1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help, I'm scared :P

Discussion in 'Virus & Other Malware Removal' started by yuanD1, Dec 29, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    Hi,

    My free Avira antivirus just alerted me that i got 6 viruses, but when i attempted to open avira to see which ones i got, it freezes.

    I have disconnected that computer from the internet, and currently on my back-up.

    Oh, I've also turned it off, and shut down all power to the computer. I wonder if that helps.

    Please help!

    TIA

    Yuan.
     
  2. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    bump for help
     
  3. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    bump for help
     
  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Please run some diagnostic logs


    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

      [​IMG]
      Click the image to enlarge it
    • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
     
  5. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    DDS (Ver_10-12-12.02) - NTFSx86
    Run by jliang at 9:38:25.00 on Fri 12/31/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.408 [GMT -5:00]

    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
    C:\Program Files\Prio\prio_svc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Documents and Settings\jliang\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    AppInit_DLLs: prio.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jliang\applic~1\mozilla\firefox\profiles\ljwjeu4a.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - google.ca
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\documents and settings\jliang\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BlackFox V1-Blue: [email protected] - %profile%\extensions\[email protected]

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-27 11608]
    R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
    R1 prio;Prio;c:\windows\system32\drivers\prio.sys [2010-7-28 51408]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-27 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-27 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-27 61960]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-5-28 88176]
    R2 prio_svc;Prio Service;c:\program files\prio\prio_svc.exe [2010-7-28 5120]
    R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
    R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
    S2 Distributed;Distributed;c:\program files\common files\microsoft shared\msinfo\servernet.exe --> c:\program files\common files\microsoft shared\msinfo\ServerNet.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 135664]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-7-17 2944]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-7-17 60416]
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2008-7-17 11008]
    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2008-7-17 10368]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

    ============= FINISH: 9:39:51.17 ===============

    thanks for helping me

    See attachments for Gmer.txt and Attach.txt
     

    Attached Files:

  6. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    i realized i should have pasted the Gmer file content

    here it is





    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-31 11:07:41
    Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\0000006b ST3808110AS rev.3.AAH
    Running: fpmvs1cv.exe; Driver: C:\DOCUME~1\jliang\LOCALS~1\Temp\fftdapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7B36726 ZwCreateKey
    SSDT F7B3671C ZwCreateThread
    SSDT F7B3672B ZwDeleteKey
    SSDT F7B36735 ZwDeleteValueKey
    SSDT F7B3673A ZwLoadKey
    SSDT F7B36708 ZwOpenProcess
    SSDT F7B3670D ZwOpenThread
    SSDT F7B36744 ZwReplaceKey
    SSDT F7B3673F ZwRestoreKey
    SSDT F7B36730 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF685D380, 0x566445, 0xE8000020]
    ? C:\DOCUME~1\jliang\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3100] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip prio.sys (Prio Network Activity Driver/Xeno)
    AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp prio.sys (Prio Network Activity Driver/Xeno)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp prio.sys (Prio Network Activity Driver/Xeno)
    AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp prio.sys (Prio Network Activity Driver/Xeno)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  7. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    [​IMG]

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]

    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
     
  8. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    ComboFix 10-12-31.01 - jliang 12/31/2010 20:57:57.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.475 [GMT -5:00]
    Running from: c:\documents and settings\jliang\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\jliang\AUTORUN.INF
    c:\documents and settings\sbhattacharjee\ifmember.exe
    c:\windows\winhelp.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-01 to 2011-01-01 )))))))))))))))))))))))))))))))
    .

    2010-12-25 00:34 . 2010-12-25 00:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 13:44 . 2010-05-27 23:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-22 21:42 . 2010-05-27 23:03 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16859136]
    "QBCMAgent"="c:\program files\Intuit\QuickBooks Client Manager\QBCMAgent.exe" [2004-12-13 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

    c:\documents and settings\sbhattacharjee\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\documents and settings\asgnaqvi.DUA\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\documents and settings\Home\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    2006-03-21 17:19 69632 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-09-30 04:14 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009
    "57324:TCP"= 57324:TCP:pando Media Booster
    "57324:UDP"= 57324:UDP:pando Media Booster

    R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]
    R1 prio;Prio;c:\windows\system32\drivers\prio.sys [7/28/2010 10:36 AM 51408]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2010 6:03 PM 135336]
    R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 6:00 AM 3712]
    S2 Distributed;Distributed;c:\program files\Common Files\Microsoft Shared\MSINFO\ServerNet.exe --> c:\program files\Common Files\Microsoft Shared\MSINFO\ServerNet.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 1:26 PM 135664]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [5/28/2010 8:41 PM 88176]
    S2 prio_svc;Prio Service;c:\program files\Prio\prio_svc.exe [7/28/2010 10:36 AM 5120]
    S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/17/2008 3:27 PM 2944]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [7/17/2008 3:27 PM 60416]
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [7/17/2008 3:27 PM 11008]
    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [7/17/2008 3:27 PM 10368]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

    2011-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-23 18:26]

    2011-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-23 18:26]

    2010-12-28 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

    2010-12-18 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\jliang\Application Data\Mozilla\Firefox\Profiles\ljwjeu4a.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - google.ca
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BlackFox V1-Blue: [email protected] - %profile%\extensions\[email protected]
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-nwiz - nwiz.exe
    MSConfigStartUp-CanonMyPrinter - c:\program files\Canon\MyPrinter\BJMyPrt.exe
    MSConfigStartUp-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\CNSLMAIN.exe
    MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-31 21:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(708)
    c:\program files\Prio\prio.dll

    - - - - - - - > 'lsass.exe'(764)
    c:\program files\Prio\prio.dll
    .
    Completion time: 2010-12-31 21:06:58
    ComboFix-quarantined-files.txt 2011-01-01 02:06

    Pre-Run: 44,465,807,360 bytes free
    Post-Run: 46,549,368,832 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - B2B78340879A1F4387B0818F343FD5F5


    or see attachment for the file

    I found a weird file with no extension named "6650D960" in My Documents folder
    Should i delete it or let it be for now?
     

    Attached Files:

  9. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    What is the exact path to that file? How big is it and what was it's creation date?

    Upload it to Virus Total

    submit a file to virustotal for analysis
    • Use the browse button on that page to navigate to the location of the file to be scanned.
    • In the right hand panel,
    • click on the file %path%\6650D960
    • then click the open button.
    • The file will now be displayed in the submit box.
    • Scroll down a bit and click "send file", wait for the results
    • If you get a message saying File has already been analyzed: click Reanalyze file now
    • Once scanned, copy and paste the link to the results page in your next reply.


    NEXT


    Please download Malwarebytes' Anti-Malware
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    NEXT


    Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.
    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    3. Click Run at the Security prompt.
    The program will then begin downloading and installing and will also update the database.
    Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.

      [​IMG]
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
     
  10. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5437

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    1/1/2011 11:22:22 AM
    mbam-log-2011-01-01 (11-22-22).txt

    Scan type: Quick scan
    Objects scanned: 256761
    Time elapsed: 6 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    Scan on file

    Complete scanning result of "6650D960", processed in VirusTotal at 01/01/2011 17:09:40 (CET).

    [ file data ]
    * name..: 6650D960
    * size..: 16384
    * md5...: 679672a5004e0af50529f33db5469699
    * sha1..: 427a4ec3281c9c4faeb47a22ffbe7ca3e928afb0
    * peid..: -

    [ scan result ]
    AhnLab-V3 2011.01.01.00/20101231 found nothing
    AntiVir 7.11.0.247/20101231 found nothing
    Antiy-AVL 2.0.3.7/20110101 found nothing
    Avast 4.8.1351.0/20110101 found nothing
    Avast5 5.0.677.0/20110101 found nothing
    AVG 9.0.0.851/20110101 found nothing
    BitDefender 7.2/20110101 found nothing
    CAT-QuickHeal 11.00/20110101 found nothing
    ClamAV 0.96.4.0/20110101 found nothing
    Command 5.2.11.5/20110101 found nothing
    Comodo 7261/20110101 found nothing
    DrWeb 5.0.2.03300/20110101 found nothing
    Emsisoft 5.1.0.1/20110101 found nothing
    eSafe 7.0.17.0/20101230 found nothing
    eTrust-Vet 36.1.8074/20101231 found nothing
    F-Prot 4.6.2.117/20101231 found nothing
    F-Secure 9.0.16160.0/20110101 found nothing
    Fortinet 4.2.254.0/20110101 found nothing
    GData 21/20110101 found nothing
    Ikarus T3.1.1.90.0/20110101 found nothing
    Jiangmin 13.0.900/20110101 found nothing
    K7AntiVirus 9.75.3406/20101231 found nothing
    Kaspersky 7.0.0.125/20110101 found nothing
    McAfee 5.400.0.1158/20110101 found nothing
    McAfee-GW-Edition 2010.1C/20110101 found nothing
    Microsoft 1.6402/20110101 found nothing
    NOD32 5751/20110101 found nothing
    Norman 6.06.12/20110101 found nothing
    nProtect 2011-01-01.01/20110101 found nothing
    Panda 10.0.2.7/20110101 found nothing
    PCTools 7.0.3.5/20110101 found nothing
    Prevx 3.0/20110101 found nothing
    Rising 22.80.04.04/20101231 found nothing
    Sophos 4.60.0/20110101 found nothing
    SUPERAntiSpyware 4.40.0.1006/20110101 found nothing
    Symantec 20101.3.0.103/20110101 found nothing
    TheHacker 6.7.0.1.109/20101230 found nothing
    TrendMicro 9.120.0.1004/20110101 found nothing
    TrendMicro-HouseCall 9.120.0.1004/20110101 found nothing
    VBA32 3.12.14.2/20101230 found nothing
    VIPRE 7910/20110101 found nothing
    ViRobot 2010.12.31.4232/20110101 found nothing
    VirusBuster 13.6.121.0/20101230 found nothing




    I could not run the Kaspersky online scan. It took so long for the data base to load that the license expired when it finished
     
  11. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    sorry, wrong one, please run this scan


    Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activeX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
    • Include the contents of this report in your next reply.
    • Press the BACK button.
    • Press Finish
     
  12. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    The scanner stalled when scanning when it reached my E:\ drive. I let it alone for 1 hour and it still didn't finish. I then checked Task Manager and saw that there was no activity, so i stopped the scan. Since the scanner didn't find any threats, I couldn't find the List of Threats Found button after i stopped it.

    The scanner was 99% done when I stopped the scan, and it finished scanning the C:\ drive. Should i assume that my computer is virus-free now? Perhaps my Avira automatically quarantined the threat when it first detected it.

    Thanks for your help so far
     
  13. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Please do the following:


    [​IMG]
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 23 and save it to your desktop.
    • Scroll down to where it says JDK 6 Update 23 (JDK or JRE)
    • Click the Download JRE button to the right
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u23 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked

        • Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.


    NEXT

    Visit ADOBEand download the latest version of Acrobat Reader (version X)
    Having the latest updates ensures there are no security vulnerabilities in your system.


    NEXT


    Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues
     
  14. yuanD1

    yuanD1 Thread Starter

    Joined:
    Mar 11, 2010
    Messages:
    61
    Can i just update my current versions of Flash and Java instead of uninstalling then installing again?
     
  15. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    You should remove all the old versions of Java from your machine and just keep the most up to date version > version 6 update 23


    You can just update Flash, no problem
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/971373

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice