
Antivirus applications unworkable...even their websites, please help!

Discussion in 'Virus & Other Malware Removal' started by sea_sprite, Apr 3, 2010.

  1. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Hello,

    I have now had three computers go down with this crazy virus... not fixable by just reinstalling Windows either.

    It completely disables all possible antivirus programs from running or updating; it even blocks me from accessing their websites from any browser.

    I have no way of identifying it... the only program so far that I have been able to run is HJT.

    Here is my log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:57 AM, on 4/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Documents and Settings\Chelsea\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    D:\Program Files\GNU\GnuPG\dirmngr.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Documents and Settings\Chelsea\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - D:\Program Files\Vuze_Remote\tbVuze.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - D:\Program Files\Vuze_Remote\tbVuze.dll
    O3 - Toolbar: HopSurf toolbar - {E9FAB13D-4600-49E1-90D1-EE961C859D39} - D:\Program Files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
    O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - D:\Program Files\Vuze_Remote\tbVuze.dll
    O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: HopSurf - {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - D:\Program Files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5112A0E3-4E12-49EB-A5DC-EC8070730C53}: NameServer = 156.154.70.22,156.154.71.22
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - D:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: DirMngr - Unknown owner - D:\Program Files\GNU\GnuPG\dirmngr.exe

    --
    End of file - 3958 bytes

    It took one of our laptops down; all PCs are running Windows XP Pro. It managed to damage 2483 sectors on the laptop's hard drive.

    On the other desktop I have re-written the MBR and have now reinstalled Windows XP Pro again. Not sure if it is okay yet or not. That seems to have worked for the time being; I can now access antivirus websites, but that is all I have had time to check so far.

    Is there any other way around this?

    Thank you
     
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.



    • Disable any script blocking protection.
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.

    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here or here.



    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.



    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.



    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  3. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Attached are the logs you requested...


    Thank you once again for your time spent on this, it is very much appreciated!!!

    sea_sprite
     


  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:


    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here



    • Double click on ComboFix.exe & follow the prompts.


    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.




    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [screenshot]




    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    [screenshot]




    • Click on Yes, to continue scanning for malware.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
     
  5. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Hi CatByte,

    Here is the Combo Fix log...

    Thank you.
     


  6. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Re-posting combo fix log in here...

    ComboFix 10-04-03.02 - Chelsea 04/04/2010 18:33:53.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.8 [GMT -7:00]
    Running from: d:\documents and settings\Chelsea\Desktop\ComboFix.exe
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\windows\AppPatch\AcAdProc.dll
    F:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
    .

    2010-04-04 05:13 . 2010-04-04 05:13 -------- d-----w- d:\program files\VideoLAN
    2010-04-02 19:09 . 2007-08-02 17:58 390480 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsUSMgr.dll
    2010-04-02 19:09 . 2007-08-02 17:58 165200 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsUSBVer.dll
    2010-04-02 19:09 . 2007-08-02 17:58 644432 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsUSBUpd.exe
    2010-04-02 19:09 . 2007-08-02 17:58 337232 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsInstru.dll
    2010-04-02 19:09 . 2007-10-24 17:10 2600960 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\u3dapi10.dll
    2010-04-02 19:09 . 2007-11-14 19:51 717088 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\mvsusbui.dll
    2010-04-02 19:09 . 2007-11-14 19:33 529696 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\McVsUSB.exe
    2010-04-02 19:09 . 2007-08-21 19:19 122224 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\mcutil.dll
    2010-04-02 19:09 . 2007-07-13 14:14 288592 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\McAltLib.dll
    2010-04-01 05:22 . 2010-04-01 05:22 -------- d-----w- d:\program files\gBurner
    2010-03-31 00:08 . 2010-03-31 00:16 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Adobe
    2010-03-31 00:04 . 2010-03-31 00:06 -------- d-----w- d:\program files\Common Files\Adobe
    2010-03-30 23:39 . 2009-11-05 15:39 87552 ----a-w- d:\windows\system32\cpwmon2k.dll
    2010-03-29 21:33 . 2010-03-29 21:33 -------- d-----w- d:\program files\GPLGS
    2010-03-29 21:31 . 2010-03-29 21:31 -------- d-----w- d:\program files\Acro Software
    2010-03-29 19:40 . 2010-03-29 19:40 -------- d-sh--w- d:\documents and settings\Chelsea\IECompatCache
    2010-03-29 19:40 . 2010-03-29 19:40 -------- d-sh--w- d:\documents and settings\Chelsea\PrivacIE
    2010-03-29 19:36 . 2010-03-29 19:36 2095 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\login.live.com
    2010-03-29 19:36 . 2010-03-29 19:36 1089 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
    2010-03-26 04:07 . 2010-03-26 04:07 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee
    2010-03-25 03:51 . 2010-03-25 03:51 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\GNU
    2010-03-25 03:51 . 2010-03-25 03:51 -------- d-----w- d:\documents and settings\Chelsea\.kde
    2010-03-25 03:48 . 2010-03-25 03:48 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\GNU
    2010-03-25 03:48 . 2010-03-25 03:48 -------- d-----w- d:\documents and settings\LocalService\Application Data\gnupg
    2010-03-25 03:48 . 2010-03-25 03:52 -------- d-----w- d:\documents and settings\Chelsea\Application Data\gnupg
    2010-03-25 03:48 . 2010-03-25 03:48 -------- d-----w- d:\documents and settings\All Users\Application Data\GNU
    2010-03-25 03:47 . 2010-03-25 03:47 -------- d-----w- d:\program files\GNU
    2010-03-24 16:37 . 2007-10-23 16:27 110592 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\temp\cleanup.exe
    2010-03-24 16:37 . 2010-03-24 16:37 -------- d-----w- d:\program files\WinASO
    2010-03-24 16:18 . 2008-05-02 17:41 3493888 ---ha-w- d:\documents and settings\Chelsea\Application Data\U3\temp\Launchpad Removal.exe
    2010-03-24 16:18 . 2008-04-14 12:41 21504 -c--a-w- d:\windows\system32\dllcache\hidserv.dll
    2010-03-24 16:18 . 2008-04-14 12:41 21504 ----a-w- d:\windows\system32\hidserv.dll
    2010-03-24 16:17 . 2008-04-14 07:15 10368 -c--a-w- d:\windows\system32\dllcache\hidusb.sys
    2010-03-24 16:17 . 2008-04-14 07:15 10368 ----a-w- d:\windows\system32\drivers\hidusb.sys
    2010-03-24 16:17 . 2008-04-14 07:15 32128 -c--a-w- d:\windows\system32\dllcache\usbccgp.sys
    2010-03-24 16:17 . 2008-04-14 07:15 32128 ----a-w- d:\windows\system32\drivers\usbccgp.sys
    2010-03-24 16:17 . 2010-04-02 19:09 -------- d-----w- d:\documents and settings\Chelsea\Application Data\U3
    2010-03-24 16:17 . 2010-03-24 16:17 -------- d-----w- D:\VritualRoot
    2010-03-23 01:27 . 2010-03-23 01:27 0 ----a-w- d:\windows\nsreg.dat
    2010-03-23 01:27 . 2010-03-23 01:27 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Mozilla
    2010-03-23 00:45 . 2010-03-23 00:45 48 ---ha-w- d:\windows\system32\ezsidmv.dat
    2010-03-23 00:45 . 2010-03-29 19:34 -------- d-----w- d:\documents and settings\Chelsea\Application Data\skypePM
    2010-03-22 16:50 . 2010-03-22 16:50 1632 ----a-w- d:\windows\system32\d3d8caps.dat
    2010-03-22 15:11 . 2008-04-14 07:15 26368 -c--a-w- d:\windows\system32\dllcache\usbstor.sys
    2010-03-22 07:34 . 2010-03-26 04:52 -------- d-----w- d:\documents and settings\Chelsea\Application Data\foobar2000
    2010-03-22 07:34 . 2010-03-22 07:34 -------- d-----w- d:\program files\foobar2000
    2010-03-22 07:10 . 2010-03-22 07:10 -------- d-----w- d:\documents and settings\All Users\Application Data\Azureus
    2010-03-22 07:10 . 2010-03-23 05:06 -------- d-----w- d:\documents and settings\Chelsea\Application Data\Azureus
    2010-03-22 07:06 . 2010-03-22 07:09 -------- d-----w- d:\program files\Vuze
    2010-03-22 07:06 . 2010-03-22 07:06 -------- d-----w- d:\program files\Common Files\i4j_jres
    2010-03-22 07:05 . 2010-03-22 07:05 -------- d-----w- d:\program files\Conduit
    2010-03-22 07:05 . 2010-03-22 07:05 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Conduit
    2010-03-22 07:05 . 2010-03-29 19:40 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Vuze_Remote
    2010-03-22 07:05 . 2010-03-22 07:06 -------- d-----w- d:\program files\Vuze_Remote
    2010-03-22 07:05 . 2010-03-22 07:05 -------- d-----w- d:\documents and settings\Chelsea\Application Data\AVG8
    2010-03-22 06:49 . 2010-03-22 06:49 2165 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
    2010-03-22 06:49 . 2010-03-22 06:49 2157 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
    2010-03-22 06:48 . 2010-03-29 19:36 -------- d-----w- d:\documents and settings\Chelsea\Application Data\.purple
    2010-03-22 06:48 . 2010-03-22 06:48 -------- d-----w- D:\Sandbox
    2010-03-22 06:43 . 2010-03-22 06:44 -------- d-----w- d:\program files\Pidgin
    2010-03-22 06:43 . 2010-03-22 06:43 -------- d-----w- d:\program files\Common Files\GTK
    2010-03-22 05:48 . 2010-03-22 05:48 12328 ----a-w- d:\documents and settings\Chelsea\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-22 05:47 . 2010-03-22 05:47 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
    2010-03-22 05:47 . 2010-03-22 05:47 -------- d-sh--w- d:\documents and settings\Chelsea\IETldCache
    2010-03-22 05:47 . 2010-03-22 05:47 -------- d-----w- d:\documents and settings\All Users\Application Data\COMODO
    2010-03-22 05:29 . 2009-12-11 08:38 69120 -c----w- d:\windows\system32\dllcache\iecompat.dll
    2010-03-22 05:29 . 2010-03-31 10:04 -------- d-----w- d:\windows\ie8updates
    2010-03-22 05:29 . 2010-02-25 06:24 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
    2010-03-22 05:29 . 2010-02-25 18:54 11070976 -c----w- d:\windows\system32\dllcache\ieframe.dll
    2010-03-22 05:29 . 2010-02-25 06:24 594432 -c----w- d:\windows\system32\dllcache\msfeeds.dll
    2010-03-22 05:29 . 2010-02-25 06:24 55296 -c----w- d:\windows\system32\dllcache\msfeedsbs.dll
    2010-03-22 05:29 . 2010-02-25 06:24 247808 -c----w- d:\windows\system32\dllcache\ieproxy.dll
    2010-03-22 05:29 . 2010-02-25 06:24 1985536 -c----w- d:\windows\system32\dllcache\iertutil.dll
    2010-03-22 05:27 . 2010-03-22 05:28 -------- dc-h--w- d:\windows\ie8
    2010-03-22 05:16 . 2010-03-29 21:31 -------- d-----w- d:\documents and settings\Chelsea\Application Data\Skype
    2010-03-22 05:16 . 2010-03-22 05:16 -------- d-----w- d:\program files\Common Files\Skype
    2010-03-22 05:16 . 2010-03-22 05:16 -------- d-----r- d:\program files\Skype
    2010-03-22 05:16 . 2010-03-22 05:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Skype
    2010-03-22 05:03 . 2009-12-04 18:22 455424 -c----w- d:\windows\system32\dllcache\mrxsmb.sys
    2010-03-22 05:03 . 2010-03-22 05:03 -------- d-----w- d:\documents and settings\Chelsea\Application Data\Comodo
    2010-03-22 05:02 . 2009-10-15 03:08 32000 ----a-w- d:\windows\system32\drivers\tap0901.sys
    2010-03-22 05:02 . 2010-03-22 05:12 -------- d-----w- d:\program files\Comodo
    2010-03-22 05:02 . 2008-06-13 11:05 272128 -c----w- d:\windows\system32\dllcache\bthport.sys
    2010-03-22 05:02 . 2008-06-13 11:05 272128 ------w- d:\windows\system32\drivers\bthport.sys
    2010-03-22 05:01 . 2010-03-22 05:01 1510584 ----a-w- d:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe
    2010-03-22 05:01 . 2010-03-22 05:01 5542592 ----a-w- d:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe
    2010-03-22 05:00 . 2009-12-08 19:26 2145280 -c----w- d:\windows\system32\dllcache\ntkrnlmp.exe
    2010-03-22 05:00 . 2009-12-08 19:27 2189184 -c----w- d:\windows\system32\dllcache\ntoskrnl.exe
    2010-03-22 05:00 . 2009-12-08 18:43 2023936 -c----w- d:\windows\system32\dllcache\ntkrpamp.exe
    2010-03-22 05:00 . 2010-03-22 05:12 -------- d-----w- d:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-03-22 04:58 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
    2010-03-22 04:56 . 2010-03-31 09:01 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Temp
    2010-03-22 04:56 . 2010-03-22 04:58 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Google
    2010-03-22 04:56 . 2010-03-22 04:56 -------- d-s---w- d:\documents and settings\Chelsea\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-24 16:05 . 2010-03-04 03:54 224808 ----a-w- d:\windows\system32\drivers\cmdGuard.sys
    2010-03-22 05:45 . 2010-01-15 02:18 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-03-04 03:54 . 2010-03-04 03:54 276648 ----a-w- d:\windows\system32\guard32.dll
    2010-03-04 03:54 . 2010-03-04 03:54 86720 ----a-w- d:\windows\system32\drivers\inspect.sys
    2010-03-04 03:54 . 2010-03-04 03:54 25160 ----a-w- d:\windows\system32\drivers\cmdhlp.sys
    2010-03-04 03:54 . 2010-03-04 03:54 15376 ----a-w- d:\windows\system32\drivers\cmderd.sys
    2010-02-25 06:24 . 2008-04-14 04:42 916480 ----a-w- d:\windows\system32\wininet.dll
    2010-01-15 02:15 . 2010-01-15 02:15 21640 ----a-w- d:\windows\system32\emptyregdb.dat
    2009-03-21 14:06 . 2008-04-14 04:41 169532 --sha-r- d:\windows\system32\vmokdmw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "d:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2010-03-17 22:45 2355224 ----a-w- d:\program files\Vuze_Remote\tbVuze.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "d:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "d:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-22 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="d:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-24 1994640]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=d:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Vuze\\Azureus.exe"=
    "d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "d:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "d:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9438:TCP"= 9438:TCP:pxeoohiu

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdGuard.sys [3/3/2010 8:54 PM 224808]
    R1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [3/3/2010 8:54 PM 25160]
    R2 CLPSLS;COMODO livePCsupport Service;d:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/12/2010 8:23 PM 148744]
    R2 DirMngr;DirMngr;d:\program files\GNU\GnuPG\dirmngr.exe [9/28/2009 9:15 AM 242176]
    S2 dtirqojx;Windows Boot;d:\windows\system32\svchost.exe -k netsvcs [4/13/2008 9:42 PM 14336]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    dtirqojx
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-04 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1292428093-1644491937-1003Core.job
    - d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 04:56]

    2010-04-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1292428093-1644491937-1003UA.job
    - d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {5112A0E3-4E12-49EB-A5DC-EC8070730C53} = 156.154.70.22,156.154.71.22
    FF - ProfilePath - d:\documents and settings\Chelsea\Application Data\Mozilla\Firefox\Profiles\8dgvt1hw.default\
    FF - plugin: d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-HijackThis - d:\documents and settings\Chelsea\Desktop\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-04 18:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dtirqojx]
    "ServiceDll"="d:\windows\system32\vmokdmw.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3576)
    d:\windows\system32\WININET.dll
    d:\windows\system32\ieframe.dll
    d:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-04 18:44:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-05 01:44

    Pre-Run: 127,520,976,896 bytes free
    Post-Run: 130,109,067,264 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 5EBC5F69581DB9CA347D89EB8208C400


    Thank you!
     
  7. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:




    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".



    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run type Notepad click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    http://forums.techguy.org/7312448-post6.html
    
    Collect::
    d:\windows\system32\vmokdmw.dll
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9438:TCP"=-
    [-HKLM\SYSTEM\CurrentControlSet\Services\dtirqojx]
    
    Driver::
    dtirqojx
    
    NetSvc::
    dtirqojx


    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop, Save this as "CFScript"


    Here's how to do that:

    1.Click File;
    2.Click Save As... Change the directory to your desktop;
    3.Change the Save as type to "All Files";
    4.Type in the file name: CFScript
    5.Click Save ...

    [screenshot of the Save As dialog]



    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.



    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
     
  8. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    ComboFix 10-04-04.01 - Chelsea 04/05/2010 8:06.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.14 [GMT -7:00]
    Running from: d:\documents and settings\Chelsea\Desktop\ComboFix.exe
    Command switches used :: d:\documents and settings\Chelsea\Desktop\CFScript.txt
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    file zipped: d:\windows\system32\vmokdmw.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\windows\system32\vmokdmw.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DTIRQOJX
    -------\Service_dtirqojx


    ((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
    .

    2010-04-05 05:27 . 2010-04-05 05:28 -------- d-----w- d:\documents and settings\Chelsea\Application Data\dvdcss
    2010-04-05 05:27 . 2010-04-05 05:56 -------- d-----w- d:\documents and settings\Chelsea\Application Data\vlc
    2010-04-04 05:13 . 2010-04-04 05:13 -------- d-----w- d:\program files\VideoLAN
    2010-04-02 19:09 . 2007-08-02 17:58 390480 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsUSMgr.dll
    2010-04-02 19:09 . 2007-08-02 17:58 165200 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsUSBVer.dll
    2010-04-02 19:09 . 2007-08-02 17:58 644432 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsUSBUpd.exe
    2010-04-02 19:09 . 2007-08-02 17:58 337232 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\VsInstru.dll
    2010-04-02 19:09 . 2007-10-24 17:10 2600960 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\u3dapi10.dll
    2010-04-02 19:09 . 2007-11-14 19:51 717088 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\mvsusbui.dll
    2010-04-02 19:09 . 2007-11-14 19:33 529696 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\McVsUSB.exe
    2010-04-02 19:09 . 2007-08-21 19:19 122224 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\mcutil.dll
    2010-04-02 19:09 . 2007-07-13 14:14 288592 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\00001519C660055B\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\McAltLib.dll
    2010-04-01 05:22 . 2010-04-01 05:22 -------- d-----w- d:\program files\gBurner
    2010-03-31 00:08 . 2010-03-31 00:16 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Adobe
    2010-03-31 00:04 . 2010-03-31 00:06 -------- d-----w- d:\program files\Common Files\Adobe
    2010-03-30 23:39 . 2009-11-05 15:39 87552 ----a-w- d:\windows\system32\cpwmon2k.dll
    2010-03-29 21:33 . 2010-03-29 21:33 -------- d-----w- d:\program files\GPLGS
    2010-03-29 21:31 . 2010-03-29 21:31 -------- d-----w- d:\program files\Acro Software
    2010-03-29 19:40 . 2010-03-29 19:40 -------- d-sh--w- d:\documents and settings\Chelsea\IECompatCache
    2010-03-29 19:40 . 2010-03-29 19:40 -------- d-sh--w- d:\documents and settings\Chelsea\PrivacIE
    2010-03-29 19:36 . 2010-03-29 19:36 2095 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\login.live.com
    2010-03-29 19:36 . 2010-03-29 19:36 1089 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
    2010-03-26 04:07 . 2010-03-26 04:07 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee
    2010-03-25 03:51 . 2010-03-25 03:51 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\GNU
    2010-03-25 03:51 . 2010-03-25 03:51 -------- d-----w- d:\documents and settings\Chelsea\.kde
    2010-03-25 03:48 . 2010-03-25 03:48 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\GNU
    2010-03-25 03:48 . 2010-03-25 03:48 -------- d-----w- d:\documents and settings\LocalService\Application Data\gnupg
    2010-03-25 03:48 . 2010-03-25 03:52 -------- d-----w- d:\documents and settings\Chelsea\Application Data\gnupg
    2010-03-25 03:48 . 2010-03-25 03:48 -------- d-----w- d:\documents and settings\All Users\Application Data\GNU
    2010-03-25 03:47 . 2010-03-25 03:47 -------- d-----w- d:\program files\GNU
    2010-03-24 16:37 . 2007-10-23 16:27 110592 ----a-w- d:\documents and settings\Chelsea\Application Data\U3\temp\cleanup.exe
    2010-03-24 16:37 . 2010-03-24 16:37 -------- d-----w- d:\program files\WinASO
    2010-03-24 16:18 . 2008-05-02 17:41 3493888 ---ha-w- d:\documents and settings\Chelsea\Application Data\U3\temp\Launchpad Removal.exe
    2010-03-24 16:18 . 2008-04-14 12:41 21504 -c--a-w- d:\windows\system32\dllcache\hidserv.dll
    2010-03-24 16:18 . 2008-04-14 12:41 21504 ----a-w- d:\windows\system32\hidserv.dll
    2010-03-24 16:17 . 2008-04-14 07:15 10368 -c--a-w- d:\windows\system32\dllcache\hidusb.sys
    2010-03-24 16:17 . 2008-04-14 07:15 10368 ----a-w- d:\windows\system32\drivers\hidusb.sys
    2010-03-24 16:17 . 2008-04-14 07:15 32128 -c--a-w- d:\windows\system32\dllcache\usbccgp.sys
    2010-03-24 16:17 . 2008-04-14 07:15 32128 ----a-w- d:\windows\system32\drivers\usbccgp.sys
    2010-03-24 16:17 . 2010-04-02 19:09 -------- d-----w- d:\documents and settings\Chelsea\Application Data\U3
    2010-03-24 16:17 . 2010-03-24 16:17 -------- d-----w- D:\VritualRoot
    2010-03-23 01:27 . 2010-03-23 01:27 0 ----a-w- d:\windows\nsreg.dat
    2010-03-23 01:27 . 2010-03-23 01:27 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Mozilla
    2010-03-23 00:45 . 2010-03-23 00:45 48 ---ha-w- d:\windows\system32\ezsidmv.dat
    2010-03-23 00:45 . 2010-03-29 19:34 -------- d-----w- d:\documents and settings\Chelsea\Application Data\skypePM
    2010-03-22 16:50 . 2010-03-22 16:50 1632 ----a-w- d:\windows\system32\d3d8caps.dat
    2010-03-22 15:11 . 2008-04-14 07:15 26368 -c--a-w- d:\windows\system32\dllcache\usbstor.sys
    2010-03-22 07:34 . 2010-03-26 04:52 -------- d-----w- d:\documents and settings\Chelsea\Application Data\foobar2000
    2010-03-22 07:34 . 2010-03-22 07:34 -------- d-----w- d:\program files\foobar2000
    2010-03-22 07:10 . 2010-03-22 07:10 -------- d-----w- d:\documents and settings\All Users\Application Data\Azureus
    2010-03-22 07:10 . 2010-03-23 05:06 -------- d-----w- d:\documents and settings\Chelsea\Application Data\Azureus
    2010-03-22 07:06 . 2010-03-22 07:09 -------- d-----w- d:\program files\Vuze
    2010-03-22 07:06 . 2010-03-22 07:06 -------- d-----w- d:\program files\Common Files\i4j_jres
    2010-03-22 07:05 . 2010-03-22 07:05 -------- d-----w- d:\program files\Conduit
    2010-03-22 07:05 . 2010-03-22 07:05 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Conduit
    2010-03-22 07:05 . 2010-03-29 19:40 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Vuze_Remote
    2010-03-22 07:05 . 2010-03-22 07:06 -------- d-----w- d:\program files\Vuze_Remote
    2010-03-22 07:05 . 2010-03-22 07:05 -------- d-----w- d:\documents and settings\Chelsea\Application Data\AVG8
    2010-03-22 06:49 . 2010-03-22 06:49 2165 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
    2010-03-22 06:49 . 2010-03-22 06:49 2157 ----a-w- d:\documents and settings\Chelsea\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
    2010-03-22 06:48 . 2010-03-29 19:36 -------- d-----w- d:\documents and settings\Chelsea\Application Data\.purple
    2010-03-22 06:48 . 2010-03-22 06:48 -------- d-----w- D:\Sandbox
    2010-03-22 06:43 . 2010-03-22 06:44 -------- d-----w- d:\program files\Pidgin
    2010-03-22 06:43 . 2010-03-22 06:43 -------- d-----w- d:\program files\Common Files\GTK
    2010-03-22 05:48 . 2010-03-22 05:48 12328 ----a-w- d:\documents and settings\Chelsea\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-22 05:47 . 2010-03-22 05:47 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
    2010-03-22 05:47 . 2010-03-22 05:47 -------- d-sh--w- d:\documents and settings\Chelsea\IETldCache
    2010-03-22 05:47 . 2010-03-22 05:47 -------- d-----w- d:\documents and settings\All Users\Application Data\COMODO
    2010-03-22 05:29 . 2009-12-11 08:38 69120 -c----w- d:\windows\system32\dllcache\iecompat.dll
    2010-03-22 05:29 . 2010-03-31 10:04 -------- d-----w- d:\windows\ie8updates
    2010-03-22 05:29 . 2010-02-25 06:24 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
    2010-03-22 05:29 . 2010-02-25 18:54 11070976 -c----w- d:\windows\system32\dllcache\ieframe.dll
    2010-03-22 05:29 . 2010-02-25 06:24 594432 -c----w- d:\windows\system32\dllcache\msfeeds.dll
    2010-03-22 05:29 . 2010-02-25 06:24 55296 -c----w- d:\windows\system32\dllcache\msfeedsbs.dll
    2010-03-22 05:29 . 2010-02-25 06:24 247808 -c----w- d:\windows\system32\dllcache\ieproxy.dll
    2010-03-22 05:29 . 2010-02-25 06:24 1985536 -c----w- d:\windows\system32\dllcache\iertutil.dll
    2010-03-22 05:27 . 2010-03-22 05:28 -------- dc-h--w- d:\windows\ie8
    2010-03-22 05:16 . 2010-03-29 21:31 -------- d-----w- d:\documents and settings\Chelsea\Application Data\Skype
    2010-03-22 05:16 . 2010-03-22 05:16 -------- d-----w- d:\program files\Common Files\Skype
    2010-03-22 05:16 . 2010-03-22 05:16 -------- d-----r- d:\program files\Skype
    2010-03-22 05:16 . 2010-03-22 05:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Skype
    2010-03-22 05:03 . 2009-12-04 18:22 455424 -c----w- d:\windows\system32\dllcache\mrxsmb.sys
    2010-03-22 05:03 . 2010-03-22 05:03 -------- d-----w- d:\documents and settings\Chelsea\Application Data\Comodo
    2010-03-22 05:02 . 2009-10-15 03:08 32000 ----a-w- d:\windows\system32\drivers\tap0901.sys
    2010-03-22 05:02 . 2010-03-22 05:12 -------- d-----w- d:\program files\Comodo
    2010-03-22 05:02 . 2008-06-13 11:05 272128 -c----w- d:\windows\system32\dllcache\bthport.sys
    2010-03-22 05:02 . 2008-06-13 11:05 272128 ------w- d:\windows\system32\drivers\bthport.sys
    2010-03-22 05:01 . 2010-03-22 05:01 1510584 ----a-w- d:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe
    2010-03-22 05:01 . 2010-03-22 05:01 5542592 ----a-w- d:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe
    2010-03-22 05:00 . 2009-12-08 19:26 2145280 -c----w- d:\windows\system32\dllcache\ntkrnlmp.exe
    2010-03-22 05:00 . 2009-12-08 19:27 2189184 -c----w- d:\windows\system32\dllcache\ntoskrnl.exe
    2010-03-22 05:00 . 2009-12-08 18:43 2023936 -c----w- d:\windows\system32\dllcache\ntkrpamp.exe
    2010-03-22 05:00 . 2010-03-22 05:12 -------- d-----w- d:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-03-22 04:58 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
    2010-03-22 04:56 . 2010-03-31 09:01 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Temp
    2010-03-22 04:56 . 2010-03-22 04:58 -------- d-----w- d:\documents and settings\Chelsea\Local Settings\Application Data\Google
    2010-03-22 04:56 . 2010-03-22 04:56 -------- d-s---w- d:\documents and settings\Chelsea\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-24 16:05 . 2010-03-04 03:54 224808 ----a-w- d:\windows\system32\drivers\cmdGuard.sys
    2010-03-22 05:45 . 2010-01-15 02:18 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-03-04 03:54 . 2010-03-04 03:54 276648 ----a-w- d:\windows\system32\guard32.dll
    2010-03-04 03:54 . 2010-03-04 03:54 86720 ----a-w- d:\windows\system32\drivers\inspect.sys
    2010-03-04 03:54 . 2010-03-04 03:54 25160 ----a-w- d:\windows\system32\drivers\cmdhlp.sys
    2010-03-04 03:54 . 2010-03-04 03:54 15376 ----a-w- d:\windows\system32\drivers\cmderd.sys
    2010-02-25 06:24 . 2008-04-14 04:42 916480 ------w- d:\windows\system32\wininet.dll
    2010-01-15 02:15 . 2010-01-15 02:15 21640 ----a-w- d:\windows\system32\emptyregdb.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "d:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2010-03-17 22:45 2355224 ----a-w- d:\program files\Vuze_Remote\tbVuze.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "d:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "d:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-22 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="d:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-24 1994640]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=d:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Vuze\\Azureus.exe"=
    "d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "d:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "d:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9438:TCP"= 9438:TCP:pxeoohiu

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdGuard.sys [3/3/2010 8:54 PM 224808]
    R1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [3/3/2010 8:54 PM 25160]
    R2 CLPSLS;COMODO livePCsupport Service;d:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/12/2010 8:23 PM 148744]
    R2 DirMngr;DirMngr;d:\program files\GNU\GnuPG\dirmngr.exe [9/28/2009 9:15 AM 242176]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1292428093-1644491937-1003Core.job
    - d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 04:56]

    2010-04-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1292428093-1644491937-1003UA.job
    - d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {5112A0E3-4E12-49EB-A5DC-EC8070730C53} = 156.154.70.22,156.154.71.22
    FF - ProfilePath - d:\documents and settings\Chelsea\Application Data\Mozilla\Firefox\Profiles\8dgvt1hw.default\
    FF - plugin: d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-05 08:13
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3448)
    d:\windows\system32\WININET.dll
    d:\windows\system32\ieframe.dll
    d:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    d:\windows\system32\wscntfy.exe
    d:\documents and settings\Chelsea\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-05 08:16:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-05 15:16
    ComboFix2.txt 2010-04-05 01:44

    Pre-Run: 130,100,465,664 bytes free
    Post-Run: 130,032,947,200 bytes free

    - - End Of File - - 0DA3D7297BE77B1EDC02BF0FB220EFC9
     
  9. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:


    Please open this link HERE in a new window.

    In the box marked Link to topic where this file was requested: please paste in the following text

    Code:
    http://forums.techguy.org/malware-removal-hijackthis-logs/914429-antivirus-applications-unworkable-even-their.html
    
    Click the Browse button and navigate to C:\Qoobox\Quarantine

    There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denotes Date and Time stamp - yours will be close to this 04/05/2010 8:06)
    Select this file and click Open
    In the Largest box please put

    Code:
    File Requested By CatByte
    Failed Collect::
    
    Finally click SendFile

    Please return here and let me know when that file has been uploaded.


    NEXT

    highlight and copy the contents of the code box below.

    Code:
    @echo off
    echo please wait
    rem Remove the rogue firewall exception for TCP port 9438 that ComboFix listed.
    rem HKLM\~ in the ComboFix log stands for HKLM\SYSTEM\CurrentControlSet.
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 9438:TCP /f
    exit


    Click Start>Run and type cmd then hit Enter to open a command window.
    Right click in the command window and select paste.
    Wait for the command window to close, then restart the machine.


    NEXT

    Please download Malwarebytes' Anti-Malware


    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.


    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




    NEXT


    Run an on-line scan with Kaspersky

    Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.
    2. To optimize scanning time and produce a more sensible report for review:


    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan

    3. Click Run at the Security prompt.
    The program will then begin downloading and installing and will also update the database.
    Please be patient as this can take several minutes.

    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    • Click View scan report at the bottom
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



    In your next reply please include


    • MBAM Log
    • Kaspersky report
     
  10. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Hi CatByte,

    Please note that I have just submitted the file as requested.

    Thank you,

    Sea_Sprite
     
  11. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Thank you

    (the Kaspersky scan may take a few hours)

    after the scans, don't forget to tell me how the computer is running and if there are any outstanding issues
     
  12. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Hi CatByte,

    Kaspersky found a worm called Net-Worm.Win32.Kido.ir

    Here is the scan log.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, April 7, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, April 06, 2010 08:52:57
    Records in database: 3914280
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 64825
    Threats found: 2
    Infected objects found: 3
    Suspicious objects found: 0
    Scan duration: 09:54:12


    File name / Threat / Threats count
    D:\Qoobox\Quarantine\F\autorun.inf.vir Infected: Net-Worm.Win32.Kido.ir 1
    D:\Qoobox\Quarantine\[4]-Submit_2010-04-05_08.06.01.zip Infected: Net-Worm.Win32.Kido.ih 1
    F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Infected: Net-Worm.Win32.Kido.ih 1

    Selected area has been scanned.


    Thank you,

    Chelsea
     
  13. sea_sprite

    sea_sprite Thread Starter

    Joined:
    Apr 3, 2010
    Messages:
    11
    Hi CatByte,

    Please note that drive F: refers to my external USB drive... is there a way to clean that without losing data?

    Thanks,
    Chelsea
     
  14. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,
    The infected file is in the recycle bin on your F drive, so it is already deleted:

    Use TFC, to empty it:

    make sure the drive is connected then run it:



    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.


    Did you run the Malwarebytes program? If so, please post the log
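    The question in this exchange is whether the external drive can be cleaned without losing data. The following Python check is an added example, not part of the thread or of any tool mentioned in it: it inspects a drive root for the two artefacts named in the Kaspersky report (an autorun.inf launcher and a RECYCLER subfolder named after a SID that cannot be genuine, since real user SIDs start with S-1-5-21 and have four further numbers), and hashes what it finds for submission instead of deleting anything. The sample drive tree and file contents are constructed in a temporary directory.

```python
"""Check a drive root for the Conficker/Kido USB artefacts seen in this thread.

Added example, not part of the forum thread or of any tool mentioned in it.
It reports and hashes suspect files instead of deleting them, so user data on
the drive is left alone; the sample drive tree below is constructed in a
temporary directory.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Recycle-bin subfolders are named after the owning user's SID, which for a
# local or domain account always has the form S-1-5-21-<sub>-<sub>-<sub>-<RID>
# with every component below 2**32. The folder named in the Kaspersky report
# (S-5-3-42-2819952290-8240758988-879315005-3665) fails both checks.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")

# autorun.inf keys that launch a program when the drive is mounted.
AUTORUN_LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def is_plausible_user_sid(name: str) -> bool:
    """True if the folder name could be a genuine user SID."""
    if not SID_RE.match(name):
        return False
    return all(int(part) < 2**32 for part in name.split("-")[4:])


def autorun_targets(autorun_inf: Path) -> list[str]:
    """Return the commands an autorun.inf would run (junk lines are ignored)."""
    text = autorun_inf.read_text(encoding="latin-1")
    return [m.group(2) for line in text.splitlines() if (m := AUTORUN_LAUNCH_KEY.match(line))]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_drive_root(root: Path) -> dict:
    """Inspect a mounted drive root; nothing on the drive is modified."""
    report = {"autorun_targets": [], "bogus_sid_dirs": [], "suspect_files": []}
    autorun_inf = root / "autorun.inf"
    if autorun_inf.is_file():
        report["autorun_targets"] = autorun_targets(autorun_inf)
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sub in sorted(recycler.iterdir()):
            if sub.is_dir() and not is_plausible_user_sid(sub.name):
                report["bogus_sid_dirs"].append(sub.name)
                for f in sorted(p for p in sub.rglob("*") if p.is_file()):
                    report["suspect_files"].append(
                        {"path": f.relative_to(root).as_posix(), "sha256": sha256_of(f)}
                    )
    return report


def scan_constructed_sample() -> dict:
    """Build a throwaway copy of the F: layout from the report and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "RECYCLER" / "S-5-3-42-2819952290-8240758988-879315005-3665"
        bad.mkdir(parents=True)
        (bad / "jwgkvsq.vmx").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder bytes, not a payload
        good = root / "RECYCLER" / "S-1-5-21-1202660629-1292428093-1644491937-1003"
        good.mkdir(parents=True)
        (good / "Dc1.txt").write_text("deleted user document, leave it alone")
        (root / "autorun.inf").write_text(
            "[autorun]\r\n;junk line the parser must skip\r\n"
            "ShellExecute=RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx\r\n"
        )
        (root / "holiday_photos.txt").write_text("user data that must survive cleaning")
        return scan_drive_root(root)


if __name__ == "__main__":
    for key, value in scan_constructed_sample().items():
        print(f"{key}: {value}")
```

    Run against a real drive with `scan_drive_root(Path("F:/"))`; only the files listed under suspect_files need quarantining, and the hashes can go with the submission.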
     
Short URL to this thread: https://techguy.org/914429

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice