
.exe files with the same name created and some other problems

Discussion in 'Virus & Other Malware Removal' started by irolfi, Jun 5, 2010.

  1. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    Hi,
    I stuck my USB flash drive in an infected PC, then in my PC in order to scan it. I run McAfee VirusScan Enterprise 8.5. When I stuck the USB in my PC, McAfee blocked some trojans from executing. Then the files in the USB became hidden. I managed to unhide them with a DOS command. I made a full scan with McAfee and Malwarebytes including the USB drive, but it found only 1 or 2 infections. In my USB there are a lot of .exe files created with the names of my current files that McAfee doesn't recognize as viruses. If I leave the USB plugged in, the on-access scan feature of McAfee continues to block trojans endlessly that come from the Local Settings/Temp folder. Also the access protection log file of McAfee continuously shows "Common Standard Protection: prevent common programs from running files from the Temp folder" and "Anti-virus Standard Protection: prevent mass mailing worms from sending mail". Now what should I do? I have to clean my PC and my USB at the same time, because they can infect one another. Please help me. Thank you.
     
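The symptom described in post #1 (the drive's original files and folders made hidden while new .exe files appear carrying their names) is the classic USB-worm pattern. The following is an added example, not a tool from this thread or from McAfee: a small Python detector that flags visible .exe files whose base name matches a hidden sibling, run here over a constructed directory listing; on Windows it reads the hidden attribute from st_file_attributes, and elsewhere it treats dotfiles as hidden (both assumptions of this example).

```python
"""Detect the 'hidden original + same-name .exe' pattern on a removable drive.

Added example for the symptom in post #1; not code from the thread or its tools.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Entry:
    name: str        # file or folder name within one directory
    is_dir: bool
    is_hidden: bool  # Windows 'hidden' attribute (what attrib +h sets)


@dataclass(frozen=True)
class Suspect:
    directory: str
    exe_name: str    # the visible .exe that mimics an original
    shadowed: str    # the hidden original whose name it reuses


def find_name_clones(directory: str, entries: Iterable[Entry]) -> List[Suspect]:
    """Flag visible .exe files whose base name equals the name (or stem) of a
    hidden sibling: hidden folder 'Photos' + visible 'Photos.exe', or hidden
    'report.docx' + visible 'report.docx.exe' / 'report.exe'."""
    entries = list(entries)
    hidden_by_name = {e.name.lower(): e for e in entries if e.is_hidden}
    hidden_by_stem = {os.path.splitext(e.name)[0].lower(): e
                      for e in entries if e.is_hidden}
    suspects: List[Suspect] = []
    for e in entries:
        if e.is_dir or e.is_hidden:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() != ".exe":
            continue
        key = base.lower()
        original = hidden_by_name.get(key) or hidden_by_stem.get(key)
        if original is not None:
            suspects.append(Suspect(directory, e.name, original.name))
    return suspects


def _is_hidden(entry: os.DirEntry) -> bool:
    """Windows exposes the hidden attribute via st_file_attributes; on other
    platforms fall back to the dotfile convention (assumption of this example)."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")


def scan_drive(root: str) -> List[Suspect]:
    """Walk a real drive (e.g. r'E:\\') and collect suspects in every directory."""
    found: List[Suspect] = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        with os.scandir(dirpath) as it:
            listing = [Entry(d.name, d.is_dir(follow_symlinks=False), _is_hidden(d))
                       for d in it]
        found.extend(find_name_clones(dirpath, listing))
    return found


# Constructed listing of one directory, modelled on the symptom in post #1.
SAMPLE_LISTING = [
    Entry("Photos", is_dir=True, is_hidden=True),
    Entry("Photos.exe", is_dir=False, is_hidden=False),
    Entry("report.docx", is_dir=False, is_hidden=True),
    Entry("report.docx.exe", is_dir=False, is_hidden=False),
    Entry("setup.exe", is_dir=False, is_hidden=False),   # legitimate: no hidden twin
    Entry("notes.txt", is_dir=False, is_hidden=False),
]


def demo() -> List[Suspect]:
    """Run the detector over the constructed listing (drive letter is made up)."""
    return find_name_clones("E:\\", SAMPLE_LISTING)


if __name__ == "__main__":
    for s in demo():
        print(f"{s.directory}{s.exe_name} mimics hidden original {s.shadowed!r}")
```

On a real drive, `scan_drive(r"E:\")` walks the whole volume; after the clones are removed, the originals can be unhidden with `attrib -h -s /s /d`, which is the kind of DOS command post #1 refers to.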
  2. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    I scanned my PC with sar_15_sfx.exe, a rootkit remover. It found 5 infections in Temp. I deleted them. Now when I stick my USB in, McAfee doesn't block any trojans any more. I don't know if I am safe now. This is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:39:05.MD, on 05/06/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\dyvuhodoom.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [fity] C:\WINDOWS\system32\dyvuhodoom.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
    O23 - Service: Asset Management Daemon (yyxe1jiiaiwua) - Four-F - C:\WINDOWS\system32\wapyl.exe

    --
    End of file - 7739 bytes
     
  3. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  4. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    Well, after I scanned my PC with Sophos Anti-Rootkit, I decided to delete: O4 - HKLM\..\Run: [fity] C:\WINDOWS\system32\dyvuhodoom.exe; O23 - Service: Asset Management Daemon (yyxe1jiiaiwua) - Four-F - C:\WINDOWS\system32\wapyl.exe
    I am sure about the first, not so sure about the second. I also deleted two files in C:\Documents and Settings\LocalService\Application Data\Microsoft: wapyl; dyvuhodoom. Then I deleted the service responsible for wapyl. I formatted the USB. It seems OK now. Should I do anything else, any measure? Thanks
     
  5. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    Oops, we were writing at the same time. Thank you very much for your help. Should I continue with your steps?
     
  6. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
  7. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    anyway here is the combofix log:

    ComboFix 10-06-05.01 - Flori 06/06/2010 1:04.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2465 [GMT 2:00]
    Running from: c:\documents and settings\Flori\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Flori\SDM-2.3.2-2801-c2801-advsecurityk9-mz.124-6.T.BIN

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
    .

    2010-06-05 21:57 . 2010-06-05 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-05 21:56 . 2006-11-30 06:50 72264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-06-05 21:56 . 2006-11-30 06:50 64360 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-06-05 21:56 . 2006-11-30 06:50 52136 ----a-w- c:\windows\system32\drivers\mfetdik.sys
    2010-06-05 21:56 . 2006-11-30 06:50 34152 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-06-05 21:56 . 2006-11-30 06:50 168776 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-06-05 21:56 . 2010-06-05 21:57 -------- d-----w- c:\program files\McAfee
    2010-06-05 21:56 . 2010-06-05 21:56 -------- d-----w- c:\program files\Common Files\McAfee
    2010-06-05 12:28 . 2010-06-05 16:30 -------- d-----w- c:\program files\Sophos
    2010-06-05 11:39 . 2010-06-05 11:39 -------- d-----w- c:\program files\Trend Micro
    2010-06-04 21:55 . 2010-06-04 22:17 -------- d-----w- c:\windows\BDOSCAN8
    2010-06-04 20:09 . 2010-06-04 20:09 347136 ----a-w- c:\windows\system32\dyvuhodoom.exe
    2010-06-04 19:37 . 2010-06-05 22:26 -------- d-----w- C:\QUARANTINE
    2010-05-18 22:10 . 2010-05-18 22:10 -------- d-----w- c:\documents and settings\Flori\Local Settings\Application Data\WMTools Downloaded Files
    2010-05-18 20:09 . 2004-08-03 21:10 51328 -c--a-w- c:\windows\system32\dllcache\msdv.sys
    2010-05-18 20:09 . 2004-08-03 21:10 51328 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-05-18 20:09 . 2004-08-03 21:10 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
    2010-05-18 20:09 . 2004-08-03 21:10 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-05-18 20:08 . 2004-08-03 21:10 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
    2010-05-18 20:08 . 2004-08-03 21:10 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-05-14 09:39 . 2010-05-14 09:41 1323 ----a-w- c:\windows\checkip.dat
    2010-05-12 12:58 . 2000-08-05 23:50 36939 ----a-w- c:\windows\system32\insrepim.exe
    2010-05-12 12:57 . 2000-07-07 10:20 81920 ----a-w- c:\windows\system32\mdt2fw95.dll
    2010-05-12 12:56 . 2002-12-17 15:23 29244 ----a-w- c:\windows\system32\dbmslpcn.dll
    2010-05-12 12:14 . 2002-12-17 14:23 33340 ------w- c:\windows\system32\dbmsqlgc.dll
    2010-05-12 12:14 . 2002-10-20 12:05 24576 ------w- c:\windows\system32\dbmsgnet.dll
    2010-05-12 12:11 . 2002-12-17 15:24 188988 ----a-w- c:\windows\system32\msrpjt40.dll
    2010-05-12 12:10 . 2000-08-05 23:51 274489 ----a-w- c:\windows\system32\ntwdblib.dll
    2010-05-12 12:10 . 1997-07-19 15:01 376592 ----a-w- c:\windows\system32\msrdo20.dll
    2010-05-12 12:10 . 1997-01-13 08:49 97552 ----a-w- c:\windows\system32\rdocurs.dll
    2010-05-12 12:10 . 2000-08-05 23:51 32830 ----a-w- c:\windows\system32\dbmsshrn.dll
    2010-05-12 12:09 . 2010-05-12 12:55 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-05-12 12:04 . 2010-05-12 19:13 -------- d-----w- C:\0FINWSQL
    2010-05-12 11:38 . 2010-05-12 11:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-05-12 09:42 . 2009-12-07 15:41 20480 ----a-w- c:\windows\system32\zdnPMntS.dll
    2010-05-12 09:42 . 2009-12-07 15:41 19456 ----a-w- c:\windows\system32\zdnPMntU.dll
    2010-05-12 09:31 . 2010-05-12 09:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{50D3FBE1-AD16-4F59-9326-86404D6B1B1F}
    2010-05-12 09:31 . 2010-01-27 16:01 2682646 -c--a-w- c:\documents and settings\All Users\Application Data\{50D3FBE1-AD16-4F59-9326-86404D6B1B1F}\TreeFrog.exe
    2010-05-12 09:23 . 2010-05-12 09:23 -------- d-----w- c:\program files\Common Files\EuroPlus Shared
    2010-05-12 09:23 . 2010-05-12 09:23 -------- d-----w- c:\program files\ZebraDesigner Font Downloader
    2010-05-12 09:23 . 2010-05-12 09:23 -------- d-----w- c:\program files\ZebraDesigner Pro
    2010-05-12 09:23 . 2010-05-12 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Zebra
    2010-05-12 09:22 . 2010-05-12 09:31 -------- d-----w- c:\program files\Zebra Technologies
    2010-05-12 09:15 . 2009-10-16 15:12 150528 ----a-w- c:\windows\system32\zdnNLMNT.dll
    2010-05-08 17:35 . 2004-08-04 01:07 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-05-07 15:06 . 2010-05-07 15:06 -------- d-----w- c:\documents and settings\Flori\Local Settings\Application Data\Help
    2010-05-07 15:02 . 1998-04-23 19:00 368912 ----a-w- c:\windows\system32\vbar332.dll
    2010-05-07 14:59 . 2010-05-07 15:00 970000 ----a-w- c:\documents and settings\Flori\Application Data\IDM\DwnlData\Flori\bic_setup_75\bic_setup.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-05 21:52 . 2010-03-31 13:50 28672 ----a-w- c:\documents and settings\Flori\Application Data\IDM\NP_IDM5.dll
    2010-06-05 21:52 . 2010-03-31 13:42 -------- d-----w- c:\documents and settings\Flori\Application Data\IDM
    2010-06-05 21:52 . 2010-03-31 13:50 28672 ----a-w- c:\documents and settings\Flori\Application Data\IDM\NP_IDM4.dll
    2010-06-05 21:52 . 2010-03-31 13:50 28672 ----a-w- c:\documents and settings\Flori\Application Data\IDM\NP_IDM3.dll
    2010-06-05 21:52 . 2010-03-31 13:50 28672 ----a-w- c:\documents and settings\Flori\Application Data\IDM\NP_IDM2.dll
    2010-06-05 21:52 . 2010-03-31 13:50 28672 ----a-w- c:\documents and settings\Flori\Application Data\IDM\NP_IDM1.dll
    2010-06-05 21:52 . 2010-03-31 13:42 -------- d-----w- c:\documents and settings\Flori\Application Data\DMCache
    2010-06-04 19:57 . 2010-03-30 21:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-26 11:25 . 2010-04-01 15:22 112 ----a-w- C:\RAPORT.DAT
    2010-05-20 20:58 . 2010-03-30 20:48 70608 ----a-w- c:\documents and settings\Flori\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-15 04:26 . 2010-03-30 21:29 -------- d-----w- c:\program files\Google
    2010-04-29 13:39 . 2010-03-30 21:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 13:39 . 2010-03-30 21:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 20:25 . 2010-03-30 18:50 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-04-01 20:51 . 2010-04-01 20:42 724992 ----a-w- c:\windows\iun6002.exe
    2010-03-31 19:37 . 2010-03-31 19:36 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2010-03-31 13:42 . 2010-03-31 13:42 198064 ----a-w- c:\documents and settings\Flori\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
    2010-03-31 12:33 . 2010-03-31 12:33 0 ----a-w- c:\windows\nsreg.dat
    2010-03-30 21:24 . 2010-03-30 21:24 503808 ----a-w- c:\documents and settings\Flori\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-25330d36-n\msvcp71.dll
    2010-03-30 21:24 . 2010-03-30 21:24 348160 ----a-w- c:\documents and settings\Flori\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-25330d36-n\msvcr71.dll
    2010-03-30 21:24 . 2010-03-30 21:24 499712 ----a-w- c:\documents and settings\Flori\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-25330d36-n\jmc.dll
    2010-03-30 21:24 . 2010-03-30 21:24 61440 ----a-w- c:\documents and settings\Flori\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6459d2c8-n\decora-sse.dll
    2010-03-30 21:24 . 2010-03-30 21:24 12800 ----a-w- c:\documents and settings\Flori\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6459d2c8-n\decora-d3d.dll
    2010-03-30 21:24 . 2010-03-30 21:24 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-30 20:48 . 2010-03-30 20:48 128 ----a-w- c:\documents and settings\Flori\Local Settings\Application Data\fusioncache.dat
    2010-03-30 20:41 . 2010-03-30 20:31 104257 ----a-w- c:\windows\hpoins04.dat
    2010-03-30 20:38 . 2010-03-30 20:38 45056 ----a-r- c:\documents and settings\Flori\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
    2010-03-30 20:09 . 2010-03-30 20:09 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-03-30 18:48 . 2010-03-30 18:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-03-29 07:59 . 2010-04-23 20:59 52224 ----a-w- c:\documents and settings\Flori\Application Data\Mozilla\Firefox\Profiles\rsdbw72j.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-03-29 07:59 . 2010-04-23 20:59 101376 ----a-w- c:\documents and settings\Flori\Application Data\Mozilla\Firefox\Profiles\rsdbw72j.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 29831168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13680640]
    "nwiz"="nwiz.exe" [2009-03-08 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 86016]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2010-5-12 74308]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
    backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2004-12-14 00:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-26 22:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 13:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 11:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 13:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc"=3 (0x3)
    "gupdate"=2 (0x2)
    "Adobe LM Service"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

    R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [30/03/2010 21:44 238080]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/03/2010 23:29 135664]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MCAFEEFRAMEWORK
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 21:29]

    2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 21:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Flori\Application Data\Mozilla\Firefox\Profiles\rsdbw72j.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\documents and settings\Flori\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
    FF - component: c:\documents and settings\Flori\Application Data\Mozilla\Firefox\Profiles\rsdbw72j.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Flori\Application Data\Mozilla\Firefox\Profiles\rsdbw72j.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Opera\program\plugins\NP_IDM1.dll
    FF - plugin: c:\program files\Opera\program\plugins\NP_IDM2.dll
    FF - plugin: c:\program files\Opera\program\plugins\NP_IDM3.dll
    FF - plugin: c:\program files\Opera\program\plugins\NP_IDM4.dll
    FF - plugin: c:\program files\Opera\program\plugins\NP_IDM5.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-06 01:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\B.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):6b,71,92,f9,64,4e,db,e8,92,9b,b5,ab,e2,40,6a,2b,a4,bd,5c,62,a4,
    c3,27,d3,52,6f,54,a4,1a,e7,61,7f,3f,5a,a8,8b,ac,ce,0d,5e,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e51a451f-4f8a-43e9-a6a2-9b23d6984959}]
    @Denied: (Full) (Everyone)
    "Model"=dword:0000009b
    "Therad"=dword:0000000a
    "MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
    1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
    .
    Completion time: 2010-06-06 01:07:16
    ComboFix-quarantined-files.txt 2010-06-05 23:07

    Pre-Run: 146,048,040,960 bytes free
    Post-Run: 146,101,964,800 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - A03D718AE996A6D4C48E63F7AB21AA58
     
  8. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    lol again at the same time
     
  9. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  10. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    these are the logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4172

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    06/06/2010 7:52:12
    mbam-log-2010-06-06 (07-52-12).txt

    Scan type: Quick scan
    Objects scanned: 124128
    Time elapsed: 4 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, June 6, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, June 06, 2010 04:00:01
    Records in database: 4204757
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 55754
    Threats found: 3
    Infected objects found: 4
    Suspicious objects found: 0
    Scan duration: 01:28:15


    File name / Threat / Threats count
    D:\My Documents\Setupe\VNC\Realvnc_Enterprise_Edition_v4[1].0__Serial\vnc-E4_0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    D:\My Documents\Setupe\VNC\UltraVNC-1.0\UltraVNC-1.0-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
    D:\My Documents\Setupe\VNC\VNC 3.3\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

    Selected area has been scanned.
     
  11. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Your logs are clean


    Follow these steps to uninstall Combofix and tools used in the removal of malware

    Uninstall ComboFix

    Remove Combofix now that we're done with it.
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


    • Download OTC to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



    • Please read my guide on how to prevent malware and about safe computing here
    Thank you for your patience, and performing all of the procedures requested.
     
  12. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    Thank you so much! Have a nice time.
     
  13. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
  14. irolfi

    irolfi Thread Starter

    Joined:
    Feb 15, 2008
    Messages:
    61
    Hi Rorschach112,

    After following the steps in your guide, I am getting the famous error "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience" too often when opening "My Computer" or any program, but not always, randomly. Do you have any idea?
     
  15. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    post a new HJT Log
     
Short URL to this thread: https://techguy.org/927271
