
[Resolved] Win32 - Trojan.Agent/Gen (Trojan.dropper/Win-NV) Removal He


  • This topic is locked
41 replies to this topic

#31 oldman960


Posted 17 October 2009 - 12:53 AM

Hi Greyspace,

This infection has renamed a few files.

I need you to make a batchfile.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
    @echo off
    ren "C:\Program Files\Dell\QuickSet\quickset .exe" "quickset.exe"
    ren "C:\Program Files\Synaptics\SynTP\syntpenh .exe" "syntpenh.exe"
    ren "C:\Program Files\GHL\Self-Installed\PowerISO\pwrisovm .exe" "pwrisovm.exe"
    del %0

In Notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fix.bat"
  • Click Save

Locate fix.bat and double click it. A black screen may briefly flash on your screen, this is normal.

Reboot. Does it work now?

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.
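The batch file above undoes, one file at a time, what the infection did: it had renamed legitimate executables by inserting a space before the extension ("quickset .exe"). The Python script below is an added example, not code from the thread or from any of the tools it uses. It walks a directory tree, finds names of that form, plans the reverse renames, and refuses to overwrite a file that already holds the original name, since a file already sitting under the legitimate name is precisely the one to inspect rather than clobber. The directory layout, file contents and the helper make_sample_tree() are constructed for the demonstration.

```python
"""Restore files renamed with a stray space before the extension ("quickset .exe").
Added example for this thread; not part of the thread's batch file or tools."""
import os
import re
import tempfile
from pathlib import Path

# A name whose stem ends in a non-space character, then exactly one space, then one
# or more dotted extension parts with no further spaces: "quickset .exe", "stsystra .exe.vir".
# Names like "Microsoft .NET Framework 1.1 Wizards.lnk" do not match, because the text
# after the space contains more spaces.
SPACED_EXT = re.compile(r"^(?P<stem>.*\S) (?P<ext>(?:\.[^.\s]+)+)$")


def restored_name(name):
    """Return `name` with the stray space removed, or None if it is not of that form."""
    m = SPACED_EXT.match(name)
    return m.group("stem") + m.group("ext") if m else None


def plan_renames(root):
    """Return a sorted list of (old_path, new_path, status) for every affected file
    under `root`. status is "rename" when the original name is free and "conflict"
    when a file with the original name already exists; conflicts are never touched."""
    plan = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            new = restored_name(name)
            if new is None:
                continue
            old_path = Path(dirpath) / name
            new_path = Path(dirpath) / new
            status = "conflict" if new_path.exists() else "rename"
            plan.append((old_path, new_path, status))
    return sorted(plan)


def apply_plan(plan, dry_run=True):
    """Carry out the "rename" entries of the plan (conflicts are skipped) and return
    the (old_path, new_path) pairs handled. With dry_run=True nothing on disk changes."""
    done = []
    for old_path, new_path, status in plan:
        if status != "rename":
            continue
        if not dry_run:
            old_path.rename(new_path)
        done.append((old_path, new_path))
    return done


def make_sample_tree():
    """Build a constructed directory tree resembling the thread's case (sample data,
    not files from the affected machine) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="spaced-ext-"))
    (root / "Dell" / "QuickSet").mkdir(parents=True)
    (root / "Dell" / "QuickSet" / "quickset .exe").write_bytes(b"constructed: renamed original")
    (root / "system32").mkdir()
    (root / "system32" / "ctfmon .exe").write_bytes(b"constructed: renamed original")
    (root / "system32" / "ctfmon.exe").write_bytes(b"constructed: file already under the original name")
    (root / "Microsoft .NET Framework 1.1 Wizards.lnk").write_bytes(b"constructed: unrelated shortcut")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    plan = plan_renames(root)
    for old_path, new_path, status in plan:
        print(f"{status:8} {old_path.relative_to(root)} -> {new_path.name}")
    print("renamed:", len(apply_plan(plan, dry_run=False)))
```

Run it with dry_run=True first and read the plan; a "conflict" line means two files compete for one name and the one currently holding the legitimate name should be checked (size, hash, signature) before anything is renamed.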



#32 greyspace


Posted 17 October 2009 - 08:21 AM

Yes, that worked. Thanks so much!

Sorry for the interruption of how to delete those remaining files. Again, I appreciate all of your help.



#33 oldman960


Posted 17 October 2009 - 11:39 AM

Hi Greyspace,

Good. Let's see if there are any more such renamed files.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE; please note the script starts with the :
    :filefind
    * .*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks


#34 greyspace


Posted 17 October 2009 - 03:46 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:43 on 17/10/2009 by GHL (Administrator - Elevation successful)

========== filefind ==========

Searching for "* .*"
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Configuration.lnk
    --a--- 1011 bytes [22:22 11/08/2004] [22:22 11/08/2004] 5CBD38151113ED8B80137FEA34271B34
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Wizards.lnk
    --a--- 1062 bytes [22:22 11/08/2004] [22:22 11/08/2004] AD04A1D1BCFCD1164D02CCD594ECCFD1
C:\Documents and Settings\All Users\Start Menu\Programs\COMODO\System Cleaner\Uninstall .lnk
    --a--- 1651 bytes [04:25 11/07/2009] [04:25 11/07/2009] 2068DB1841EBE1DED92E7EA6574898C1
C:\Documents and Settings\GHL\Favorites\Sudoku (sudoweb.com) .url
    --a--- 180 bytes [13:51 21/04/2007] [13:51 21/04/2007] 499EA662EFD9C9799F7B87856F1A64F4
C:\Documents and Settings\GHL\Favorites\Web Sudoku .url
    --a--- 118 bytes [13:46 21/04/2007] [13:46 21/04/2007] 9950F71CB6CCF1D0779267D9DF66DCFE
C:\Program Files\Corel\Corel Snapfire Plus\corel photo downloader .exe
    --a--- 462336 bytes [19:20 14/08/2006] [19:20 14/08/2006] 36A9488852362865389D00707391B179
C:\Program Files\GHL\Self-Installed\superantispyware .exe
    --a--- 1830128 bytes [19:42 08/03/2009] [18:43 17/02/2009] 11AFBCA9EAC51CF988918BFFE935E6EE
C:\Program Files\NetWaiting\netwaiting .exe
    --a--- 20480 bytes [03:09 04/04/2007] [07:24 10/09/2003] 676B1D0BFA5EF8005395AB43F33DE1F1
C:\Program Files\QuickMediaConverter\profile\divx 4-3 .xml
    --a--- 1076 bytes [07:08 24/12/2008] [07:08 24/12/2008] 2D81E26ED2855F00F73C7E6C88EF1328
C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\svcst .exe.vir
    --a--- 306688 bytes [02:33 10/10/2009] [02:33 10/10/2009] B07425374A6DB579434AC8E7B8644F50
C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir
    --a--- 30720 bytes [02:54 10/10/2009] [03:18 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\Qoobox\Quarantine\C\Documents and Settings\GH\stsystra .exe.vir
    --a--- 30720 bytes [02:54 10/10/2009] [03:18 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon .exe.vir
    --a--- 15360 bytes [22:00 11/08/2004] [00:12 14/04/2008] 5F1D5F88303D4A4DBC8E5F97BA967CC3
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate .exe.vir
    --a--- 24576 bytes [02:33 10/10/2009] [02:33 10/10/2009] AF66D5A8542C4D938C15BF9DA485E32C
C:\WINDOWS\system32\dla\tfswctrl .exe
    --a--- 127035 bytes [03:12 04/04/2007] [06:05 06/12/2004] 2CA827BA68D0CDB5437C40C6F53D7F20
C:\_OTM\MovedFiles\10142009_180428\Program Files\Adobe\acrotray .exe
    --a--- 30720 bytes [02:37 10/10/2009] [02:37 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\_OTM\MovedFiles\10142009_180428\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    --a--- 30720 bytes [02:33 10/10/2009] [02:33 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\Tunebite\tunebite .exe
    --a--- 30720 bytes [02:33 10/10/2009] [02:33 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA

-=End Of File=-
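Reading a filefind log like the one above by eye is error-prone once it grows past a handful of entries. Two patterns in it are worth surfacing automatically: names with a space before the extension (the search term itself, which also catches harmless shortcuts such as the .NET Framework ones), and groups of files that share one MD5 and size (in this log, five of the quarantined or moved ".exe" files are 30720 bytes with the same hash 0334B4EB4FBFB33C0F821D94BD30C7FA). The parser below is an added example, not part of SystemLook or of the thread; its SAMPLE_LOG is a constructed excerpt in the same layout, using a few of the paths and hashes posted above, and the names parse_systemlook, hash_clusters, spaced_extension_paths and summarize are this example's own.

```python
"""Parse SystemLook ":filefind" output and flag name and hash patterns.
Added example for this thread; not SystemLook's own code."""
import re
from collections import defaultdict

# One result: "<attrs> <size> bytes [created] [modified] <MD5>", either on the line
# after the path (SystemLook's layout) or on the same line as the path.
ENTRY_RE = re.compile(
    r"^(?P<path>.*?)\s*(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Basename with one space before a dotted extension: "netwaiting .exe", "stsystra .exe.vir".
SPACED_EXT = re.compile(r"^(?P<stem>.*\S) (?P<ext>(?:\.[^.\s]+)+)$")

# Constructed excerpt in SystemLook's layout; paths and hashes are ones posted in the thread.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:43 on 17/10/2009 by GHL
(Administrator - Elevation successful)

========== filefind ==========

Searching for "* .*"
C:\Program Files\NetWaiting\netwaiting .exe
    --a--- 20480 bytes [03:09 04/04/2007] [07:24 10/09/2003] 676B1D0BFA5EF8005395AB43F33DE1F1
C:\Qoobox\Quarantine\C\Documents and Settings\GH\stsystra .exe.vir
    --a--- 30720 bytes [02:54 10/10/2009] [03:18 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\_OTM\MovedFiles\10142009_180428\Program Files\Adobe\acrotray .exe
    --a--- 30720 bytes [02:37 10/10/2009] [02:37 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\_OTM\MovedFiles\10142009_180428\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    --a--- 30720 bytes [02:33 10/10/2009] [02:33 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Wizards.lnk
    --a--- 1062 bytes [22:22 11/08/2004] [22:22 11/08/2004] AD04A1D1BCFCD1164D02CCD594ECCFD1

-=End Of File=-
"""


def parse_systemlook(text):
    """Return a list of dicts (path, attrs, size, created, modified, md5) for every
    result inside the filefind section."""
    entries, prev, in_section = [], "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("========== filefind"):
            in_section, prev = True, ""
            continue
        if line.startswith("-=End Of File=-"):
            break
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            path = m.group("path").strip() or prev.strip()  # path is on this or the previous line
            entries.append({
                "path": path, "attrs": m.group("attrs"), "size": int(m.group("size")),
                "created": m.group("created"), "modified": m.group("modified"),
                "md5": m.group("md5").upper(),
            })
        prev = line
    return entries


def hash_clusters(entries, min_count=2):
    """Map each MD5 that occurs at least `min_count` times to the paths that carry it."""
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e["path"])
    return {h: paths for h, paths in by_md5.items() if len(paths) >= min_count}


def spaced_extension_paths(entries):
    """Paths whose basename has a stray space before the extension."""
    return [e["path"] for e in entries if SPACED_EXT.match(e["path"].rsplit("\\", 1)[-1])]


def summarize(text):
    entries = parse_systemlook(text)
    return {"entries": len(entries),
            "spaced_extension": spaced_extension_paths(entries),
            "hash_clusters": hash_clusters(entries)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['entries']} entries parsed")
    for p in report["spaced_extension"]:
        print("space before extension:", p)
    for h, paths in report["hash_clusters"].items():
        print(f"{len(paths)} files share MD5 {h}:")
        for p in paths:
            print("   ", p)
```

A cluster of identical hashes across unrelated program directories is not proof of anything on its own, but it is the first thing to check against the quarantine and the startup entries, and the parser makes that check a one-liner instead of a visual scan.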

#35 oldman960


Posted 17 October 2009 - 09:01 PM

Hi Greyspace,

This should take care of the rest. Do the steps below, post back and if there aren't any problems, we'll clean up the tools.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

    @echo off
    ren "C:\Documents and Settings\All Users\Start Menu\Programs\COMODO\System Cleaner\Uninstall .lnk" "Uninstall.lnk"
    ren "C:\Program Files\NetWaiting\netwaiting .exe" "netwaiting.exe"
    ren "C:\Program Files\GHL\Self-Installed\superantispyware .exe" "superantispyware.exe"
    ren "C:\Program Files\QuickMediaConverter\profile\divx 4-3 .xml" "divx 4-3.xml"
    ren "C:\Program Files\Corel\Corel Snapfire Plus\corel photo downloader .exe" "corel photo downloader.exe"
    del %0

In Notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fixit.bat"
  • Click Save

Locate fixit.bat and double click it. There may be a black screen briefly flash on your screen, this is normal.



Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\\program files\\Corel\\Corel Snapfire Plus\\Corel Photo Downloader.exe"

  • Ensure there is no space above the REGEDIT4.
  • ensure the text matches including the space between lines
  • in notepad go to FILE > SAVE AS and in the dropdown box, set the top box SAVE IN to DESKTOP
  • in the FILE NAME box type (including the " " marks), "fixit.reg"
Click save.

This will create a fixit.reg file on your desktop.

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Reboot your computer.

Thanks


#36 greyspace


Posted 17 October 2009 - 09:23 PM

Hi, thanks again for your help. I was able to run both of the files as you instructed above. They seemed to have worked without a problem but I wasn't sure if there was a log I should post.

#37 oldman960


Posted 17 October 2009 - 11:19 PM

Hi Greyspace, Sorry, I should have asked for a DDS.txt. It should show if everything worked. Please run DDS and post just the DDS.txt. Thanks


#38 greyspace


Posted 17 October 2009 - 11:36 PM

Thank you. Here is the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by GHL at 22:34:33.07 on Sat 10/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1271 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091017-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\GHL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: VideoRaptorIePlugin Class: {90c8e8f8-a7c9-41e4-92e4-c679ae6fb78d} - c:\program files\videoraptor\VideoRaptorIePlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\bambite\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
StartupFolder: c:\docume~1\ghl\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\ghl\self-installed\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\sas\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\sas\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-7-10 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-7-10 39456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\sas\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\sas\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-10 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-10-9 138680]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-4 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-4 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-12 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-10-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-10-9 352920]
S3 SASENUM;SASENUM;c:\program files\sas\SASENUM.SYS [2009-9-15 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-14 00:05 <DIR> --d----- c:\windows\system32\Logs
2009-10-13 03:41 <DIR> --d----- C:\_OTM
2009-10-10 21:10 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-10-10 21:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-10-10 21:10 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-10-10 21:10 <DIR> --d----- c:\program files\ZoneAlarm
2009-10-10 21:10 350,192 a------- c:\windows\system32\vsconfig.xml
2009-10-10 21:08 <DIR> --d----- c:\windows\Internet Logs
2009-10-10 21:08 33,952,648 a------- c:\program files\zaSetup_80_298_000_en.exe
2009-10-10 10:09 236,544 a------- c:\windows\PEV.exe
2009-10-10 10:09 161,792 a------- c:\windows\SWREG.exe
2009-10-10 10:09 98,816 a------- c:\windows\sed.exe
2009-10-10 10:09 <DIR> --d----- C:\Combo-Fix
2009-10-09 23:12 <DIR> --d----- c:\program files\Avast4
2009-10-09 20:58 <DIR> --d----- c:\program files\bambite
2009-10-09 20:54 <DIR> --d----- c:\program files\SAS
2009-10-09 20:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-09 20:24 <DIR> --d----- c:\windows\ERUNT
2009-10-09 20:23 <DIR> --d----- C:\!FixIEDef
2009-10-09 20:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-09 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 16:33 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-10-15 13:24 48,935 a------- c:\windows\system32\nvModes.dat
2009-10-10 22:16 308,160 a------- c:\program files\avast_home_setup.exe
2009-10-09 19:33 14,336 -------- c:\windows\system32\svchost.exe
2009-09-11 07:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 07:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:11 2,744,087 a------- c:\program files\flac-1.2.1b.exe
2009-09-07 17:47 7,886,336 a------- c:\program files\moto setup.msi
2009-09-07 16:05 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 16:05 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-07 16:05 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 16:05 25,248 a------- c:\windows\system32\LMImirr.dll
2009-09-07 16:05 11,552 a------- c:\windows\system32\LMImirr2.dll
2009-09-04 14:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 14:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 01:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 01:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 07:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-01 18:38 6,008,376 a------- c:\program files\ashampoo_burning_studio_6_free_676_4280.exe
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-23 10:52 278,221 a------- c:\program files\gmer.zip
2009-07-11 18:20 265,216 a------- c:\program files\TFC.exe
2009-07-11 18:18 794,112 a------- c:\program files\The_Comedian.exe
2009-07-11 05:50 812,344 a------- c:\program files\HJTInstall.exe
2009-07-10 21:24 5,575,824 a------- c:\program files\CSC_Setup_1.1.64946.38_xp_vista_server2003_x32.exe
2009-07-04 15:26 2,228,534 a------- c:\program files\audacity-win-1.2.6.exe
2009-07-04 11:04 23,442,487 a------- c:\program files\INSTALL.zip
2009-07-04 10:39 2,790,624 a------- c:\program files\x-audio-converter-CNET.exe
2009-07-04 10:27 6,698,028 a------- c:\program files\aaep.exe
2009-07-04 10:23 8,079,082 a------- c:\program files\audioextractor.exe
2009-07-04 10:19 3,176,437 a------- c:\program files\youtubedownloader.exe
2009-07-03 19:41 7,814,384 a------- c:\program files\audiocapture_wmf_setup.exe
2009-07-03 19:30 751,167 a------- c:\program files\sc11a.exe
2009-07-03 19:23 2,813,421 a------- c:\program files\m4a-to-mp3-converter.exe
2009-07-03 18:58 77,690,152 a------- c:\program files\iTunesSetup.exe
2009-07-03 11:34 434,832 a------- c:\program files\switchsetup.exe
2009-07-03 11:31 6,692,753 a------- c:\program files\Setup_FreeConverter.exe
2009-07-03 11:18 21,935,408 a------- c:\program files\QuickTimeInstaller.exe
2009-06-24 07:03 13,905,056 a------- c:\program files\aim6591.exe
2009-04-12 12:32 15,452,536 a------- c:\program files\IE7-WindowsXP-x86-enu.exe

============= FINISH: 22:35:09.00 ===============

#39 oldman960


Posted 17 October 2009 - 11:48 PM

Hi Greyspace,

Everything looks ok.

If no other problems, we can clean up our tools. The quarantined files as well as the old infected System Restore points will be removed when we remove combofix and OTM with the instructions posted below.

From your desktop, please delete
  • any notepads/logs that we created
  • SystemLook.exe
  • DDS.scr
  • GMER.zip
  • Gmer.exe
  • fix.reg
  • fixit.reg

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /u


Open OTM then click the Clean Up button. You may get prompted by your firewall that OTM wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


Updates and upgrades

Since you have uninstalled Adobe Reader, you can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a resident antispyware program.

I suggest

Windows Defender
OR
Winpatrol


You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.


- Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis


- Ensure that Automatic Update is turned on so you get all the latest patches.
Click start, control panel, click Security Center.


- Keep your antivirus program updated, as well as any other security programs you have.


- Check this site out to check for out of date programs
Secunia Personal Software Inspector (PSI) 1.0


- More tips and programs can be found HERE


- You may also want to read this article By Tony Klein
http://www.freedomli...pic.php?t=22879

We will keep this thread open for a couple of days. Please post back if you have any problems or questions. Please post back when you have finished so this thread can be marked "Resolved".

Take care :adios:


#40 greyspace


Posted 19 October 2009 - 08:43 AM

Hi, thanks again so much for all of your time and help with this. I followed the steps above and think I did everything as specified. I wasn't sure if there were any other logs I needed to post or if there was anything else I needed to do. Again, I really appreciate all the work you've done to help me out.



#41 oldman960


Posted 19 October 2009 - 08:55 PM

Hi Greyspace, You're very welcome. No, no logs to post. Take care and keep safe.


#42 oldman960


Posted 25 October 2009 - 03:52 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
