1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Got virus or something from Ares!Help!

Discussion in 'Virus & Other Malware Removal' started by DonovanP, Mar 30, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
    Hi there.

    I got a virus or something while using Ares yesterday.In my ares shared folder I get loads of .RAR files I didn't download.And my PC takes for ever to boot up after this.Also my internet connection very slow!Here is my HJT log.Please help me look for the problem!

    Thanks in advance
    Regards
    Donovan Potgieter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:07:44 PM, on 3/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BM8b9bfec8] Rundll32.exe "C:\WINDOWS\system32\wforocfd.dll",s
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares destiny] "C:\Program Files\Ares Destiny\Ares.exe" -h
    O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{67A0AC14-4740-4825-8811-9DF847AFA1AC}: NameServer = 196.43.50.190 196.43.53.190
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Destiny\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4930 bytes
     
  2. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
  3. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi Welcome to TSG!!


    Please visit this webpage for instructions for downloading and running ComboFix.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



    You should also read: Posting for help read first
     
  5. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
    Here's the logs!

    Combofix:
    ComboFix 08-04-01.2 - User 2008-04-02 17:52:23.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.518 [GMT 2:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM8b9bfec8.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system\_sv_CMD_
    C:\WINDOWS\system\_sv_CMD_\U.exe
    C:\WINDOWS\system32\ihevnmov.dll
    C:\WINDOWS\system32\ljJbXrOi.dll
    C:\WINDOWS\system32\odbkyqac.dll
    C:\WINDOWS\system32\pmnljICt.dll
    C:\WINDOWS\system32\tCIjlnmp.ini
    C:\WINDOWS\system32\tCIjlnmp.ini2
    C:\WINDOWS\system32\tnnkcbhg.dll
    C:\WINDOWS\system32\vkhyxltc.dll
    C:\WINDOWS\system32\wforocfd.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
    .

    2008-04-01 23:33 . 2008-04-01 23:33 <DIR> d-------- C:\Kimberley drags 2008
    2008-04-01 22:39 . 2008-04-01 22:39 <DIR> d-------- C:\Program Files\Ashampoo
    2008-03-31 18:00 . 2008-03-31 18:00 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
    2008-03-31 18:00 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-03-30 16:55 . 2008-03-30 16:55 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-30 16:36 . 2008-03-30 16:44 <DIR> d-------- C:\Program Files\Ares Destiny
    2008-03-30 16:05 . 2008-03-30 16:05 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
    2008-03-29 20:51 . 2008-03-30 22:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-29 20:51 . 2008-03-29 20:51 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-29 20:14 . 2008-03-29 20:16 <DIR> d-------- C:\Program Files\NCH Software
    2008-03-29 20:14 . 2008-03-29 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
    2008-03-29 18:01 . 2008-03-31 18:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-29 18:01 . 2008-03-29 18:01 37,888 --a------ C:\WINDOWS\system32\rar.exe
    2008-03-29 17:52 . 2008-03-29 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-03-27 21:29 . 2008-03-27 21:29 <DIR> d--h----- C:\WINDOWS\PIF
    2008-03-27 19:45 . 2008-03-27 19:45 <DIR> d-------- C:\Program Files\Mpeg2Decoder
    2008-03-27 19:44 . 2008-03-27 19:44 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
    2008-03-27 19:44 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\Unicows.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-02 15:46 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
    2008-04-01 21:24 --------- d-----w C:\Program Files\Java
    2008-03-31 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-30 20:53 --------- d-----w C:\Program Files\History Cleaner
    2008-03-30 14:16 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-27 22:47 --------- d-----w C:\Program Files\PC-Cleaner
    2008-02-27 22:41 --------- d-----w C:\Program Files\All Cleaner
    2008-02-27 22:35 --------- d-----w C:\Documents and Settings\User\Application Data\ParetoLogic
    2008-02-27 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
    2008-02-27 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    2008-02-19 18:24 --------- d-----w C:\Documents and Settings\User\Application Data\Corel
    2008-02-19 18:22 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-02-19 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-02-19 18:20 --------- d-----w C:\Program Files\Corel
    2008-02-19 18:20 --------- d-----w C:\Program Files\Common Files\Corel
    2008-02-14 20:03 --------- d-----w C:\Documents and Settings\User\Application Data\Autodesk
    2008-02-14 19:57 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-02-14 19:57 --------- d-----w C:\Program Files\AutoCAD 2006
    2008-02-14 19:57 --------- d-----w C:\Program Files\AnswerWorks 4.0
    2008-02-14 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-02-14 19:54 --------- d-----w C:\Program Files\Autodesk
    2008-02-09 20:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-09 20:48 --------- d-----w C:\Program Files\Google
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ares"="C:\Program Files\Ares\Ares.exe" [ ]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
    "ares destiny"="C:\Program Files\Ares Destiny\Ares.exe" [2007-08-07 17:11 2970112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 22:29 579072]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 21:07 7110656]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-04 11:56 219136]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "Windows Printing Driver"= WinSpooler.exe

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 10:58 49152]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    -r------- 2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares destiny]
    --a------ 2007-08-07 17:11 2970112 C:\Program Files\Ares Destiny\Ares.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-01-15 16:14 147456 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8b9bfec8]
    C:\WINDOWS\system32\wforocfd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2006-02-28 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-08-11 16:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2005-07-20 21:07 7110656 C:\WINDOWS\system32\NvCpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2005-07-20 21:07 86016 C:\WINDOWS\system32\NvMcTray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2005-07-20 21:07 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-11-04 20:30 155648 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    -r------- 2006-06-28 08:54 16248320 C:\WINDOWS\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    -r------- 2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    -ra------ 2006-11-24 01:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc"=3 (0x3)
    "ose"=3 (0x3)
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Ares Destiny\\Ares.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-02 17:58:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-02 18:00:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-02 16:00:22
    Pre-Run: 56,302,067,712 bytes free
    Post-Run: 56,242,847,744 bytes free
    .
    2008-03-12 06:50:56 --- E O F ---

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:58:39 PM, on 4/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ares Destiny\Ares.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares destiny] "C:\Program Files\Ares Destiny\Ares.exe" -h
    O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{67A0AC14-4740-4825-8811-9DF847AFA1AC}: NameServer = 196.43.50.190 196.43.53.190
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Destiny\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5921 bytes
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  7. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
    here's the log!


    SDFix: Version 1.165

    Run by Administrator on Wed 04/02/2008 at 10:27 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-02 22:34:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
    "StateIndex"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D\n\21]
    "DisplayName"="\xb973\x7792"
    "DeviceDesc"="\xb973\x7792"
    "ProviderName"="\x27fc\21\xee18\x7c90\x286c\21\b"
    "MFG"="\xc1bf\b\xe12b\x1803\x5d0"
    "ReinstallString"=".10.1000.7"
    "DeviceInstanceIds"=str(7):"d:\software\drivers\chipset_inf\smdrv\smbus\smbusati.inf"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    source file error: C:\Documents and Settings\User\ntuser.dat

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Ares Destiny\\Ares.exe"="C:\\Program Files\\Ares Destiny\\Ares.exe:*:Disabled:Ares p2p for windows"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe:*:Disabled:Java(TM) Platform SE binary"
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe:*:Disabled:Java(TM) Platform SE binary"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 19 Feb 2008 952 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
    Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
    Wed 2 Apr 2008 20,222,992 A..H. --- "C:\Documents and Settings\User\Local Settings\Temp\BIT1.tmp"

    Finished!
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.


    Please perform a scan with Kaspersky Webscan Online Virus Scanner
    • Read the Requirements and Privacy statement, then select "Accept".
    • A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
    • When the download is complete it will say ready, click "Next".
    • Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
    • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    • Click "OK".
    • Under "Select a target to scan", click on "My Computer".
    • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
     
  9. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
    Found nothing with SUPERantispyware.Was clean!

    And with Kaspersky

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, April 03, 2008 9:58:53 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 3/04/2008
    Kaspersky Anti-Virus database records: 679710
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 86736
    Number of viruses found: 5
    Number of infected objects: 13
    Number of suspicious objects: 0
    Duration of the scan process: 01:46:55

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\cert8.db Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\history.dat Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\key3.db Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\parent.lock Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-3-2008( 18-8-5 ).LOG Object is locked skipped
    C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Ares Destiny\My Shared Folder\___ARESTRA___animal japanese girl ****s with black dog(sex xxx porn).mpeg Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dr4ac6af.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_760.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\User\My Documents\Setups\nero-7 7 5 1 premium edition + serial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\Documents and Settings\User\My Documents\Setups\nero-7 7 5 1 premium edition + serial.exe RAR: infected - 1 skipped
    C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Yahoo!\Messenger\logs\billing_User.log Object is locked skipped
    C:\Program Files\Yahoo!\Messenger\logs\client_User.log Object is locked skipped
    C:\Program Files\Yahoo!\Messenger\logs\network_User.log Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ihevnmov.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\odbkyqac.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\wforocfd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.lwy skipped
    C:\QooBox\Quarantine\catchme2008-04-02_175801.00.zip/Documents and Settings/User/Desktop/catchme.zip/ljJbXrOi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-04-02_175801.00.zip/Documents and Settings/User/Desktop/catchme.zip/pmnljICt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-04-02_175801.00.zip/Documents and Settings/User/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-04-02_175801.00.zip ZIP: infected - 3 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{C4169057-5905-480B-9F46-5B6B7DF73B61}\RP167\A0044874.exe Infected: P2P-Worm.Win32.Agent.bq skipped
    C:\System Volume Information\_restore{C4169057-5905-480B-9F46-5B6B7DF73B61}\RP171\A0045302.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{C4169057-5905-480B-9F46-5B6B7DF73B61}\RP171\A0045303.dll Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
    C:\System Volume Information\_restore{C4169057-5905-480B-9F46-5B6B7DF73B61}\RP171\A0045306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lwy skipped
    C:\System Volume Information\_restore{C4169057-5905-480B-9F46-5B6B7DF73B61}\RP173\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    This is the one infected item:
    C:\Documents and Settings\User\My Documents\Setups\nero-7 7 5 1 premium edition + serial.exe

    You should delete that one.

    You should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

    OTMoveIt2 by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders.
    • Make sure you have an Internet Connection.
    • Double-click OTMoveIt2.exe to run it.
    • Click on the CleanUp! button
    • A list of tool components used in the Cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
    • Click Yes to beging the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405



    Now you should Clean up your PC


    Here are some additional links for you to check out to help you with your computer security.

    How did I get infected in the first place.

    Secunia software inspector & update checker

    Good free tools and advice on how to tighten your security settings.

    Security Help Tools
     
  11. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
    Okay I deleted that file.SO after I do the rest of the steps I will be good?
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I hope so ... but you will have to tell me! ;)
     
  13. DonovanP

    DonovanP Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    11
    Everything is working again!

    Thanks so much!Job well done!
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Right back at you!


    Great! I'm happy to hear it!


    :)
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/698566

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice