
Vista Security 2011 Virus Problem


123 replies to this topic

#31 Ultilee Stupid (Authentic Member, 197 posts)
Posted 10 May 2011 - 09:51 AM

ComboFix 11-05-04.04 - VJones 10/05/2011 16:30:20.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2036.1287 [GMT 1:00]
Running from: c:\users\Ultimo Lee\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: COMODO Antivirus *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5}
FW: COMODO Firewall *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Caz\AppData\Roaming\Anok
c:\users\Caz\AppData\Roaming\Anok\nepu.edb
c:\users\Caz\AppData\Roaming\Kauwo
c:\users\Caz\AppData\Roaming\Kauwo\liyqu.vun
c:\users\Caz\AppData\Roaming\Laedk
c:\users\Caz\AppData\Roaming\Laedk\efto.naa
c:\users\Ultimo Lee\AppData\Roaming\Microsoft\conhost.exe
c:\users\Ultimo Lee\AppData\Roaming\Revib
c:\users\Ultimo Lee\AppData\Roaming\Revib\noot.nay
c:\users\Ultimo Lee\AppData\Roaming\Taef
c:\users\Ultimo Lee\AppData\Roaming\Taef\podu.acp
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\VJones\AppData\Local\temp
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\UltimoLee\AppData\Local\temp
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\Ultimo Lee\AppData\Local\temp
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\CHughes\AppData\Local\temp
2011-05-10 15:46 . 2011-05-10 15:46 -------- d-----w- c:\users\Caz\AppData\Local\temp
2011-05-10 10:36 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7761024C-D953-4A7F-BA25-C47967466E43}\mpengine.dll
2011-05-09 15:13 . 2011-05-09 15:13 -------- d-----w- c:\users\VJones\AppData\Local\VS Revo Group
2011-05-09 15:13 . 2009-12-30 10:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-09 15:13 . 2011-05-09 15:13 -------- d-----w- c:\program files\VS Revo Group
2011-05-08 17:17 . 2011-05-08 17:17 100736 ----a-w- C:\kxldipow.sys
2011-05-06 16:03 . 2011-05-06 16:03 -------- d-----w- C:\_OTL
2011-05-05 22:25 . 2011-05-05 22:25 -------- d-----w- c:\users\Caz\AppData\Local\Apple
2011-04-27 11:19 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 11:19 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 11:19 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 00:14 . 2011-04-27 00:14 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-18 18:11 . 2011-04-18 18:11 -------- d-----w- c:\users\Ultimo Lee\AppData\Roaming\Greyfirst
2011-04-18 18:11 . 2011-04-18 18:11 -------- d-----w- c:\users\Ultimo Lee\AppData\Local\Greyfirst
2011-04-18 17:07 . 2011-04-27 22:02 -------- d-----w- c:\users\Ultimo Lee\AppData\Roaming\gtk-2.0
2011-04-18 17:07 . 2011-04-18 17:07 -------- d-----w- c:\users\Ultimo Lee\.thumbnails
2011-04-18 17:03 . 2011-04-27 22:03 -------- d-----w- c:\users\Ultimo Lee\.gimp-2.6
2011-04-18 17:03 . 2011-04-18 17:03 -------- d-----w- c:\users\Ultimo Lee\.gegl-0.0
2011-04-18 15:56 . 2011-04-18 15:56 -------- d-----w- c:\users\Ultimo Lee\AppData\Local\Deployment
2011-04-18 15:56 . 2011-04-18 15:56 -------- d-----w- c:\users\Ultimo Lee\AppData\Local\Apps
2011-04-14 17:44 . 2011-04-14 17:44 -------- d-----w- c:\users\Ultimo Lee\AppData\Local\Apple Computer
2011-04-13 11:09 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-13 11:09 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-13 11:07 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-25 21:40 . 2009-09-15 19:38 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-03 15:40 . 2011-04-27 11:19 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 11:19 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 11:19 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 11:19 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-02-22 14:13 . 2011-03-31 19:18 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-31 19:18 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-31 19:18 797696 ----a-w- c:\windows\system32\FntCache.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\System32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\My.Freeze.com Toolbar\NetAssistant.dll" [2008-11-26 253048]
"{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\tbSoft.dll" [2009-10-27 2325528]
.
[HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]
.
[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
2009-10-27 11:45 2325528 ----a-w- c:\program files\Softonic_English\tbSoft.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
2008-11-26 19:40 253048 ----a-w- c:\program files\My.Freeze.com Toolbar\NetAssistant.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\tbSoft.dll" [2009-10-27 2325528]
.
[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{930F1200-F5F1-4870-BAC6-E233EC8E7023}"= "c:\program files\Softonic_English\tbSoft.dll" [2009-10-27 2325528]
.
[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-05 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-22 281768]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-11 1800464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-22 135336]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-16 135664]
R2 gupdate1cc039659a3dd69;Google Update Service (gupdate1cc039659a3dd69);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-16 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-16 135664]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-03-11 130960]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-03-11 29520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-16 23:56]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-16 23:56]
.
2011-05-09 c:\windows\Tasks\Norton Security Scan for VJones.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-22 23:51]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{04F1B430-67A1-4B31-962C-B500816EFE55}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{09CC4FE3-90EB-45E2-9902-ADEE35007982}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{26438954-F43E-45EA-B377-13E87D63FBD8}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{3E4E7D37-EA7D-43AC-8038-284715408613}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1142338
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\VJones\AppData\Roaming\Mozilla\Firefox\Profiles\b3ps2o0c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - %profile%\extensions\{930f1200-f5f1-4870-bac6-e233ec8e7023}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 16:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-05-10 16:48:46
ComboFix-quarantined-files.txt 2011-05-10 15:48
ComboFix2.txt 2011-04-02 20:11
.
Pre-Run: 66,366,681,088 bytes free
Post-Run: 66,370,179,072 bytes free
.
- - End Of File - - 6F832D0CB006EA50A8512AE2812743DB
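Two of the checks a removal helper applies when reading a log like the one above, written out as an added example (this is not ComboFix code and is not part of the original post): a Windows system-binary name such as conhost.exe turning up outside %SystemRoot%, and a short random-named folder created directly under AppData\Roaming holding a data file with a meaningless extension, which is the pattern behind the "Other Deletions" entries above. The allowlist of vendor folders, the 3-to-6-letter threshold and the list of ordinary extensions are this example's own assumptions, not anything the tool uses.

```python
import re
from typing import Dict, List

# Added example, not ComboFix code: two location heuristics a malware-removal
# helper applies when reading the "Other Deletions" list in the log above.

# Windows binaries whose names malware borrows to blend in (assumption: a short
# illustrative list). Their legitimate copies live under %SystemRoot%.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
SYSTEM_ROOT = "c:\\windows\\"

# Vendor folders that legitimately sit directly under AppData\Roaming and happen
# to be short (assumption: an allowlist for this example only).
KNOWN_ROAMING = {"adobe", "apple", "google", "skype", "mozilla", "opera"}

# Extensions a normal data file in a vendor folder would carry (assumption).
COMMON_EXTS = {"exe", "dll", "dat", "db", "xml", "ini", "log", "txt", "json", "lnk", "cfg"}

# Matches "<profile>\AppData\Roaming\<folder>" with an optional single child entry.
ROAMING_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\([^\\]+)(?:\\([^\\]+))?$")


def classify(path: str) -> List[str]:
    """Return the reasons a path looks suspicious; an empty list means no finding."""
    p = path.strip().lower()
    reasons: List[str] = []

    # 1. A system-binary name outside %SystemRoot% (conhost.exe inside a Roaming
    #    profile folder, as in the log above, is the classic masquerade).
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_ROOT):
        reasons.append("system binary name outside %SystemRoot%")

    # 2. A short, random-looking folder directly under AppData\Roaming, optionally
    #    holding a data file with a nonsense extension (the Anok\nepu.edb pattern).
    m = ROAMING_RE.match(p)
    if m:
        folder, child = m.group(1), m.group(2)
        if re.fullmatch(r"[a-z]{3,6}", folder) and folder not in KNOWN_ROAMING:
            reasons.append("random-looking folder directly under AppData\\Roaming")
            if child and child.rsplit(".", 1)[-1] not in COMMON_EXTS:
                reasons.append("data file with an unusual extension inside it")
    return reasons


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged paths are dropped."""
    findings: Dict[str, List[str]] = {}
    for raw in paths:
        reasons = classify(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


# Constructed sample: paths copied from the ComboFix log above, plus legitimate
# entries from the same log as negative cases.
SAMPLE_PATHS = [
    r"c:\users\Caz\AppData\Roaming\Anok",
    r"c:\users\Caz\AppData\Roaming\Anok\nepu.edb",
    r"c:\users\Caz\AppData\Roaming\Kauwo\liyqu.vun",
    r"c:\users\Ultimo Lee\AppData\Roaming\Microsoft\conhost.exe",
    r"c:\users\Ultimo Lee\AppData\Roaming\Greyfirst",
    r"c:\users\Ultimo Lee\AppData\Roaming\gtk-2.0",
    r"c:\windows\system32\drivers\revoflt.sys",
    r"c:\program files\VS Revo Group",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Running it flags the four entries ComboFix deleted and leaves the Greyfirst, gtk-2.0, Revo and driver entries alone. The folder-name heuristic is deliberately narrow (one level below Roaming, lowercase letters only) because legitimate software creates plenty of odd directory names; in practice a helper confirms a hit by checking the file's timestamp against the infection date, as the "Files Created" section above allows.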



#32 Ultilee Stupid (Authentic Member, 197 posts)

Posted 10 May 2011 - 10:00 AM

None of the problems I suffered the last time I used ComboFix have happened after reboot.

Last time all my desktop programs had stopped working and I had to change profiles.

This still pops up after logging in:

Avira AntiVir Personal - Free Antivirus

CCPLG.XML:
Unable to find file (C:\Program Files\Avira\AntiVirDesktop\ccplg.xml).


EDIT: Do you think it would be OK to use PayPal again? I contacted my bank and they said they doubt it would be a problem and they'd keep an eye on my account.

Edited by Ultilee Stupid, 10 May 2011 - 02:11 PM.


#33 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 10 May 2011 - 09:20 PM

Hi Ultilee Stupid,

That doesn't look too bad. I think you can use PayPal, but I suggest you change your password just as a precaution.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next

One more scan just to check our handiwork.

In order to run this scan you will need to open a browser with Administrator rights.
  • Right click your browser icon and select "Run as Administrator"
  • Do not use this browser for anything else but running this scan
  • Once the scan has completed and the results saved, close that browser.
  • Open a new browser the normal way and post the ESET log here.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Go here to run an online scanner from ESET

(Note: You can use Internet Explorer or Firefox for this scan. If you use Firefox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt or C:\Program Files\ESET\log.txt. We will need this later.
Please post back with the ESET log.

Please post back with
  • MBAM log
  • ESET log
We'll see what we can do about Antivir after you post back.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#34 Ultilee Stupid (Authentic Member, 197 posts)

Posted 11 May 2011 - 11:21 AM

I had to do this on Firefox; Internet Explorer wouldn't connect to the internet.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

11/05/2011 16:19:42
mbam-log-2011-05-11 (16-19-42).txt

Scan type: Quick scan
Objects scanned: 103293
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=3cfc043de11d6243bf781f54249dbc73
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-11 05:15:00
# local_time=2011-05-11 06:15:00 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 74203556 74203556 0 0
# compatibility_mode=1797 16775166 100 89 349689 41660943 1356694 0
# compatibility_mode=3073 16777213 80 89 349754 36807272 0 0
# compatibility_mode=5892 16776573 100 100 104156 142660683 0 0
# compatibility_mode=8192 67108863 100 0 256 256 0 0
# scanned=257068
# found=6
# cleaned=0
# scan_time=6145
C:\Qoobox\Quarantine\C\Users\Caz\AppData\Roaming\Ucenw\zymo.exe.vir a variant of Win32/Kryptik.LYR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Caz\AppData\Roaming\Ukfeu\xeti.exe.vir a variant of Win32/Kryptik.ITY trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Ultimo Lee\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.NJU trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\UltimoLee\AppData\Local\fqg.exe.vir a variant of Win32/Kryptik.MEO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\UltimoLee\AppData\Local\pgv.exe.vir a variant of Win32/Kryptik.MEO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Ultimo Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\9536d5d-534b1f7e a variant of Win32/Kryptik.NMH trojan (unable to clean) 00000000000000000000000000000000 I




Hopefully that's the right log for ESET. I tried these

C:\Program Files\EsetOnlineScanner\log.txt or C:\Program Files\ESET\log.txt

but they didn't come up, so I went to Program Files and found this



Edit:

On COMODO: I'm unsure of the best setting for it; I've tried looking at their site but I'm a bit clueless. When the infections happened COMODO did ask me to Allow or Block twice and I blocked twice, but it still happened.


Would it be safe to go on the site I was on when this happened before the second restore? I've asked someone I know who goes on there and he says there's no problems; http://safeweb.norton.com/ says there's no problems with the site as well.


Apologies for all the questions again.

Edited by Ultilee Stupid, 11 May 2011 - 11:41 AM.


#35 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 11 May 2011 - 11:29 PM

Hi Ultilee Stupid,

What message do you receive when you try to use Internet Explorer?

Would it be safe to go on the site i was on when this happened before the second restore?

What is the site?

Your java is out of date. Go to Start > Control Panel , switch to Classic View if it isn't already.
  • Locate the Java icon (it looks like a coffee cup)
  • double click it to open it
  • click the Update tab
  • Click update now

Most of the ESET detections are files we have quarantined. These will be removed when we remove the tools.


Next, Right click on OTL.exe and chose Run as Administrator to run it
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
:Services

:Files
C:\Users\Ultimo Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\9536d5d-534b1f7e

:Commands
[createrestorepoint]
[emptytemp]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.

Thanks

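The distinction drawn in the post above (most of the ESET hits are files already sitting in a removal tool's quarantine, while the Java deployment-cache hit is still live and is the one the OTL fix targets) can be automated over the log format posted earlier in this thread. The following is an added example, not ESET's or OTL's own code: it parses the detection lines, buckets them by whether the path lies under C:\Qoobox\Quarantine or C:\_OTL (assumed here to be the quarantine locations of ComboFix and OTL), and renders the live ones in the same `:Files` / `:Commands` shape as the fix in this post. The log excerpt embedded in it is copied from the post above; the detection-name prefixes it recognises are an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not ESET or OTL code. Sorts ESET Online Scanner detections into
# "already quarantined by a removal tool" and "still live", then renders the live
# ones as an OTL :Files fix in the same shape as the one posted in this thread.

# Quarantine locations of the tools used in this thread (assumption: ComboFix
# keeps C:\Qoobox\Quarantine, OTL keeps C:\_OTL).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otl\\")

# Every detection line ends with "(action) <32 hex chars> <flag>".
TAIL_RE = re.compile(
    r"^(?P<body>.+?)\s+\((?P<action>[^)]*)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)
# The detection name starts at "a variant of", "probably a variant of", or a
# platform prefix; everything before it is the path, which may contain spaces.
# (Assumption: this prefix list covers the lines in this thread, not every ESET name.)
DETECTION_START_RE = re.compile(
    r"\s(?=(?:probably )?a variant of |(?:Win32|Win64|MSIL|JS|HTML|Java|VBS|PDF)/)"
)


@dataclass
class Detection:
    path: str
    detection: str
    action: str
    quarantined: bool   # path lies inside a removal tool's quarantine
    java_cache: bool    # payload cached by the Java plug-in: points at a browser exploit


def parse_line(line: str) -> Optional[Detection]:
    """Parse one detection line; return None for headers ("# ...") and other text."""
    m = TAIL_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    d = DETECTION_START_RE.search(body)
    if not d:
        return None
    path, detection = body[: d.start()], body[d.start() + 1 :]
    low = path.lower()
    return Detection(
        path=path,
        detection=detection,
        action=m.group("action"),
        quarantined=low.startswith(QUARANTINE_PREFIXES),
        java_cache="\\sun\\java\\deployment\\cache\\" in low,
    )


def triage(log_text: str) -> Dict[str, List[Detection]]:
    """Split a log into quarantined and live detections."""
    buckets: Dict[str, List[Detection]] = {"quarantined": [], "live": []}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is not None:
            buckets["quarantined" if rec.quarantined else "live"].append(rec)
    return buckets


def otl_files_fix(live: List[Detection]) -> str:
    """Render an OTL custom fix for the live detections (the shape used in this thread)."""
    lines = [":Files"] + [d.path for d in live]
    lines += ["", ":Commands", "[createrestorepoint]", "[emptytemp]"]
    return "\n".join(lines)


# Constructed sample: the detection lines copied from the ESET log posted above.
SAMPLE_LOG = r"""
# found=6
# cleaned=0
C:\Qoobox\Quarantine\C\Users\Caz\AppData\Roaming\Ucenw\zymo.exe.vir a variant of Win32/Kryptik.LYR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Caz\AppData\Roaming\Ukfeu\xeti.exe.vir a variant of Win32/Kryptik.ITY trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Ultimo Lee\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.NJU trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\UltimoLee\AppData\Local\fqg.exe.vir a variant of Win32/Kryptik.MEO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\UltimoLee\AppData\Local\pgv.exe.vir a variant of Win32/Kryptik.MEO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Ultimo Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\9536d5d-534b1f7e a variant of Win32/Kryptik.NMH trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['quarantined'])} quarantined, {len(result['live'])} live")
    print(otl_files_fix(result["live"]))
```

The "unable to clean" action on the quarantined entries is expected: the scanner was run with "Remove found threats" unchecked, exactly as the instructions above say, so it reports rather than deletes. The one live hit is flagged `java_cache`, which is why the Java update is on the to-do list in the same post: a payload in the deployment cache means the browser's Java plug-in fetched it, and an unpatched JRE is the usual reason it ran.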

#36 Ultilee Stupid (Authentic Member, 197 posts)

Posted 12 May 2011 - 03:54 AM

Hi Ultilee Stupid,

What message do you receive when you try to use Internet Explorer?

Would it be safe to go on the site i was on when this happened before the second restore?

What is the site?

Your java is out of date. Go to Start > Control Panel , switch to Classic View if it isn't already.
  • Locate the Java icon (it looks like a coffee cup)
  • double click it to open it
  • click the Update tab
  • Click update now

I switched to Classic folders view, then went to Start and typed in Java; Java was listed, I double-clicked, and a black pop-up with lots of writing appeared for only a second. I tried a few times but no luck.

Do I have to do the Java update before doing the OTL scan and fix?

The website is http://www.surrealmoviez.info

#37 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 12 May 2011 - 06:57 AM

Hi Ultilee Stupid,


It would be better if the Java was updated, but the fix can be run if you can't get Java to update.

I switched to Classic folders view, then went to Start and typed in Java; Java was listed, I double-clicked, and a black pop-up with lots of writing appeared for only a second. I tried a few times but no luck.

Try right-clicking the Java icon and clicking "Run as Administrator" instead of double-clicking. Let me know how you make out.

I can't seem to access the site.


#38 Ultilee Stupid (Authentic Member, 197 posts)

Posted 12 May 2011 - 09:29 AM

Same thing happened with Java, just the black pop-up, so I couldn't update it.

The OTL fix log



All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Users\Ultimo Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\9536d5d-534b1f7e moved successfully.
========== COMMANDS ==========


[EMPTYTEMP]

User: All Users

User: Caz
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1265152 bytes
->Java cache emptied: 36755 bytes
->FireFox cache emptied: 102966368 bytes
->Flash cache emptied: 66323 bytes

User: CHughes
->Temp folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 38784 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ultimo Lee
->Temp folder emptied: 3276885 bytes
->Temporary Internet Files folder emptied: 112251 bytes
->Java cache emptied: 664290 bytes
->FireFox cache emptied: 128593691 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 53489 bytes

User: UltimoLee
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2048328 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3600810 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: VJones
->Temp folder emptied: 45326 bytes
->Temporary Internet Files folder emptied: 10300067 bytes
->Java cache emptied: 1904128 bytes
->FireFox cache emptied: 45993093 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10215692 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 297.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05122011_161436

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




On the website I'm wanting to access:

The "Vista Security 2011" virus started again last Wednesday night and I posted this thread, then did a System Restore and the virus was no longer popping up in the tray. Between then and Saturday, when it happened again, I was on surrealmoviez.info several times with no problems. Could this indicate that it had nothing to do with the site?

Also, is there anything you can recommend I can download to block me accessing sites that are a threat? I've barely been on any sites in a week due to the fear of it happening again.

Also, if the virus does pop up again, what is the best thing for me to do? Scan and remove with Malwarebytes, or a System Restore, or something else?


Edit: On Java. I've just been playing a game and the Java symbol appeared in the Windows tray near the clock. I opened the Control Panel; Update says I last updated 11:57 02/07/10. I clicked the Update button but nothing happens.

Edited by Ultilee Stupid, 12 May 2011 - 10:06 AM.


#39 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 12 May 2011 - 06:10 PM

Hi Ultilee Stupid,

OK, one thing at a time. Let's update the Java the old-fashioned way. I don't know what you have disallowed or allowed in your firewall, but Comodo may be responsible.

  • Go to Java
  • Scroll down to Java Platform, Standard Edition section. The subheading is Java SE 6 Update 24,
  • Click the Download JRE button on the right.
If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.
  • Select the platform (Windows, in your case), multi language.
  • Accept the license agreement, click continue.
You do not have to install the Java Web Start ActiveX Control
  • Scroll down and click on Windows Offline Installation,
  • Save the file jre-6u25-windows-i586.exe to your desktop;
Do not select Run . Do not install it yet.

When the download is complete, close your browser.

Click on the Start button > Control Panel

Depending on your settings, either
  • click on the Uninstall a program option under the Programs category, or
  • if you are using the Classic View of the Control Panel, double-click on the Programs and Features icon instead.
Uninstall the following program

Java™ 6 Update 21


Do not uninstall Java™ 6 Update 25 if found!

Reboot your computer.

  • Right click on the saved file ( jre-6u25-windows-i586-p.exe) and click "Run as Administrator" to install the update.
  • Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Also if the virus does pop up again what is the best thing for me to do? scan and remove with Malwarebytes or a system restore or something else?

System Restore is not the best solution. MBAM and seeking help is probably the best course of action. Prevention is the best. We'll try to beef up your security with a layered approach when we are done.

Between then and saturday when it happened again i was on surrealmoviez.info several times with no problems. could this indicate that it had nothing to with the site?

As mentioned, this could have been a purely drive-by incident. This stuff is floating around the internet looking for a place to land. You do not necessarily need to be on a specific site or click on something. Also, an internet connection is not just one single connection: a single web page, depending on content, could mean several connections to various sites just to complete the page.

Infection can also be brought in by old vulnerable programs such as java. These programs have exploits that can be used by the evil doers to infect computers. Java is very good at updating their program to remove or patch the exploits.

Let me know how the java goes.


#40 Ultilee Stupid (Authentic Member, 197 posts)

Posted 12 May 2011 - 06:58 PM

As mentioned, this could have been a purely drive-by incident. This stuff is floating around the internet looking for a place to land. You do not necessarily need to be on a specific site or click on something. Also, an internet connection is not just one single connection: a single web page, depending on content, could mean several connections to various sites just to complete the page.

OK, I'll still wait until we've finished updating everything until I try it then. Thanks

Infection can also be brought in by old vulnerable programs such as Java. These programs have exploits that can be used by the evildoers to infect computers. Java is very good at updating their program to remove or patch the exploits.

Let me know how the Java goes.

Went as planned, Java SE 6 Update 25 not 24, that's the only difference to what you've put above. Checked the programs in the control panel and it's installed. Java™ 6 Update 21 is gone.


#41 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 13 May 2011 - 06:44 AM

Hi Ultilee Stupid,

Good job. Now let's see if we can remove Antivir. Try reinstalling it then uninstall it. You can get a new copy from Antivir PersonalEditionClassic


#42 Ultilee Stupid

Ultilee Stupid

    Authentic Member

  • Authentic Member
  • 197 posts

Posted 13 May 2011 - 09:24 AM

Hi Ultilee Stupid,

Good job. Now let's see if we can remove Antivir. Try reinstalling it then uninstall it. You can get a new copy from Antivir PersonalEditionClassic

Installed, then tried to uninstall after reboot but this popped up again.

Setup could not determine the feature control file or was not able to read it correctly
[Errorcode: 7]


Edit: I was recommended this to download to help ID if a site is safe. Have you heard of it?

McAfee siteadvisor

Edited by Ultilee Stupid, 13 May 2011 - 05:39 PM.


#43 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 13 May 2011 - 11:45 PM

Hi Ultilee Stupid, That's a different error message. Try Revo uninstaller again.


#44 Ultilee Stupid

Ultilee Stupid

    Authentic Member

  • Authentic Member
  • 197 posts

Posted 14 May 2011 - 04:28 AM

It's the same error as post #29. Same thing happened with Revo :pullhair:

#45 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 15 May 2011 - 12:49 AM

Hi Ultilee Stupid,

http://www.siteadvisor.com/#

It's similar to the Norton link you posted. It can be very trustworthy as a tool to help you determine if a site is safe or not. You still need to use your judgement as the ratings are based on user input.

Antivir is proving to be stubborn. Let's see if this tool can remove it. If not we'll do a manual removal.

Download and save to your desktop AppRemover

  • Right click AppRemover.exe and click "Run as administrator"
  • Click Next
  • Select Remove Security Application
  • Wait until the application finishes scanning the computer and determines which security applications are installed.
  • Choose the application that requires uninstallation, AntiVir
  • Wait until the uninstallation process ends.
Was it successful?
