[Resolved] infected - please help


  • This topic is locked
21 replies to this topic

#16 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 25 September 2009 - 01:32 PM

OK, yes my mistake, sorry I forgot you were using Kaspersky as your AV

Please run this scanner instead; I don't expect it to find anything, but it is better to be certain.


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


NEXT

Please post a fresh DDS log and Attach.txt and advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#17 fmedwards3

fmedwards3

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 25 September 2009 - 11:12 PM

Status update to let you know that I am still working. The online ESET scanner has been running 8+ hrs and reports 7 threats found, and is only 23% complete. Looks like it will take quite a while. I'll post the logs you asked about as soon as possible. Thanks again.

#18 fmedwards3

fmedwards3

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 26 September 2009 - 09:11 AM

After many hours, the ESET online scanner reports finding 17 'threats'. My computer seems to be OK (normal). Even my USB flash drive is now recognized.

ESET online scanner.txt
**************************
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=8144943f8425704e8d923f0f8d5a95c0
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-26 10:57:30
# local_time=2009-09-26 04:57:30 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.0.2195 NT Service Pack 4
# compatibility_mode=1281 63 100 99 2896584633728
# compatibility_mode=3585 63 50 0 0
# compatibility_mode=4355 63 655 0 0
# compatibility_mode=4354 63 655 0 0
# compatibility_mode=8449 63 655 0 0
# scanned=216856
# found=17
# cleaned=17
# scan_time=47403
C:\Documents and Settings\fmeadmin\My Documents\Downloads\MagicISO v5.3 (Build 0213).rar a variant of Win32/HackTool.Patcher.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\fmeadmin\My Documents\Downloads\Windows Xp 9 In 1 (Pro Home Media Center Oem, Retail, Corp, Upgrade).iso a variant of Win32/HackTool.Patcher.C trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\fmeadmin\My Documents\Downloads\Symantec Norton Ghost10 BOOTABLE.ISO\NORTONGHOST10.0.iso probably a variant of Win32/Adware.Agent application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\fmeadmin.DELLOPTIPLEX\Desktop\torrents\Win XP PRO SP3 (5503) VistaVG Ultimate Style + SATA-RAID (03-19-2008)\Win XP PRO SP3 (5503) VistaVG Ultimate Style + SATA-RAID (03-19-2008).iso Win32/CloseApp.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\onyx\Norton2008-360-keygen.exe a variant of MSIL/TrojanDropper.Agent.E trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\onyx\Desktop\Cleanup Tools\SmitfraudFix\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\onyx\Desktop\Cleanup Tools\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\onyx\My Documents\TEX progs\WinEdt54\WinEdt[1].v5.4.20050701 Crack.rar a variant of Win32/HackTool.Patcher.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Microsoft Update Engine\stub_1.exe a variant of Win32/Injector.PZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Microsoft Update Engine\stub_2.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Microsoft Update Engine\stub_3.exe a variant of Win32/Injector.PZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Faronics\Deep Freeze 6 Enterprise\DF6WksSeedRaw.dat probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Malwarebytes' Anti-Malware\The patch for ( Malwarebytes' Anti-Malware 1.34 )\m.bytes'.anti-malware.v1.34-patch.exe probably a variant of Win32/HackTool.Patcher.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\UACcjcfpxxthl.sys.vir a variant of Win32/Olmarik.HI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\shared\Windows XP Ultimate Edition (by Johnny) [February2008-R3.6].iso probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINNT\Downloaded Installations\{82557381-A09A-407F-AAC8-9B05F0E3A655}\PC MightyMax v9.msi Win32/Adware.PCMightyMax application (deleted - quarantined) 00000000000000000000000000000000 C
C:\_OTMoveIt\MovedFiles\07312008_173642\Documents and Settings\onyx\Desktop\software\NOD32.Antivirus.System.2.70.39.Incl.Fix-Emzky\NOD32.Antivirus.System.2.70.39.Incl.Fix-Emzky.rar Win32/HackAV.G application (deleted - quarantined) 00000000000000000000000000000000 C

DDS.txt
****************************
DDS (Ver_09-07-30.01) - NTFSx86
Run by onyx at 9:58:32.68 on Sat 09/26/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.107 [GMT -6:00]

============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINNT\system32\hasplms.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Documents and Settings\fmeadmin.DELLOPTIPLEX\Desktop\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\onyx\Desktop\software2\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [PDF Converter Registry Controller] "c:\program files\scansoft\pdf converter\RegistryController.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
mExplorerRun: [Explorer Options2] w
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp image zone fast start.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symantec fax starter edition port.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\scansoft\pdf converter\IEShellExt.dll /100
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://tcapps.selu.edu/timecentre/Common/iemenu.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38458.7024884259
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxp://tcapps.selu.edu/timecentre/Common/pvdt80.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: klogon - c:\winnt\system32\klogon.dll
Notify: NavLogon - c:\winnt\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\onyx\applic~1\mozilla\firefox\profiles\5alwvt2f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.selu.edu/|http://www.selu.edu/
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\winnt\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-5-11 64160]
R0 stcp2v30;stcp2v30 Driver;c:\winnt\system32\drivers\stcp2v30.sys [2008-12-1 64960]
R1 FSLX;FSLX;c:\winnt\system32\drivers\fslx.sys [2008-7-21 192256]
R1 KLIF;Kaspersky Lab Driver;c:\winnt\system32\drivers\klif.sys [2009-5-12 215824]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-4-25 201992]
R2 hasplms;HASP License Manager;c:\winnt\system32\hasplms.exe -run --> c:\winnt\system32\hasplms.exe -run [?]
R2 NFService;Fastream IQ Web/FTP Server;c:\progra~1\fastream iq web ftp server engine\IQWebFTPServerEngine.exe [2008-10-4 3220992]
R2 vmci;VMware vmci;c:\winnt\system32\drivers\vmci.sys [2009-3-26 54960]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2005-4-16 61712]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\winnt\system32\drivers\klfltdev.sys [2008-3-13 23312]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2008-3-25 24592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys --> c:\program files\symantec antivirus\savrt.sys [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\savrtpel.sys --> c:\program files\symantec antivirus\Savrtpel.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2008-12-27 410976]
S3 DigimHID;DigimHID;c:\winnt\system32\drivers\DigimHID.SYS [2008-8-18 5248]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symantec shared\virusdefs\20070820.048\naveng.sys [2008-8-8 81232]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symantec shared\virusdefs\20070820.048\navex15.sys [2008-8-8 865904]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\savroam.exe" --> c:\program files\symantec antivirus\SavRoam.exe [?]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\rtvscan.exe" --> c:\program files\symantec antivirus\Rtvscan.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-09-26 09:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_428.dat
2009-09-25 15:20 <DIR> --d----- c:\program files\ESET
2009-09-25 11:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_45c.dat
2009-09-25 10:10 16,384 a------t c:\winnt\system32\Perflib_Perfdata_460.dat
2009-09-25 00:01 16,384 a------t c:\winnt\system32\Perflib_Perfdata_494.dat
2009-09-24 23:00 16,384 a------t c:\winnt\system32\Perflib_Perfdata_498.dat
2009-09-24 15:39 16,384 a------t c:\winnt\system32\Perflib_Perfdata_444.dat
2009-09-24 15:27 1,843,684 ----h--- c:\winnt\ShellIconCache
2009-09-24 13:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_450.dat
2009-09-24 10:36 229,888 a------- c:\winnt\PEV.exe
2009-09-24 10:36 161,792 a------- c:\winnt\SWREG.exe
2009-09-24 10:36 98,816 a------- c:\winnt\sed.exe
2009-09-23 15:19 1,538 a------- c:\winnt\system32\%LocalXml%
2009-09-23 07:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-22 21:30 0 a--sh--- c:\winnt\klif.spi
2009-09-18 18:31 <DIR> --d----- C:\usr
2009-09-17 23:53 42,192 ac------ c:\winnt\system32\dllcache\atibt829.sys

==================== Find3M ====================

2009-09-22 20:29 33,808 a------- c:\winnt\system32\drivers\klbg.sys
2009-09-22 20:29 107,547 a------- c:\winnt\system32\drivers\klin.dat
2009-09-22 20:29 95,259 a------- c:\winnt\system32\drivers\klick.dat
2009-09-10 14:54 38,224 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 18,520 a------- c:\winnt\system32\drivers\mbam.sys
2009-05-11 22:01 9,673,395 a------- c:\documents and settings\onyx\ATT_SST_Installer.exe
2007-11-22 12:31 21,952 ----h--- c:\program files\folder.htt
2007-11-22 12:31 271 ----h--- c:\program files\desktop.ini
2006-07-22 23:26 774,144 a------- c:\program files\RngInterstitial.dll
1999-12-07 06:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
1998-12-08 20:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 20:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 20:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 20:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 20:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 20:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 10:00:45.45 ===============

DDS attach.txt
********************************************
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 9/25/2009 5:41:48 AM (29 hours ago)

Motherboard: Dell Computer Corporation | | OptiPlex GX150
Processor: Intel Pentium III processor | Microprocessor | 996/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 36.372 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_12F7&PID_1E23\077B132E1A6D
Manufacturer: Microsoft
Name: USB Mass Storage Device
PNP Device ID: USB\VID_12F7&PID_1E23\077B132E1A6D
Service: USBSTOR

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

A-PDF Merger 2.3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
AnswerWorks 5.0 English Runtime
Ashampoo WinOptimizer 6.01
ATT-PRT22
Belarc Advisor 7.2
Bullzip PDF Printer 4.0.0.463
CCleaner (remove only)
ConTEXT
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
CueTour
DeviceFunctionQFolder
Diner Dash 2
DocumentViewer
DocumentViewerQFolder
Easy File Sharing Web Server 4.2
ESET Online Scanner v3
EVEREST Home Edition v2.20
ExactFile 1.0.0.15
FloorPlan 3D v11
Free Pascal 2.0.4
FullDPAppQFolder
Google Earth
HijackThis 2.0.2
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
InstantShareDevices
iPod Access for Windows v4.2.2
Kaspersky Internet Security 2009
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Micro Logic Info Select 2007
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
Money Manager Ex 0.9.4.2
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.5.3)
NX Client for Windows 3.2.0-13
PanoStandAlone
PhotoGallery
ProductContext
Quicken 2009
RandMap
ResumeMaker Professional
Scan
SkinsHP1
SmartDraw 2009
Software Virtualization Agent
Sonic_PrimoSDK
Spybot - Search & Destroy
TeXnicCenter Version 1 Beta 7.01 (Greengrass)
TI-SmartView™ - Trial
Tina 8 - Industrial
TurboFLOORPLAN Home & Landscape Pro
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wlaiper
TurboTax 2008 wrapper
UltraEdit 14.20
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VMware Player
WinEdt
WinSCP 4.1.7

==== End Of File ===========================
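The ESET Online Scanner log posted above has a simple, regular shape: `# key=value` header lines followed by one detection per line (path, threat name, action in parentheses, a 32-hex-digit field, and a flag). The PowerShell below is an added example, not code from the thread or from ESET, that parses a log in that shape and cross-checks it the way a helper reading the post would: does the scanner's own `found` counter match the number of detection lines, was anything left un-quarantined, and what families did the hits fall into. The sample log embedded in it is constructed (made-up paths, and an invented "not cleaned" action string to exercise that branch); the line layout is inferred from the posted log rather than from any ESET specification.

```powershell
# Added example (not part of the thread): parse an ESET Online Scanner log.txt
# in the shape of the log posted above and summarise it.
#   header lines:    # key=value
#   detection lines: <path> <threat name> (<action taken>) <32 hex digits> <flag>
# The path may contain spaces and parentheses, so the threat name is used to
# anchor the split rather than splitting on whitespace.

# Constructed sample in the same shape as the posted log (paths are made up;
# the third action string is invented to show the not-quarantined branch).
$SampleLog = @'
# version=6
# end=finished
# remove_checked=true
# archives_checked=true
# scanned=216856
# found=3
# cleaned=2
# scan_time=47403
C:\Downloads\Example Tool v1.2 (Build 7).rar a variant of Win32/HackTool.Patcher.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Example Engine\stub_1.exe a variant of Win32/Injector.PZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Example Engine\stub_2.exe probably unknown NewHeur_PE virus (error while cleaning) 00000000000000000000000000000000 C
'@

function ConvertFrom-EsetLog {
    param([Parameter(Mandatory)][string]$Text)

    $header     = @{}
    $detections = @()
    # Lazy '.+?' for the path: the match stops at the first point where a
    # "<family> application|trojan|virus (<action>) <hash> <flag>" tail fits.
    $linePattern = '^(?<path>.+?)\s+' +
                   '(?<threat>(?:probably a variant of |a variant of |probably unknown )?\S+ (?:application|trojan|virus))\s+' +
                   '\((?<action>[^)]*)\)\s+(?<hash>[0-9A-Fa-f]{32})\s+\S+$'

    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^#\s*(?<key>[^=]+)=(?<value>.*)$') {
            $header[$Matches['key'].Trim()] = $Matches['value'].Trim()
        }
        elseif ($line -match $linePattern) {
            $detections += [pscustomobject]@{
                Path        = $Matches['path']
                Threat      = $Matches['threat']
                Action      = $Matches['action']
                Hash        = $Matches['hash']
                Quarantined = ($Matches['action'] -like '*quarantined*')
            }
        }
        else {
            Write-Warning "Unrecognised line: $line"
        }
    }
    [pscustomobject]@{ Header = $header; Detections = $detections }
}

$scan = ConvertFrom-EsetLog -Text $SampleLog

# Cross-check the scanner's own counters against the detection lines parsed.
$found   = [int]$scan.Header['found']
$cleaned = [int]$scan.Header['cleaned']
"Scan finished: {0}; scanned {1} objects; found {2}, cleaned {3}" -f `
    ($scan.Header['end'] -eq 'finished'), $scan.Header['scanned'], $found, $cleaned

if ($scan.Detections.Count -ne $found) {
    Write-Warning ("Header reports {0} found but {1} detection lines were parsed" -f $found, $scan.Detections.Count)
}

# Anything not quarantined is still on disk and needs follow-up.
$scan.Detections | Where-Object { -not $_.Quarantined } |
    ForEach-Object { Write-Warning ("Not quarantined: {0} [{1}]" -f $_.Path, $_.Threat) }

# Group by detection family (prefix such as "a variant of" stripped) to see what
# kind of material the scan turned up; in the posted log most hits were
# cracks/patchers and bundled ISOs under the user's Downloads folders.
$scan.Detections |
    Group-Object { $_.Threat -replace '^(probably a variant of |a variant of |probably unknown )', '' } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

To run it against a real log, replace `$SampleLog` with `Get-Content -Raw 'C:\Program Files\Eset\Eset Online Scanner\log.txt'` (the path CatByte gives above). Lines that do not fit the two shapes are reported with `Write-Warning` rather than silently dropped, which is the behaviour you want from anything you use to triage a scan.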

#19 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 September 2009 - 09:42 AM

Hi,

You are clean,

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version 9.1)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.


  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
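Two of the recommendations above leave a footprint that can be verified rather than taken on trust: the Internet-zone ActiveX settings live in the registry, and the MVPS HOSTS file is just a text file whose entries point names at 127.0.0.1. The PowerShell below is an added example, not from the thread or from any of the tools it names, that audits both in read-only fashion. It assumes the documented IE URL-action value names for the Internet zone (zone 3: `1001` download signed ActiveX, `1004` download unsigned ActiveX, `1201` initialize and script ActiveX not marked as safe; data `0` = Enable, `1` = Prompt, `3` = Disable) and the standard HOSTS file location; the function names are my own.

```powershell
# Added example (not part of the thread): report whether the Internet-zone
# ActiveX settings recommended above are in place, and what the HOSTS file does.
# Read-only: nothing here changes a setting.

# Internet zone = zone 3. Value names are Microsoft's documented URL action codes:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Caveat: if the Security_HKLM_only policy is set, the HKLM copy of the zone key
# applies instead of this per-user one.
function Test-IeInternetZoneActiveX {
    $zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $labels   = @{ '1001' = 'Download signed ActiveX controls'
                   '1004' = 'Download unsigned ActiveX controls'
                   '1201' = 'Initialize and script ActiveX controls not marked as safe' }
    $expected = @{ '1001' = 1; '1004' = 1; '1201' = 3 }   # Prompt, Prompt, Disable
    $dataName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $actual  = $zone.$name
        $current = if ($null -eq $actual) { 'not set' } else { $dataName[[int]$actual] }
        [pscustomobject]@{
            Setting     = $labels[$name]
            Current     = $current
            Recommended = $dataName[$expected[$name]]
            Ok          = ($actual -eq $expected[$name])
        }
    }
}

# Count MVPS-style blocklist entries (names mapped to the local machine) and
# flag any entry that maps a name to a remote address, which a blocklist never
# does and which is therefore worth a second look during cleanup.
function Test-HostsFile {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    $blocked    = 0
    $suspicious = @()
    foreach ($line in Get-Content -Path $Path) {
        $entry = ($line -replace '#.*$', '').Trim()      # drop comments
        if ($entry -eq '') { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }            # not "<ip> <name>..."
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        if ($ip -in @('127.0.0.1', '0.0.0.0', '::1')) {
            $blocked += @($names | Where-Object { $_ -notin @('localhost', 'localhost.localdomain') }).Count
        }
        else {
            $suspicious += $entry
        }
    }
    [pscustomobject]@{
        Path             = $Path
        BlockedHostCount = $blocked
        RemoteRedirects  = $suspicious
    }
}

Test-IeInternetZoneActiveX | Format-Table -AutoSize
Test-HostsFile | Format-List
```

A freshly installed MVPS file shows a `BlockedHostCount` in the thousands and an empty `RemoteRedirects`; a stock Windows HOSTS file shows zero blocked hosts. Any non-empty `RemoteRedirects` list is something to read line by line before deciding it is legitimate.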


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.



#20 fmedwards3

fmedwards3

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 26 September 2009 - 11:06 AM

Thanks for the info and again for your assistance.

#21 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 September 2009 - 11:17 AM

You are more than welcome, stay safe :wavey: ~CB



#22 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 30 September 2009 - 10:52 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

