see this link.]
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - [You must be registered and logged in to see this link.]
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - [You must be registered and logged in to see this link.]
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\usr\applic~1\mozilla\firefox\profiles\oyyj043w.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-24 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-24 552064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-20 24652]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-2 892032]
S3 bDMusicb;bDMusicb;c:\docume~1\usr\locals~1\temp\bDMusicb.sys [2004-9-14 31744]
S4 WinSoft Service Controler;WinSoft Service Controler;c:\windows\system32\drivers\WinMgmt.exe [2009-2-19 723968]

=============== Created Last 30 ================

2009-02-24 22:12 --d----- C:\Lop SD
2009-02-24 17:08 0 a------- c:\windows\system32\mapisvc.inf
2009-02-24 17:08 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-24 17:08 298,104 a------- c:\windows\system32\imon.dll
2009-02-24 17:08 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-24 17:08 --d----- c:\program files\ESET
2009-02-23 20:31 26,156 a------- c:\documents and settings\usr\lpex.exe
2009-02-23 18:05 26,156 a------- c:\documents and settings\usr\lpe.exe
2009-02-21 22:55 26,156 a------- c:\documents and settings\usr\7l3m4x8d6.exe
2009-02-21 21:26 73,216 a------- c:\documents and settings\usr\Setxup.exe
2009-02-21 21:25 26,156 a------- c:\documents and settings\usr\ssdswe.exe
2009-02-21 21:24 26,156 a------- c:\documents and settings\usr\deleteme.exe
2009-02-19 16:08 723,968 ---shr-- c:\windows\system32\drivers\WinMgmt.exe
2009-02-17 19:09 26,156 a------- c:\documents and settings\usr\h4d7l3m4x8d6.exe
2009-02-16 16:37 73,216 a------- c:\documents and settings\usr\Setup.exe
2009-02-15 14:03 25,132 a------- c:\documents and settings\usr\explode.exe
2009-02-12 19:26 25,132 a------- c:\documents and settings\usr\ssddshd.exe
2009-02-12 19:25 18,944 a------- c:\documents and settings\usr\sfddshd.exe
2009-02-08 12:27 25,132 a------- c:\documents and settings\usr\sd4dshd.exe
2009-02-07 17:30 --d----- C:\quarantine
2009-02-07 17:29 25,132 a------- c:\documents and settings\usr\srdshd.exe
2009-02-06 18:50 167,936 ---shr-- c:\windows\system32\drivers\services.exe
2009-02-04 16:44 18,944 a------- c:\documents and settings\usr\sdsxxdshd.exe
2009-02-04 11:45 41,004 a------- c:\documents and settings\usr\sxdsxdshd.exe
2009-02-04 11:41 41,004 a------- c:\windows\sxdsxdshd.exe
2009-02-03 18:12 25,132 a------- c:\documents and settings\usr\s2dsxdshd.exe
2009-02-03 18:10 41,004 a------- c:\windows\s2dsxdshd.exe
2009-02-03 18:05 41,004 a------- c:\documents and settings\usr\sdsxdshd.exe
2009-02-02 12:55 49,152 a------- c:\documents and settings\usr\kkkl.exe
2009-01-29 15:46 41,004 a------- c:\windows\sdsxdshd.exe
2009-01-29 15:45 47,192 a------- c:\documents and settings\usr\sxdsdshd.exe
2009-01-27 11:21 81,920 a------- c:\documents and settings\usr\kdjods.exe
2009-01-27 11:20 81,920 a------- c:\documents and settings\usr\kjodxs.exe

==================== Find3M ====================

2009-02-22 21:45 303,230 a------- c:\windows\system32\perfh01F.dat
2009-02-22 21:45 46,628 a------- c:\windows\system32\perfc01F.dat
2009-02-01 00:18 47,192 a------- c:\documents and settings\usr\sdsdsd.exe
2009-01-30 00:07 49,196 a------- c:\documents and settings\usr\sdsdshd.exe
2009-01-25 19:12 33,366 a------- c:\documents and settings\usr\Exrexdr.exe
2009-01-25 18:19 33,366 a------- c:\documents and settings\usr\Exredr2.exe
2009-01-25 18:19 33,366 a------- c:\documents and settings\usr\Exxrxedr.exe
2009-01-23 23:24 49,196 a------- c:\documents and settings\usr\Exredr.exe
2009-01-21 20:47 4,014 a------- c:\documents and settings\usr\taskmger.exe
2009-01-21 15:19 49,196 a------- c:\documents and settings\usr\xsdsdsd.exe
2009-01-20 22:19 62,976 a------- c:\documents and settings\usr\asdsdsd.exe
2009-01-16 21:35 74,256 a------- c:\documents and settings\usr\Rkhaa.exe
2006-11-21 18:38 18,096 a------- c:\docume~1\usr\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 19:36:37,45 ===============

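As an added example, not part of DDS or of any post in this thread, here is a short Python triage pass over the "Created Last 30" style lines of the DDS report above. It flags executables sitting directly in the user profile root or c:\windows, .exe files carrying hidden+system+read-only attributes inside system32\drivers (a folder that normally holds only .sys drivers), and groups of differently named files that share one exact byte size, which points to one dropper copied under random names; the sample lines are copied from the report above.

```python
r"""Triage of the 'Created Last 30' / 'Find3M' file lists in a DDS log.

Added example for this thread (not part of DDS or the original posts).
Three patterns visible in the report above are flagged:
  * .exe files dropped straight into a user profile root or c:\windows
  * .exe files with hidden+system+read-only attributes under system32\drivers
  * several differently named .exe files sharing one exact byte size
"""
import re
from collections import defaultdict

# One DDS file line: date time [size] attrs path (directories carry no size)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
DRIVERS_DIR_RE = re.compile(r"^c:\\windows\\system32\\drivers\\[^\\]+\.exe$", re.I)

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_LOG = """\
2009-02-24 22:12 --d----- C:\\Lop SD
2009-02-24 17:08 0 a------- c:\\windows\\system32\\mapisvc.inf
2009-02-24 17:08 15,424 a------- c:\\windows\\system32\\drivers\\nod32drv.sys
2009-02-23 20:31 26,156 a------- c:\\documents and settings\\usr\\lpex.exe
2009-02-23 18:05 26,156 a------- c:\\documents and settings\\usr\\lpe.exe
2009-02-21 22:55 26,156 a------- c:\\documents and settings\\usr\\7l3m4x8d6.exe
2009-02-19 16:08 723,968 ---shr-- c:\\windows\\system32\\drivers\\WinMgmt.exe
2009-02-06 18:50 167,936 ---shr-- c:\\windows\\system32\\drivers\\services.exe
2009-02-04 11:41 41,004 a------- c:\\windows\\sxdsxdshd.exe
2009-02-03 18:10 41,004 a------- c:\\windows\\s2dsxdshd.exe
"""


def parse_dds_files(text):
    """Parse DDS file-list lines into dicts; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs").lower()
        size = m.group("size")
        entries.append({
            "path": m.group("path"),
            "attrs": attrs,
            "size": int(size.replace(",", "")) if size is not None else None,
            "is_dir": "d" in attrs,
        })
    return entries


def triage(entries, cluster_min=3):
    """Return (kind, detail) findings for the parsed entries."""
    findings = []
    by_size = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        p = e["path"]
        if PROFILE_ROOT_RE.match(p) or WINDOWS_ROOT_RE.match(p):
            findings.append(("exe_in_unusual_root", p))
        if DRIVERS_DIR_RE.match(p):
            findings.append(("exe_in_drivers_dir", p))
        if all(flag in e["attrs"] for flag in "hsr"):
            findings.append(("hidden_system_readonly", p))
        if p.lower().endswith(".exe") and e["size"]:
            by_size[e["size"]].append(p)
    # Identical sizes across unrelated names: likely one payload under random names
    for size, paths in sorted(by_size.items()):
        if len(paths) >= cluster_min:
            findings.append(("size_cluster", f"{size} bytes x{len(paths)}: " + ", ".join(paths)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_dds_files(SAMPLE_LOG)):
        print(f"{kind:24} {detail}")
```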

Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 5:44 pm

Oh my, this is bad.
We have to use Combofix here. This tool is extremely powerful, so when reading the instructions for it, read very carefully.

First though, I see Viewpoint is present.

Viewpoint Manager: this is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.]

Additional info: [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Ask Toolbar
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Using Combofix

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus). See [You must be registered and logged in to see this link.] for how to disable your AV (ESET NOD32).
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    It's strongly recommended to have the Recovery Console installed before doing any malware removal.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get the next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 5:55 pm

I couldn't remove 'Ask Toolbar'; it says something like "can't remove" or "removed before" in my language.. I must exit for 20 minutes and come back.. Is there anything I can do to remove those Viewpoint or Ask Toolbar etc..? Or do you want me to neglect this step and go further?


Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 5:57 pm

Okay, skip the removal and we'll have CF remove it for us when we remove the malware.



Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 6:32 pm

OK, I came back again.. When I turned on the PC again I encountered an explorer.exe error, and after that a strange box opened in the upper left corner with the title "personal adjustments" (translated from my language) and I saw some recycler and restore stuff there.. Now I'm continuing to follow your instructions given above..


Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 6:41 pm

I've downloaded CF and disabled NOD32, but CF insists that the antivirus is still active, so I didn't go further. What do you advise to be sure that NOD32 is inactive?


Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 6:47 pm

Hmm.
Is NOD32 paid for? If not, we can uninstall it while we do this.



Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 6:51 pm

No, I was using the trial version.. OK, I am uninstalling NOD32 and will stay without anti-virus till your next instruction.. and after that I will try to go further with the CF tool..


Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 6:54 pm

Okay, uninstall it, but DO NOT surf the net.
Then run CF.



Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 7:03 pm

I got mad when I noticed that I couldn't even enter the Add/Remove Programs section :-( I uninstalled it via Programs > ESET > NOD32 > Uninstall and then rebooted the machine.. Now hopefully CF will take care of my PC..


Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 7:19 pm

I have finished the scan, but I didn't encounter the Recovery Console part..

ComboFix 09-02-24.02 - usr 2009-02-25 21:04:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.511.267 [GMT 2:00]
Running from: c:\documents and settings\usr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\usr\kkkl.exe
c:\documents and settings\usr\s2dsxdshd.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\windows\IE4 Error Log.txt
c:\windows\s2dsxdshd.exe
c:\windows\sdsxdshd.exe
c:\windows\system32\drivers\services.exe
c:\windows\Temp\23370.exe
c:\windows\Temp\60360.exe
c:\windows\Temp\61312.exe
c:\windows\Temp\84547.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:12 . 2009-02-24 22:39 d-------- C:\Lop SD
2009-02-24 17:08 . 2009-02-25 20:54 d-------- c:\program files\ESET
2009-02-24 17:08 . 2009-02-24 17:08 0 --a------ c:\windows\system32\mapisvc.inf
2009-02-23 20:31 . 2009-02-24 17:14 26,156 --a------ c:\documents and settings\usr\lpex.exe
2009-02-23 18:05 . 2009-02-25 20:56 26,156 --a------ c:\documents and settings\usr\lpe.exe
2009-02-21 22:55 . 2009-02-25 20:59 26,156 --a------ c:\documents and settings\usr\7l3m4x8d6.exe
2009-02-21 21:26 . 2009-02-24 20:17 73,216 --a------ c:\documents and settings\usr\Setxup.exe
2009-02-21 21:25 . 2009-02-22 21:45 26,156 --a------ c:\documents and settings\usr\ssdswe.exe
2009-02-21 21:24 . 2009-02-22 21:49 26,156 --a------ c:\documents and settings\usr\deleteme.exe
2009-02-19 16:08 . 2009-02-19 16:08 723,968 -r-hs---- c:\windows\system32\drivers\WinMgmt.exe
2009-02-17 19:09 . 2009-02-25 21:03 26,156 --a------ c:\documents and settings\usr\h4d7l3m4x8d6.exe
2009-02-16 16:37 . 2009-02-25 21:03 73,216 --a------ c:\documents and settings\usr\Setup.exe
2009-02-15 14:03 . 2009-02-15 20:50 25,132 --a------ c:\documents and settings\usr\explode.exe
2009-02-12 19:26 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\ssddshd.exe
2009-02-12 19:25 . 2009-02-12 21:31 18,944 --a------ c:\documents and settings\usr\sfddshd.exe
2009-02-08 12:27 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\sd4dshd.exe
2009-02-07 17:30 . 2009-02-18 20:33 d-------- C:\quarantine
2009-02-07 17:29 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\srdshd.exe
2009-02-04 16:44 . 2009-02-16 16:46 18,944 --a------ c:\documents and settings\usr\sdsxxdshd.exe
2009-02-04 11:45 . 2009-02-04 12:08 41,004 --a------ c:\documents and settings\usr\sxdsxdshd.exe
2009-02-04 11:41 . 2009-02-04 11:41 41,004 --a------ c:\windows\sxdsxdshd.exe
2009-02-03 18:05 . 2009-02-04 21:54 41,004 --a------ c:\documents and settings\usr\sdsxdshd.exe
2009-01-29 15:45 . 2009-01-29 16:05 47,192 --a------ c:\documents and settings\usr\sxdsdshd.exe
2009-01-27 11:21 . 2009-01-27 11:35 81,920 --a------ c:\documents and settings\usr\kdjods.exe
2009-01-27 11:20 . 2009-01-27 11:35 81,920 --a------ c:\documents and settings\usr\kjodxs.exe
2009-01-25 18:32 . 2009-01-25 19:12 33,366 --a------ c:\documents and settings\usr\Exrexdr.exe
2009-01-25 17:44 . 2009-01-25 18:19 33,366 --a------ c:\documents and settings\usr\Exxrxedr.exe
2009-01-25 17:44 . 2009-01-25 18:19 33,366 --a------ c:\documents and settings\usr\Exredr2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 20:37 --------- d-----w c:\program files\Viewpoint
2009-02-23 19:54 --------- d-----w c:\program files\Common Files\AOL
2009-02-22 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar
2009-02-06 16:30 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-31 22:18 47,192 ----a-w c:\documents and settings\usr\sdsdsd.exe
2009-01-29 22:07 49,196 ----a-w c:\documents and settings\usr\sdsdshd.exe
2009-01-23 21:24 49,196 ----a-w c:\documents and settings\usr\Exredr.exe
2009-01-21 18:47 4,014 ----a-w c:\documents and settings\usr\taskmger.exe
2009-01-21 15:51 --------- d-----w c:\documents and settings\usr\Application Data\PlayFirst
2009-01-21 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Reflexive
2009-01-21 15:50 --------- d-----w c:\program files\PlayFirst
2009-01-21 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-21 13:19 49,196 ----a-w c:\documents and settings\usr\xsdsdsd.exe
2009-01-20 20:19 62,976 ----a-w c:\documents and settings\usr\asdsdsd.exe
2009-01-18 17:59 --------- d-----w c:\program files\PhotoScape
2009-01-16 19:35 74,256 ----a-w c:\documents and settings\usr\Rkhaa.exe
2006-11-21 16:38 18,096 ----a-w c:\documents and settings\usr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Remote"="c:\program files\LifeView TVR\Remote.exe" [2006-05-09 212992]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe" [2006-01-04 454656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SMCWCU"="c:\program files\SMC\SMCWPCIT-G\SMCWCU.exe" [2006-03-14 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NodLogin"="c:\program files\Eset\nodlogin.exe" [2008-07-29 358448]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programlar\BaŸlang‡\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-09-22 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-20 24652]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-02 892032]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys [?]
S4 WinSoft Service Controler;WinSoft Service Controler;c:\windows\system32\drivers\WinMgmt.exe [2009-02-19 723968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
\Shell\open\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e68a4e8e-1086-11dd-a460-00173176301a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL win32s.exe
\Shell\Aç\command - F:\win32s.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\r00t.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987192}]
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
c:\recycle\D-0-060-0000000000-1111111-2222222\FiX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-34CX1C987132}]
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187562}]
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinDVRCtrl - c:\windows\WDVRCtrl.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\usr\Application Data\Mozilla\Firefox\Profiles\oyyj043w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-25 21:07:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote = c:\program files\LifeView TVR\Remote.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"



Completion time: 2009-02-25 21:09:01
ComboFix-quarantined-files.txt 2009-02-25 19:08:59

Pre-Run: 52.270.600.192 bayt boş
Post-Run: 54,570,307,584 bayt boş

172 --- E O F --- 2009-01-16 16:27:44

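A companion added example (not ComboFix's own code and not from any post here) that reads the "Reg Loading Points" section of the ComboFix log above and flags the persistence patterns it shows: Active Setup "Installed Components" keys whose GUID is not valid hex, Active Setup commands launched from c:\restore, c:\recycler or c:\system subfolders imitating SID names, MountPoints2 shell handlers for a drive letter (autorun-style launch from removable media), and Security Center values that silence or override its checks. The sample entries are copied from the log; the one benign control entry with a hex-valid GUID and the path c:\windows\system32\example-control.exe is constructed for contrast.

```python
r"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's code, not from the posts).
Flags: malformed Active Setup GUIDs, launch paths under restore/recycler/
system folders, MountPoints2 shell handlers, Security Center overrides.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
GUID_RE = re.compile(r"\{(?P<guid>[^}]+)\}\s*$")
# Real component GUIDs are hex only; K, L, N, O, P, W, X etc. cannot occur
VALID_GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
SUSPECT_DIR_RE = re.compile(r"^[a-z]:\\(recycler?|restore|system)\\", re.I)
SECCENTER_RE = re.compile(
    r'^"(?P<name>\w*(?:DisableNotify|Override))"=dword:(?P<val>[0-9a-f]{8})$', re.I)

# Constructed sample: entries copied from the ComboFix log above plus one
# benign control entry (made up here: valid hex GUID, normal system path).
SAMPLE_REG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{96f52345-e246-11dd-a532-00173176301a}]
\\Shell\\AutoRun\\command - f:\\system\\S-1-5-21-1482476501-1644491937-682003330-1013\\Perfume.exe
\\Shell\\open\\command - f:\\system\\S-1-5-21-1482476501-1644491937-682003330-1013\\Perfume.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
c:\\restore\\k-1-3542-4232123213-7676767-8888886\\X0R.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
c:\\recycle\\D-0-060-0000000000-1111111-2222222\\FiX.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{12345678-ABCD-EF01-2345-6789ABCDEF01}]
c:\\windows\\system32\\example-control.exe
"""


def parse_reg_blocks(text):
    """Return a list of (key, [value lines]) for each [key] block in the section."""
    blocks, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, lines))
            key, lines = m.group("key"), []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        blocks.append((key, lines))
    return blocks


def triage_loading_points(text):
    """Return (kind, detail) findings for the registry loading points."""
    findings = []
    for key, lines in parse_reg_blocks(text):
        k = key.lower()
        if "active setup\\installed components" in k:
            m = GUID_RE.search(key)
            if m and not VALID_GUID_RE.match(m.group("guid")):
                findings.append(("malformed_active_setup_guid", key))
            for cmd in lines:
                if SUSPECT_DIR_RE.match(cmd):
                    findings.append(("active_setup_suspect_path", cmd))
        elif "explorer\\mountpoints2" in k:
            # Any shell\...\command handler tied to a drive GUID deserves review
            for cmd in lines:
                if "\\command" in cmd.lower():
                    findings.append(("drive_shell_handler", cmd))
        elif k.endswith("\\security center"):
            for value in lines:
                m = SECCENTER_RE.match(value)
                if m and int(m.group("val"), 16) == 1:
                    findings.append(("security_center_silenced", m.group("name")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_loading_points(SAMPLE_REG):
        print(f"{kind:28} {detail}")
```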

Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 7:34 pm

Okay, let's finish this off.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service
WinSoft Service Controler

File::
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\deleteme.exe
c:\windows\system32\drivers\WinMgmt.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\windows\sxdsxdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\Rkhaa.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
F:\win32s.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe

Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\GamesBar
c:\restore

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e68a4e8e-1086-11dd-a460-00173176301a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987192}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-34CX1C987132}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187562}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 7:51 pm

the resulting log:

ComboFix 09-02-24.02 - usr 2009-02-25 21:41:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.511.195 [GMT 2:00]
Running from: c:\documents and settings\usr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\usr\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\deleteme.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\Rkhaa.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\windows\sxdsxdshd.exe
c:\windows\system32\drivers\WinMgmt.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
F:\win32s.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\GamesBar
c:\documents and settings\All Users\Application Data\GamesBar\about.gif
c:\documents and settings\All Users\Application Data\GamesBar\action.gif
c:\documents and settings\All Users\Application Data\GamesBar\arcade.gif
c:\documents and settings\All Users\Application Data\GamesBar\buy.gif
c:\documents and settings\All Users\Application Data\GamesBar\call_of_atlantis16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\cards.gif
c:\documents and settings\All Users\Application Data\GamesBar\deals.gif
c:\documents and settings\All Users\Application Data\GamesBar\download.gif
c:\documents and settings\All Users\Application Data\GamesBar\dream_day_wedding_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\feedback.gif
c:\documents and settings\All Users\Application Data\GamesBar\help.gif
c:\documents and settings\All Users\Application Data\GamesBar\highlight.gif
c:\documents and settings\All Users\Application Data\GamesBar\holly_a_christmas_tale_deluxe16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\house_of_wonders_bch16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\interpol_2_most_wanted16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\miss_teri_tale_2_vote_4_me16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\multiplayer.gif
c:\documents and settings\All Users\Application Data\GamesBar\mygames.gif
c:\documents and settings\All Users\Application Data\GamesBar\newGames.gif
c:\documents and settings\All Users\Application Data\GamesBar\oberonconfig.xm_
c:\documents and settings\All Users\Application Data\GamesBar\obSearchHistory.dat
c:\documents and settings\All Users\Application Data\GamesBar\onload\loading.gif
c:\documents and settings\All Users\Application Data\GamesBar\partner.gif
c:\documents and settings\All Users\Application Data\GamesBar\puzzle.gif
c:\documents and settings\All Users\Application Data\GamesBar\search.gif
c:\documents and settings\All Users\Application Data\GamesBar\search_yahoo.gif
c:\documents and settings\All Users\Application Data\GamesBar\season_match_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\sendafriend.gif
c:\documents and settings\All Users\Application Data\GamesBar\trial.gif
c:\documents and settings\All Users\Application Data\GamesBar\Turbo_Fiesta16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\uninstall.gif
c:\documents and settings\All Users\Application Data\GamesBar\update.gif
c:\documents and settings\All Users\Application Data\GamesBar\webgame.gif
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\deleteme.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\Rkhaa.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\restore
c:\restore\c-1-3-64-8794238531-8742492-9897532\Desktop.ini
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\Desktop.ini
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe
c:\windows\sxdsxdshd.exe
c:\windows\system32\drivers\WinMgmt.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Legacy_WINSOFT_SERVICE_CONTROLER
-------\Service_Viewpoint Manager Service
-------\Service_WinSoft Service Controler


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:12 . 2009-02-24 22:39 d-------- C:\Lop SD
2009-02-24 17:08 . 2009-02-25 20:54 d-------- c:\program files\ESET
2009-02-24 17:08 . 2009-02-24 17:08 0 --a------ c:\windows\system32\mapisvc.inf
2009-02-07 17:30 . 2009-02-18 20:33 d-------- C:\quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 19:54 --------- d-----w c:\program files\Common Files\AOL
2009-02-06 16:30 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-21 15:51 --------- d-----w c:\documents and settings\usr\Application Data\PlayFirst
2009-01-21 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Reflexive
2009-01-21 15:50 --------- d-----w c:\program files\PlayFirst
2009-01-21 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-18 17:59 --------- d-----w c:\program files\PhotoScape
2006-11-21 16:38 18,096 ----a-w c:\documents and settings\usr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.],79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Remote"="c:\program files\LifeView TVR\Remote.exe" [2006-05-09 212992]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe" [2006-01-04 454656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SMCWCU"="c:\program files\SMC\SMCWPCIT-G\SMCWCU.exe" [2006-03-14 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NodLogin"="c:\program files\Eset\nodlogin.exe" [2008-07-29 358448]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programlar\BaŸlang‡\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-09-22 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-02 892032]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\usr\Application Data\Mozilla\Firefox\Profiles\oyyj043w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-25 21:44:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote = c:\program files\LifeView TVR\Remote.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-25 21:47:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 19:47:20
ComboFix2.txt 2009-02-25 19:09:03

Pre-Run: 54.549.286.912 bayt boş
Post-Run: 54,490,476,544 bayt boş

234 --- E O F --- 2009-01-16 16:27:44

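Belahzur's CFScript lists the paths to remove and the log above shows what ComboFix reported under "Other Deletions". As an added example (not code from the thread, nor part of ComboFix), this Python reconciles the two so a helper can see at a glance which requested paths were confirmed deleted and which were not; the script and log excerpts are constructed for the example from a few of the thread's paths, and the helper names are hypothetical.

```python
import re

# Constructed CFScript in the layout used in the thread (section name followed
# by "::", one path per line); only a few of the thread's paths are used.
SAMPLE_CFSCRIPT = r"""KILLALL::

File::
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\7l3m4x8d6.exe
c:\windows\system32\drivers\WinMgmt.exe

Folder::
c:\restore
"""

# Constructed ComboFix log excerpt: the "Other Deletions" banner section lists
# what was removed; one requested file is deliberately left out of it.
SAMPLE_LOG = r"""ComboFix 09-02-24.02 - usr 2009-02-25 21:41:43.2 - NTFSx86

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\lpex.exe
c:\restore
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Viewpoint Manager Service
"""

# A ComboFix section banner: a run of "(", the title, a run of ")".
_BANNER_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+\s*$")


def cfscript_sections(text):
    """Map each 'Name::' section of a CFScript to its non-blank entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def log_section(text, title):
    """Non-blank lines of the ComboFix log section under the given banner
    (ComboFix separates sections with lines that are just a dot)."""
    lines, inside = [], False
    for raw in text.splitlines():
        banner = _BANNER_RE.match(raw)
        if banner:
            inside = banner.group("title").lower() == title.lower()
            continue
        line = raw.strip()
        if inside and line and line != ".":
            lines.append(line)
    return lines


def reconcile(cfscript, log):
    """Split the File:: and Folder:: entries of the script into those that
    appear in the log's 'Other Deletions' (confirmed) and those that do not
    (missing: still present, already gone, or removed some other way)."""
    sections = cfscript_sections(cfscript)
    requested = sections.get("File", []) + sections.get("Folder", [])
    deleted = {p.lower() for p in log_section(log, "Other Deletions")}
    confirmed = [p for p in requested if p.lower() in deleted]
    missing = [p for p in requested if p.lower() not in deleted]
    return confirmed, missing


if __name__ == "__main__":
    ok, not_seen = reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print("confirmed deleted:", ok)
    print("not in Other Deletions:", not_seen)
```

A path in the missing list is the cue to look further down the log (Find3M, running processes, catchme) before declaring the machine clean.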

Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 7:52 pm

Did I do everything correctly?


Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 8:01 pm

Hello.
Yep, just these last things to do.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Now install a new AV.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) [You must be registered and logged in to see this link.]
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is everything now?


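The fix.reg above resets the four Security Center values that the earlier ComboFix log showed set to 1, which is how the machine stopped warning about its missing antivirus and firewall. As an added example (not code from the thread or from ComboFix), this Python parses the REGEDIT4-style "Reg Loading Points" section of such a log, flags any override value that is non-zero and builds the corrective .reg; the log excerpt is constructed from the thread's values and the function names are hypothetical.

```python
import re

# The four DWORD values under the Security Center key that, when set to 1,
# suppress the AV / firewall / updates warnings (the thread's log had all four at 1).
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
OVERRIDE_VALUES = (
    "AntiVirusDisableNotify",
    "UpdatesDisableNotify",
    "AntiVirusOverride",
    "FirewallOverride",
)

# Constructed excerpt in the REGEDIT4 layout ComboFix prints under
# "Reg Loading Points"; the values mirror those in the thread's log.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_dwords(log_text):
    """Return {key_path: {value_name: int}} for every dword line in a
    REGEDIT4-style dump. Key paths are lower-cased (registry paths are
    case-insensitive); string values and bare names are ignored."""
    result = {}
    current = None
    for line in log_text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group("key").lower()
            result.setdefault(current, {})
            continue
        val = _DWORD_RE.match(line)
        if val and current is not None:
            result[current][val.group("name")] = int(val.group("hex"), 16)
    return result


def find_security_center_overrides(log_text):
    """Names of the override values that are set to a non-zero DWORD."""
    values = parse_reg_dwords(log_text).get(SECURITY_CENTER_KEY, {})
    return [name for name in OVERRIDE_VALUES if values.get(name, 0) != 0]


def build_fix_reg(overrides):
    """A Registry Editor 5.00 script that sets each flagged value back to 0,
    i.e. the same content as the hand-written fix.reg in the thread."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    ]
    lines += ['"%s"=dword:00000000' % name for name in overrides]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    flagged = find_security_center_overrides(SAMPLE_LOG)
    print("Security Center overrides set to 1:", flagged)
    print(build_fix_reg(flagged))
```

Running the same check on the log posted after the fix is merged should return an empty list; if the values flip back to 1 on their own, something is still resident.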

Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 8:33 pm

CF is uninstalled on the last step, is this ok?
Everything seems to be normal now; can I give the PC back to my sister now? After some use we can give better feedback about the machine a few days later.. I don't know how to thank you!!

If everything is done, can you give me some brief information on what happened to this machine and what caused this.. Also you've said that (about my PC) I was infected from Messenger Plus? Are you sure about that? Cos I don't use Plus extensions.. Are we both safe now? Especially from the Lop kind of problems that you've mentioned before.. Could you give info about both computers separately?

Now I am returning to my machine.. Glad that you're always here to help us, God bless you :))


Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 8:39 pm

Don't know if you used Messenger Plus, but your sister did.

From CF log:

((((( Find3m )))))
c:\program files\Messenger Plus! Live



Re: multiple infections

Post by tinkerman on Wed Feb 25, 2009 9:20 pm

I returned to my PC.. Yes, I am sure my sister still uses it.. Do you have any advice about that? Is it necessary to run CF on my PC? Or finally is it time to relax :)?


Re: multiple infections

Post by Belahzur on Wed Feb 25, 2009 10:15 pm

If your and your sister's machines are fine now, then I'd say you can relax.
Let me know how everything is in your next post.



Re: multiple infections

Post by tinkerman on Thu Feb 26, 2009 10:44 am

My machine seems to be working fine; I will ask my sister if everything has returned to normal when I see her this evening.. Thank you again for everything you've done for me.. I've started to support you on Facebook and advertising GP to my friends..

You've told me that you'd post a brief message about what happened to our machines, what the cause of the damage was, and how we can protect ourselves from future damage.. For example, do you want me to post DDS or HijackThis logs periodically, once a week or so?

Another question I want to ask you is about the trojans I deleted via my antivirus before consulting you.. I cleaned nearly 50 Kryptik.GH, Kryptik.GF, Kryptik.GA, Kryptik.DQ and so on Kryptik stuff; what were those? And am I carrying any risks now?


Re: multiple infections

Post by tinkerman on Thu Feb 26, 2009 3:50 pm

I am more than happy to say that both of our machines work very well now :Clapping:


Re: multiple infections

Post by Belahzur on Thu Feb 26, 2009 4:59 pm

Hello.
The Kryptik files I did a little research on today; they appear mostly in %temp%, which aren't dangerous.

Glad the machines are fine. Next time you/your sister installs Plus!, watch what it says because the 2 options will either install cleanly or restore this infection.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin



Re: multiple infections

Post by tinkerman on Thu Feb 26, 2009 11:17 pm

Thank you for your recommendations; I will consider and apply them slowly when I have free time.. Can I be sure that this topic will remain open?


Re: multiple infections

Post by Belahzur on Thu Feb 26, 2009 11:21 pm

It will remain open for about 7-10 days.
After 10 days, it will be closed.

If you want it re-opened, PM me or Doctor_Inferno.
If not, then just start a new topic.



Big Problems again:-(

Post by tinkerman on Mon Mar 02, 2009 9:34 am

Hello my saviour again.. I am too upset to say that I'm writing from my sis's machine because the similar problems that I encountered on this machine have now damaged my laptop.. It means that I can't do anything on the internet at the moment; can't connect to any site, or MSN etc..

Everything was working fine last night for me until my father took my laptop and not more than 5 minutes passed before suddenly he revealed that he can't even log in to hotmail.com.. I am really jaded with him because I can predict that he always tries to connect to those bad porn sites.. I suppose the damage is maybe from Saturday night.. (cos I wasn't at home and probably he took my laptop and did strange things.. but the machine seemed to be fine all Sunday till the night that I gave the machine to him..

The most common message that I receive when I try to connect with Mozilla is something like 'web prescription: tr.start2.mozilla.com server is answering too late..' (I've tried to translate it to English)

Note that: I had installed Spybot S&D and Outpost Firewall on my laptop; they couldn't avoid the damage :(

As a result I need your invaluable help again :(( Do you want me to post the DDS log or HijackThis log?


Re: multiple infections

Post by Belahzur on Mon Mar 02, 2009 2:15 pm

DDS log please.



Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 2:51 pm

hi again..
DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:44:29,56 on 02.03.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1553 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nodlogin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Problem Çözümleme Artıkları\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R1 VFILT;Outpost Firewall Kernel Driver;c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [2009-3-1 90368]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [2009-3-1 15552]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [2009-3-1 3904]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [2009-3-1 6144]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [2009-3-1 6304]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [2009-3-1 7776]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [2009-3-1 9152]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [2009-3-1 7072]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [2009-3-1 9920]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [2009-3-1 6656]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [2009-3-1 7136]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [2009-3-1 15584]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-03-02 16:42 268 a---h--- C:\sqmdata03.sqm
2009-03-02 16:42 244 a---h--- C:\sqmnoopt03.sqm
2009-03-01 23:58 268 a---h--- C:\sqmdata02.sqm
2009-03-01 23:58 244 a---h--- C:\sqmnoopt02.sqm
2009-03-01 23:19 268 a---h--- C:\sqmdata01.sqm
2009-03-01 23:19 244 a---h--- C:\sqmnoopt01.sqm
2009-03-01 21:53 --d----- c:\program files\common files\Agnitum Shared
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-27 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-02-27 23:48 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-26 23:45 268 a---h--- C:\sqmdata00.sqm
2009-02-26 23:45 244 a---h--- C:\sqmnoopt00.sqm
2009-02-25 17:51 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 16:40 --d----- C:\Lop SD
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-03-01 22:57 413,744 a------- c:\windows\system32\perfh01F.dat
2009-03-01 22:57 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 16:44:55,87 ===============

tinkerman
Intermediate

Posts : 109
Joined : 2009-02-11
Gender : Male
OS : windows xp with sp3

Re: multiple infections

Post by Belahzur on Mon Mar 02, 2009 2:55 pm

Hello.
This log looks fine, there are no real signs of malware, only leftovers.
What problems is this machine having?

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm
    C:\Lop SD


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 3:02 pm

As I mentioned before: ''Hello my saviour again.. I am too upset to say that I'm writing from my sis's machine because the similar problems that I've encountered on this machine have now damaged my laptop.. It means that I can't do anything on the internet at the moment, can't connect to any site, or MSN etc..

Everything was working fine yesterday night for me until my father took my laptop and not more than 5 minutes passed before he suddenly revealed that he can't even log in to hotmail.com.. I am really jaded with him because I can predict that he always tries to connect to those bad porn sites.. I suppose the damage is maybe from Saturday night.. ('cos I wasn't at home and probably he took my laptop and did strange things.. but the machine seemed to be fine all Sunday till the night that I gave the machine to him..)

The most common message that I receive when I try to connect with Mozilla is something like 'web prescription: tr.start2.mozilla.com server is answering too late..' (I've tried to translate it to English)

Note that: I had installed Spybot S&D and Outpost Firewall on my laptop; they couldn't avoid the damage :(''
Could the source of the damage occur when he opens his account, and then affect me?


Re: multiple infections

Post by Belahzur on Mon Mar 02, 2009 3:06 pm

Maybe that's why DDS gave me nothing.
The malware is on the other account of the machine and just appears on yours without the files.

Your account is fine, can you log on to the other account and post a DDS log from that account?



Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 3:16 pm

I think that will prove that I am innocent :-) We are curing the machine and he makes it ill easily :((

========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\Lop SD moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03022009_171126

Now I will open his account and post the DDS log..

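
As an added illustration of what the `:files` script above asks OTMoveIt to do, and of the results log it produced, here is example code written for this thread (it is not OTMoveIt's own code): the patterns under `:files` are expanded, every match is moved into a quarantine folder rather than deleted, with its original path mirrored underneath, and a log in the same "moved successfully" style is written. `SAMPLE_SCRIPT`, the `_quarantine` folder name and the sample files are constructed for the demo; OTMoveIt's reboot-deferred move for locked files is not reproduced here, a locked item is simply reported in the log.

```python
"""Apply an OTMoveIt-style ':files' list: expand each pattern, move the matches into a
quarantine folder (original path preserved under it) and write a 'moved successfully'
style log.  Example written for this thread; not OTMoveIt's own code."""
import glob
import os
import shutil
import tempfile
from typing import Dict, List

# Constructed script with the same three patterns the thread's instructions used.
SAMPLE_SCRIPT = """
:files
sqmdata*.sqm
sqmnoopt*.sqm
Lop SD
"""


def parse_files_section(script: str) -> List[str]:
    """Return the patterns listed under ':files'; any other ':header' ends that list."""
    patterns, inside = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            inside = line.lower() == ":files"
            continue
        if inside:
            patterns.append(line)
    return patterns


def quarantine(patterns: List[str], base: str, qdir: str) -> List[str]:
    """Move every match of each pattern under qdir, mirroring its path relative to base.
    Relative patterns are resolved against base.  Returns the log lines; an item that
    cannot be moved (locked, permissions) is reported, never silently skipped."""
    os.makedirs(qdir, exist_ok=True)
    log: List[str] = []
    for pat in patterns:
        full = pat if os.path.isabs(pat) else os.path.join(base, pat)
        matches = sorted(glob.glob(full))
        if not matches:
            log.append(f"File/Folder {full} not found.")
            continue
        for src in matches:
            try:
                rel = os.path.relpath(src, base)
            except ValueError:              # different drive on Windows: keep the name only
                rel = os.path.basename(src)
            dest = os.path.join(qdir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            try:
                shutil.move(src, dest)
                log.append(f"{src} moved successfully.")
            except OSError as exc:
                log.append(f"{src} could not be moved: {exc}")
    with open(os.path.join(qdir, "moveit.log"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(log) + "\n")
    return log


def demo() -> Dict[str, List[str]]:
    """Run SAMPLE_SCRIPT in a throwaway directory seeded with constructed files and
    return what a reviewer would check: the log, what was left, what was quarantined."""
    with tempfile.TemporaryDirectory() as base:
        for name in ("sqmdata00.sqm", "sqmdata01.sqm", "sqmnoopt00.sqm", "keep.txt"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("sample\n")
        os.makedirs(os.path.join(base, "Lop SD"))
        with open(os.path.join(base, "Lop SD", "lopsd.txt"), "w") as fh:
            fh.write("sample\n")
        qdir = os.path.join(base, "_quarantine")
        log = quarantine(parse_files_section(SAMPLE_SCRIPT), base, qdir)
        left = sorted(n for n in os.listdir(base) if n != "_quarantine")
        quarantined = sorted(
            os.path.relpath(os.path.join(d, f), qdir).replace(os.sep, "/")
            for d, _, files in os.walk(qdir) for f in files
        )
        return {"log": log, "left_behind": left, "quarantined": quarantined}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Quarantining instead of deleting is the point of the design: if one of the moved items turns out to be needed, it can be put back from the mirrored path, which is also why OTMoveIt's own log lists each path it moved.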

Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 3:26 pm

DDS (Ver_09-02-01.01) - NTFSx86
Run by Moiz at 17:20:24,31 on 02.03.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1599 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nodlogin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\cem sorun giderme\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moiz\applic~1\mozilla\firefox\profiles\6xuxhze4.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R1 VFILT;Outpost Firewall Kernel Driver;c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [2009-3-1 90368]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [2009-3-1 15552]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [2009-3-1 3904]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [2009-3-1 6144]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [2009-3-1 6304]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [2009-3-1 7776]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [2009-3-1 9152]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [2009-3-1 7072]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [2009-3-1 9920]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [2009-3-1 6656]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [2009-3-1 7136]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [2009-3-1 15584]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-03-01 21:53 --d----- c:\program files\common files\Agnitum Shared
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-27 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-02-27 23:48 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-26 22:36 --d----- c:\docume~1\moiz\applic~1\BSplayer
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-22 00:49 --d----- c:\docume~1\moiz\applic~1\Windows Search
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-03-01 22:57 413,744 a------- c:\windows\system32\perfh01F.dat
2009-03-01 22:57 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 17:20:41,90 ===============

Could it be a Lop problem again? 'cos the symptoms are similar to the one that you healed the previous week on my sister's machine: the internet is unavailable although there seem to be no connection problems..

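
Added example for reading the two DDS logs posted above (example code written for this thread, not DDS's own code): it pulls the "Pseudo HJT Report" section out of a log, flags the entry kinds a helper reads first (orphaned "No File" entries, a per-user proxy setting, a Winsock LSP), groups the autostart entries by the hive that DDS's `u`/`m`/`d` prefix denotes, and diffs the section between two accounts, which is the check Belahzur is making when he asks for a log from the other account. The two log excerpts are constructed from the thread's logs with placeholder host names; the flags are prompts to look closer, not verdicts.

```python
"""Parse the 'Pseudo HJT Report' section of DDS logs, flag the entry kinds a
malware-removal helper reads first, and diff that section between two user
accounts on the same machine.  Example written for this thread; not DDS code."""
import re
from typing import Dict, List, Set, Tuple

# Conventional meaning of the DDS prefixes on Run-style entries.
HIVE = {"u": "HKCU (current user)", "m": "HKLM (all users)", "d": "Default user profile"}

# Constructed excerpts modelled on the two logs in the thread (hosts are placeholders).
LOG_OWNER = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://start.example.invalid/
uInternet Settings,ProxyServer = proxy.example.invalid:81
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
LSP: c:\windows\system32\imon.dll

================= FIREFOX ===================
"""

LOG_OTHER = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://start.example.invalid/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
LSP: c:\windows\system32\imon.dll

================= FIREFOX ===================
"""

HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "=== Section title ==="
KIND_RE = re.compile(r"^([A-Za-z][\w-]*): (.*)$")     # "uRun: ...", "BHO: ...", "LSP: ..."
NAME_RE = re.compile(r"^\[(.*?)\]\s*(.*)$")           # Run entries: "[Name] command"


def section(log: str, title: str) -> List[str]:
    """Non-empty lines between the '=== title ===' header and the next header."""
    out, inside = [], False
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            inside = m.group(1).lower() == title.lower()
            continue
        if inside and line.strip():
            out.append(line.rstrip())
    return out


def parse_entry(line: str) -> Tuple[str, str, str]:
    """Split one report line into (kind, name, value)."""
    m = KIND_RE.match(line)
    if m:
        kind, rest = m.group(1), m.group(2)
        n = NAME_RE.match(rest)
        return (kind, n.group(1), n.group(2)) if n else (kind, "", rest)
    if " = " in line:                       # settings such as "uStart Page = ..."
        key, value = line.split(" = ", 1)
        return "setting", key, value
    return "other", "", line


def review(lines: List[str]) -> List[str]:
    """Entries worth a second look, in the order a helper would check them."""
    findings = []
    for line in lines:
        kind, name, value = parse_entry(line)
        if value.endswith("No File"):
            findings.append(f"orphaned {kind} (leftover, no file on disk): {value}")
        elif kind == "setting" and "ProxyServer" in name:
            findings.append(f"proxy set for this user, confirm it is intended: {value}")
        elif kind == "LSP":
            findings.append(f"Winsock LSP present, identify the owning product: {value}")
    return findings


def autostarts_by_hive(lines: List[str]) -> Dict[str, List[str]]:
    """Group Run-style entries by the hive their DDS prefix denotes."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        kind, name, _ = parse_entry(line)
        if kind.endswith("Run") and kind[0] in HIVE:
            out.setdefault(HIVE[kind[0]], []).append(name)
    return out


def diff_accounts(log_a: str, log_b: str) -> Tuple[Set[str], Set[str]]:
    """Lines only in A's section and only in B's.  u* entries and settings are per-user
    and may legitimately differ; m*/d* entries are machine-wide and should match."""
    a = set(section(log_a, "Pseudo HJT Report"))
    b = set(section(log_b, "Pseudo HJT Report"))
    return a - b, b - a


if __name__ == "__main__":
    for label, log in (("Owner", LOG_OWNER), ("Other", LOG_OTHER)):
        lines = section(log, "Pseudo HJT Report")
        print(f"== {label} ==")
        for finding in review(lines):
            print("  ", finding)
        print("   autostarts:", autostarts_by_hive(lines))
    only_a, only_b = diff_accounts(LOG_OWNER, LOG_OTHER)
    print("only in Owner:", sorted(only_a))
    print("only in Other:", sorted(only_b))
```

On the constructed excerpts the diff shows exactly what the thread's two logs show: the per-user differences (a proxy and TeaTimer on one account, `ctfmon.exe` on the other) while the machine-wide `mRun` and `dRun` entries match, which is the pattern of a clean machine rather than of malware living in one profile.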

Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 3:34 pm

When trying to surf it always says something like 'network prescription: mozilla server is answering too late..' Below that it shows some reasons; maybe the Outpost Firewall's wrong settings could cause such a problem, I don't know?


Re: multiple infections

Post by Belahzur on Mon Mar 02, 2009 3:35 pm

The log looks okay.
We can check if it's LOP, but I doubt it is.

The problem could be the firewall.
Uninstall it for now and see if it repairs it.



Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 3:51 pm

Yes, you were right! It turned to normal after uninstalling the firewall.. (I've checked both accounts.) Am I supposed to do something else?

While checking his account I saw many bad sites that he usually uses, probably.. Do you advise me to delete his temp folder, to prevent future threats?


Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 3:58 pm

If I don't know how to use a firewall well, I think I shouldn't use it, am I right?
And one more question: I was using a cracked version of NOD32, as you could see from the logs. Do you advise me to use Avira Personal Free instead of the cracked NOD32?

And finally, are Spybot S&D and the Firefox add-ons together enough for my defence?


Re: multiple infections

Post by Belahzur on Mon Mar 02, 2009 4:02 pm

Sticking with Windows firewall should be enough providing you surf safely.
The Firefox add-ons will protect you.

Yeah, uninstall nod32 and install Avira.



Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 4:06 pm

OK, I will use Avira from now on..

How can I be sure that Windows Firewall is open and protecting me properly?
It seems closed and I can't open it from Windows Security Center!?


Re: multiple infections

Post by Belahzur on Mon Mar 02, 2009 4:13 pm

Windows would alert you if the firewall wasn't switched on.



Re: multiple infections

Post by tinkerman on Mon Mar 02, 2009 4:16 pm

OK, thank you for everything you've done for me :) I hope you aren't jaded of dealing with my problems again and again..


Re: multiple infections

Post by tinkerman on Thu Mar 05, 2009 3:20 pm

Hi again, this time I haven't got any problems with the machine :) just searching for the Piranha Webcam Driver, model PC5000, can you help me?


Re: multiple infections

Post by Belahzur on Thu Mar 05, 2009 5:13 pm

Maybe.
Please open a thread in the software area for that, since this is the malware removal section.


