Help Please Stupid Virus attack - Red X

View previous topic View next topic Go down

Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 9:22 am

Hello - I require help, pretty please geek police.

I have a virus that is blocking virus scanners and won't let me download anything that may clean it out.

It has a red circle with a White X on the task bar. Every minute it comes up saying "Warning! Security report. Your computer is infected! it is recommended to start spyware cleaner tool.

If I go to google and do a search on virus downloads it will work but if I was to click on the link it redirects me to some stupid ad and hitting back eventually takes me to My Documents

I have AVG and it wont let me download updates

on the top of the screen it says in red the same thing Warning Warning Warning

I am in safe mode now as it eventually booted the computer down to a blue screen of death

Please help

Cheers
Ainsley

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 9:28 am

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 9:43 am

Hello

thanks so much for your prompt reply. Here is the txt result

cheers

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekaxvnymeyy.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 9:49 am

Lets kill this rootkit and then your programs should work, we'll use an effective scanner once this rootkit is gone.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
seneka

Files to delete:
C:\WINDOWS\system32\drivers\senekaxvnymeyy.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 10:03 am

Hello

Each time this reboots and every key stroke it just gets worse and worse. Very weird things are happening. Trying to repost this again now

Results as follows

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekaxvnymeyy.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "seneka" deleted successfully.
File "C:\WINDOWS\system32\drivers\senekaxvnymeyy.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 10:05 am

Probably the rootkits fault, but we'll see if this can remove the files.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 10:21 am

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/10/2009 9:20:42 PM
mbam-log-2009-03-10 (21-20-42).txt

Scan type: Quick Scan
Objects scanned: 65400
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 61

Memory Processes Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\XPPoliceAntivirus (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\XPPoliceAntivirus\setup.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cevakrnl.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cevakrnl.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cevakrnl.rvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_dll.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_emu.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_vfs.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_vfs.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cookie.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cran.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cran.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\emalware.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\e_spyw.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\e_spyw.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\gvmscripts.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\hpe.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\java.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_97.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_97.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_w95.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_x95.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_xf.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mobmalware.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\na.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\nelf.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\regarch.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\regscan.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\rup.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\sdx.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\sdx.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\unpack.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\unpack.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vb0.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vb1.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vb2.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ve.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ve.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vedata.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds\alert.wav (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds\click.wav (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds\fire.wav (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaathlwxrb.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaeptkjlov.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaexjgelwb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekajxjsddhf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalymyqksr.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaneoofjpj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekarifonssw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekasiutkjlf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaulsioenp.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekayabwqvns.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekahopknkbx.sys (Trojan.Agent) -> Quarantined and deleted successfully.

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 10:23 am

Thanks heaps for your help, it is getting quite late here, we will be back online in 17 hours...hopefully

Thanks heaps!

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 10:39 am

We have rebooted after the scan, and there seems to be no virus present, the red X is gone, and there is a command prompt file called 'c:\spsx.exe' that popped up on reboot that wont shut, otherwise it seems okay. we will check back tomorrow. is it an ongoing virus scanner, or just one off?

Can't thank you enough Belahzur,
cheers ainsley

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 11:40 am

The malware is still present.
When you get back, run this scanner.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 8:09 pm

DDS (Ver_09-02-01.01) - NTFSx86
Run by User at 7:08:12.37 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.75 [GMT 11:00]

AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\fxsteller.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{00cd55d6-ee5a-4570-9875-8a306628c032}\Icon3E5562ED7.ico
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-12 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-12 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-12 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-12 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-12 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-3-12 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-3-12 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-3-12 4960]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-03-10 21:36 93,266 a------- C:\sp2.exe
2009-03-10 21:34 290 a------- C:\spsx.exe
2009-03-10 21:07 --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-03-10 21:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-10 21:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 21:07 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 21:07 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-10 20:54 1,104 a------- C:\backup.reg
2009-03-10 20:37 135,168 a------- C:\zip.exe
2009-03-10 20:37 19,286 a------- C:\cleanup.exe
2009-03-10 20:37 574 a------- C:\cleanup.bat
2009-03-10 18:52 446 a------- c:\windows\system32\win32hlp.cnf
2009-03-10 18:52 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-03-10 18:52 1 a------- c:\windows\system32\uniq.tll
2009-03-10 18:52 30,720 a------- c:\windows\system32\303369.exe
2009-03-10 18:16 48,690 ---shr-- c:\windows\fxsteller.exe
2009-03-06 17:54 --d----- c:\program files\Monster Trucks Nitro Demo
2009-02-20 21:27 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-20 21:27 159,232 a------- c:\windows\system32\ptpusd.dll
2009-02-12 17:07 --d----- c:\program files\Tux4kids
2009-02-11 17:27 --d----- c:\docume~1\user\applic~1\TuxPaint
2009-02-11 17:26 --d----- c:\program files\TuxPaint

==================== Find3M ====================

2009-03-10 18:52 104,960 a------- c:\windows\system32\userinit.exe
2009-02-07 19:45 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-21 10:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-18 21:43 30 a------- c:\documents and settings\user\jagex_runescape_preferences.dat

============= FINISH: 7:08:48.89 ===============

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 8:25 pm

Oh wow, this machine is horribly infected, how is it even able to boot properly?

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 10:15 pm

Oh Wow, thats not good news at all. Before this latest Red X Virus, it actually worked beautifully.
Can I ask you, would the keystrokes being logged be a program someone has installed within the house (ie someone I know spying) or are they more likely to be hacker related. I dont see how my computer would be of interest to anyone unless there is dissent in the house
Either way this is totally out of my league and I would appreciate your assistance

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 11:06 pm

Nope, it's a hacker.

This line from DDS:
mRun: [Windows UDP Control Center] fxsteller.exe

Info:
[You must be registered and logged in to see this link.]

This is why you got infected:
AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

You can't stay safe if you don't keep your AV up to date.
I'd seriously recommend a format here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Tue Mar 10, 2009 11:22 pm

Belahur

OK So changed all passwords. I will then blow away windows and start again. I have all info music files etc saved in an external box, I presume this is also infected. What a nightmare

cheers

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Tue Mar 10, 2009 11:28 pm

Actually, I don't think the external is infected.
MBAM/DDS would show an autorun.inf on the C drive, but there isn't in this case. So I think the external drive is fine.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Wed Mar 11, 2009 9:58 am

hello,

could we please accept your kind offer of cleaning this pc remotely, we would like to try this before the re-format option

cheers!

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Wed Mar 11, 2009 1:11 pm

Okay.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG7)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Thu Mar 12, 2009 7:17 am

ComboFix 09-03-10.03 - User 2009-03-12 17:50:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.276 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG 7.5.503 *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\303369.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekahopknkbx.sys
c:\windows\system32\init32.exe
c:\windows\system32\senekaeptkjlov.dll
c:\windows\system32\senekajxjsddhf.dat
c:\windows\system32\senekalymyqksr.dat
c:\windows\system32\senekarifonssw.dll
c:\windows\system32\senekaulsioenp.dll
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-10 21:36 . 2009-03-10 21:36 93,266 --a------ C:\sp2.exe
2009-03-10 21:34 . 2009-03-10 21:34 290 --a------ C:\spsx.exe
2009-03-10 21:27 . 2009-03-10 21:27 d-------- c:\documents and settings\Administrator
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 21:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 20:54 . 2009-03-10 20:54 1,104 --a------ C:\backup.reg
2009-03-10 20:37 . 2009-03-10 20:54 135,168 --a------ C:\zip.exe
2009-03-10 20:37 . 2009-03-10 20:54 19,286 --a------ C:\cleanup.exe
2009-03-10 20:37 . 2009-03-10 20:54 574 --a------ C:\cleanup.bat
2009-03-10 18:16 . 2009-03-09 22:51 48,690 -r-hs---- c:\windows\fxsteller.exe
2009-03-06 17:54 . 2009-03-06 17:54 d-------- c:\program files\Monster Trucks Nitro Demo
2009-02-20 21:27 . 2008-04-14 11:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-20 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-02-12 17:07 . 2009-02-12 17:07 d-------- c:\program files\Tux4kids

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 06:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-12 06:26 --------- d-----w c:\documents and settings\User\Application Data\AVG7
2009-03-10 10:09 5,747 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-01 03:02 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-02-12 04:58 --------- d-----w c:\program files\TuxPaint
2009-02-11 07:16 --------- d-----w c:\documents and settings\User\Application Data\TuxPaint
2009-02-07 08:17 --------- d-----w c:\program files\Google
2009-02-07 08:13 --------- d-----w c:\program files\MySpace
2009-02-07 08:10 --------- d-----w c:\program files\Canon
2009-02-07 07:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 18:18 --------- d-----w c:\program files\Common Files\CANON
2009-02-06 18:14 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-02-06 18:13 --------- d--h--w c:\program files\CanonBJ
2009-01-19 20:49 --------- d-----w c:\program files\sz8080_6
2009-01-19 20:49 --------- d-----w c:\documents and settings\User\Application Data\School Zone Preferences
2008-11-18 10:43 30 ----a-w c:\documents and settings\User\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-21 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-21 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-21 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 57344]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-03-12 579072]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-12 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
VPN Client.lnk - c:\windows\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2008-11-26 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\[You must be registered and logged in to see this link.]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\User_Feed_Synchronization-{10B83218-3B6A-4A63-B109-B4A676C056FB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-12 17:56:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1958367476-682003330-1004\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-12 18:02:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 07:02:00

Pre-Run: 1,929,736,192 bytes free
Post-Run: 2,536,493,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

168 --- E O F --- 2009-03-10 20:32:31

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Thu Mar 12, 2009 11:26 am

Nearly there.

Now open a new notepad file.
Input this into the notepad file:

File::
C:\sp2.exe
C:\spsx.exe
C:\backup.reg
C:\zip.exe
C:\cleanup.exe
C:\cleanup.bat
c:\windows\fxsteller.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 3:11 am

ComboFix 09-03-10.03 - User 2009-03-13 14:04:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.267 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFscript.txt
AV: AVG 7.5.503 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-10 21:36 . 2009-03-10 21:36 93,266 --a------ C:\sp2.exe
2009-03-10 21:34 . 2009-03-10 21:34 290 --a------ C:\spsx.exe
2009-03-10 21:27 . 2009-03-10 21:27 d-------- c:\documents and settings\Administrator
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 21:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 20:54 . 2009-03-10 20:54 1,104 --a------ C:\backup.reg
2009-03-10 20:37 . 2009-03-10 20:54 135,168 --a------ C:\zip.exe
2009-03-10 20:37 . 2009-03-10 20:54 19,286 --a------ C:\cleanup.exe
2009-03-10 20:37 . 2009-03-10 20:54 574 --a------ C:\cleanup.bat
2009-03-10 18:16 . 2009-03-09 22:51 48,690 -r-hs---- c:\windows\fxsteller.exe
2009-03-06 17:54 . 2009-03-06 17:54 d-------- c:\program files\Monster Trucks Nitro Demo
2009-02-20 21:27 . 2008-04-14 11:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-20 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 21:00 --------- d-----w c:\documents and settings\User\Application Data\AVG7
2009-03-12 20:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-10 10:09 5,747 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-01 03:02 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-02-12 06:07 --------- d-----w c:\program files\Tux4kids
2009-02-12 04:58 --------- d-----w c:\program files\TuxPaint
2009-02-11 07:16 --------- d-----w c:\documents and settings\User\Application Data\TuxPaint
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 08:17 --------- d-----w c:\program files\Google
2009-02-07 08:13 --------- d-----w c:\program files\MySpace
2009-02-07 08:10 --------- d-----w c:\program files\Canon
2009-02-07 07:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 18:18 --------- d-----w c:\program files\Common Files\CANON
2009-02-06 18:14 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-02-06 18:13 --------- d--h--w c:\program files\CanonBJ
2009-01-19 20:49 --------- d-----w c:\program files\sz8080_6
2009-01-19 20:49 --------- d-----w c:\documents and settings\User\Application Data\School Zone Preferences
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-18 10:43 30 ----a-w c:\documents and settings\User\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-21 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-21 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-21 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 57344]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-03-12 579072]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-12 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
VPN Client.lnk - c:\windows\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2008-11-26 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\[You must be registered and logged in to see this link.]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\User_Feed_Synchronization-{10B83218-3B6A-4A63-B109-B4A676C056FB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-13 14:07:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1958367476-682003330-1004\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
Completion time: 2009-03-13 14:10:17
ComboFix-quarantined-files.txt 2009-03-13 03:09:17
ComboFix2.txt 2009-03-12 07:02:21

Pre-Run: 2,413,068,288 bytes free
Post-Run: 2,474,467,328 bytes free

131 --- E O F --- 2009-03-10 20:32:31

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Fri Mar 13, 2009 9:24 am

That didn't work right.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    C:\sp2.exe
    C:\spsx.exe
    C:\backup.reg
    C:\zip.exe
    C:\cleanup.exe
    C:\cleanup.bat
    c:\windows\fxsteller.exe


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 9:43 am

Hello This is what I got. cheers

========== FILES ==========
C:\sp2.exe moved successfully.
C:\spsx.exe moved successfully.
C:\backup.reg moved successfully.
C:\zip.exe moved successfully.
C:\cleanup.exe moved successfully.
C:\cleanup.bat moved successfully.
c:\windows\fxsteller.exe moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_204211

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Fri Mar 13, 2009 9:49 am

Okay, the malware is gone, but not done yet.
Your AVG is outdated and won't keep you protected, so we have to remove it and install a new AV.

First though, we need to remove Combofix because we don't need it now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Lets see what's installed.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 11:07 am

sorry we dont have the program 'HijackThis'
could you please send us a link
cheers

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Fri Mar 13, 2009 11:24 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 11:42 am

here you go...thanks

ABBYY FineReader 5.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11
AVG 7.5
Ben 10 Escape Fury
Canon MP Navigator EX 2.0
Canon MP630 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Cisco Systems VPN Client 4.7.00.0533
Dell Resource CD
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Lexmark X1100 Series
Malwarebytes' Anti-Malware
Maxtor Manager
Maxtor Manager
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
mIRC
Monster Trucks Nitro Demo
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
OTOY
Pencil-Pal Preschool
QuickTime
Registry Mechanic 8.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SoundMAX
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VLC media player 0.9.2
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Fri Mar 13, 2009 11:48 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    Adobe Reader 7.0
    AVG 7.5
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 3
    VLC media player 0.9.2


These items I ask to be uninstalled, are all old versions and I want to update them to the new versions.
First, install Avira.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Second, install the latest versions of Adobe Reader.

Download and install version 9 from here:
[You must be registered and logged in to see this link.]

Let me know once you've done that and then we'll do VLC player and Java.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 12:25 pm

ok i am done
cheers

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Fri Mar 13, 2009 1:13 pm

Hello.
Okay, Java and VLC.

Please download and install the VLC player 0.9.8b from here:
[You must be registered and logged in to see this link.]

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This release includes the highly anticipated...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa. (If you are running Vista, you will need to right click JavaRa > select "Run as administrator")
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 1:29 pm

here we go
thanks heaps!

JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Mar 14 00:27:37 2009

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

------------------------------------

Finished reporting.

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by Belahzur on Fri Mar 13, 2009 1:32 pm

That should do it.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Help Please Stupid Virus attack - Red X

Post by ainsley on Fri Mar 13, 2009 1:35 pm

Thank you!
i don't think i can put into words how much help you have been. You guys are great! Thanks for everything that you have done and the time and effort you have put into our problem.
Cheers Ainsley

ainsley
Novice
Novice

Posts Posts : 18
Joined Joined : 2009-03-10
OS OS : xp
Points Points : 28280
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum