TechSpot

Help removing Trojan horse(s) & other problems

Solved
By gooodjunkk
Aug 13, 2010
  1. Hello,

    I am having serious problems. Yesterday afternoon my AVG antivirus resident shield detected 2 trojan horse backdoor generic 12.cegh infections, so I sent them to the virus vault. A little later, Malwarebytes informed me that a file named ltk.exe was trying to do something malicious & asked if I should let the program proceed. I said no. Meanwhile Malwarebytes was blocking websites left & right. I found ltk.exe, ltm.exe, ltn.exe, etc. on my computer & deleted them.

    The problem I am having now is that every once in a while a new Internet Explorer window will pop up & open a webpage offering to refinance my mortgage or some other junk; something called "Security Suite" is running on my computer, scanning for viruses (& finding a bunch), constantly sending me security alerts about infected files on my computer & asking me to buy the software to remove the threats; and my AVG antivirus & Malwarebytes are apparently infected & inaccessible, among other things.

    Anyway, I read the 8 steps at the top of this forum & went through & did each step. I have the gmer & dds logs on my desktop but can't open them. I get an error message telling me that notepad.exe is infected. I can't get to the Malwarebytes log either, but if I remember correctly it found 1 infected file & 2 registry entries & sent everything to the vault.

    Please help, if you can.

    Thank you
     
  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  3. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Hi Crunchie,

    Thanks so much for responding to my post. My problems have changed. After my first post but before your reply I booted into safe mode & ran malwarebytes & spybot & both found & fixed some stuff. See Mbam log below. Spybot found & fixed something called Fraud.Sysguard & CouponBar. I don't know if it helps, but I attached a report from Spybot.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4425
    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702
    8/13/2010 9:20:45 AM
    mbam-log-2010-08-13 (09-20-45).txt
    Scan type: Quick scan
    Objects scanned: 134270
    Time elapsed: 10 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Temp\mejl.tmp\setup.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

    So, by the time I read your post, things had changed, but I'm still having problems with ads popping up in IE & Malwarebytes' website blocking working double time, notifying me constantly of successful website blocks. Also, ever since yesterday when I got the first message from AVG resident shield, my system boots up slower than normal & is just slower in general... sluggish.

    Anyway, maybe I shouldn't have, but I went ahead & downloaded ComboFix & followed instructions in your reply (instead of posting what I'd already done, etc.), but 7 hours after starting CF, it was still scanning, so I rebooted & came back here.

    I'm not sure what to do now. I haven't had any messages from malwarebytes website blocker since I've been here, nor any pop up ads (yet... only been here a couple minutes). System still boots very slowly though & is still sluggish.

    Any thoughts on how I should proceed from here?

    Thanks again for your help.
     

  4. crunchie

    crunchie Malware Helper Posts: 761

    Can you boot into safe mode and try to run ComboFix again?
    If it takes more than about 30 minutes, post back and we'll try something else.
     
  5. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    I will try... (I'll be back). Thanks
     
  6. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Yay! It worked. I got a message before CF started that AVG real time scanning needed to be disabled before proceeding. So, I disabled it (or so I thought)... pressed "OK" & got another message saying it was still enabled but that CF would go ahead & run anyway, at my own risk. Tried to figure out how to disable it before I pressed "OK" again, but I'm not sure it can be done once booted up in safe mode. Anyway, I did run it "at my own risk" with real time scanning enabled.

    Log file is attached.
     

  7. crunchie

    crunchie Malware Helper Posts: 761

    Looks ok. Are you able to open those DDS logs now?
     
  8. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Yes, should I run them again or post the old ones?
     
  9. crunchie

    crunchie Malware Helper Posts: 761

    Run them again please.
     
  10. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Ok, I did the 8 steps again. Here are the logs.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4431

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/14/2010 9:47:54 PM
    mbam-log-2010-08-14 (21-47-54).txt

    Scan type: Quick scan
    Objects scanned: 131644
    Time elapsed: 6 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-15 01:11:49
    Windows 5.1.2600 Service Pack 3
    Running: z7jlymmj.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uglyypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF7B29803]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF77F7300]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [F7B2948B] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs B0764400

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg@Description Registry Server
    Reg HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
    Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg@Description Registry Server
    Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
    Reg HKLM\SYSTEM\ControlSet003\Control\SecurePipeServers\winreg@Description Registry Server
    Reg HKLM\SYSTEM\ControlSet003\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
    Reg HKLM\SYSTEM\ControlSet004\Control\SecurePipeServers\winreg@Description Registry Server
    Reg HKLM\SYSTEM\ControlSet004\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
    Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg@Description Registry Server
    Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
    Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
    Reg HKLM\SYSTEM\ControlSet006\Control\SecurePipeServers\winreg@Description Registry Server
    Reg HKLM\SYSTEM\ControlSet006\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet006\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?

    ---- EOF - GMER 1.0.15 ----
     

  11. crunchie

    crunchie Malware Helper Posts: 761

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    DDS::
    mURLSearchHooks: H - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
    TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
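The TB: and mURLSearchHooks: lines in the CFScript above are Internet Explorer toolbar and URL search hook registrations whose backing DLL is gone (DDS prints these as "- No File"). The following read-only audit is an added example written for this page, not the helper's script, ComboFix's or DDS's own logic: it walks the standard IE Toolbar and URLSearchHooks registry keys, resolves each registered CLSID to its COM server DLL, and reports the orphaned ones. The function names are mine; the registry paths are the standard IE locations.

```powershell
# Added example (not from the thread): report IE toolbar / URLSearchHook CLSIDs
# whose COM server DLL no longer exists on disk, i.e. the "- No File" condition
# DDS flagged in the TB: and mURLSearchHooks: lines. Read-only: it only reports.
# Run from an elevated PowerShell so HKLM and HKCR are fully readable.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # The COM server for a CLSID is the default value of its InprocServer32 key.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    # Server paths are often stored quoted and/or with environment variables.
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Get-OrphanedIeHooks {
    # Labels mirror the prefixes DDS uses: TB = toolbar, m/u = machine/user hooks.
    $sources = @(
        @{ Label = 'TB';              Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' },
        @{ Label = 'mURLSearchHooks'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks' },
        @{ Label = 'uURLSearchHooks'; Key = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' }
    )
    foreach ($src in $sources) {
        if (-not (Test-Path -LiteralPath $src.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $src.Key
        # Under these keys the value *names* are the registered CLSIDs; the
        # regex also skips the PSPath/PSProvider metadata Get-ItemProperty adds.
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }
            $dll = Resolve-ClsidServer -Clsid $name
            $state = if (-not $dll) { 'No CLSID server' }
                     elseif (-not (Test-Path -LiteralPath $dll)) { 'No File' }
                     else { 'OK' }
            [pscustomobject]@{
                Source = $src.Label
                Clsid  = $name
                Server = $dll
                State  = $state
            }
        }
    }
}

# Only the orphaned registrations are shown: a CLSID with no server at all, or
# one whose DLL is missing. A hook whose DLL *does* exist is not flagged here
# and needs the file itself examined before deciding anything about it.
Get-OrphanedIeHooks | Where-Object { $_.State -ne 'OK' } | Format-Table -AutoSize
```

On the machine in this thread the five TB: CLSIDs and the machine-wide URLSearchHooks entry from the CFScript would be expected to appear with State "No File" or "No CLSID server".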
     
     
  12. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Here is the combofix log

    ComboFix 10-08-12.03 - Owner 08/15/2010 7:50.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1520 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
    .

    2010-08-13 12:26 . 2010-08-13 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qldfhicrt
    2010-08-13 07:59 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-13 07:59 . 2010-08-13 07:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-13 07:59 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-12 21:53 . 2010-08-12 21:53 57344 --sha-r- c:\windows\system32\TsWpfWrpx.dll
    2010-08-12 21:52 . 2010-08-12 21:52 -------- d-----w- c:\documents and settings\Owner\Application Data\41C28C7638D87F0CA4294A5BC8D8943F
    2010-08-06 09:57 . 2010-08-06 09:57 438 ----a-w- c:\program files\080620102570757.bat
    2010-08-06 07:15 . 2010-08-06 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Oberon Media
    2010-08-06 07:14 . 2010-08-06 09:57 -------- d-----w- c:\program files\MSN Games
    2010-07-30 04:06 . 2010-07-30 04:06 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-07-20 15:33 . 2010-07-20 15:33 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-20 15:33 . 2010-07-20 15:33 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-20 15:33 . 2010-07-20 15:33 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-15 08:26 . 2010-05-26 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
    2010-08-12 12:14 . 2005-06-25 11:34 -------- d-----w- c:\program files\Paint Shop Pro 6
    2010-08-06 08:21 . 2009-12-12 09:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-30 03:55 . 2009-07-23 07:16 -------- d-----w- c:\program files\Graboid
    2010-07-30 03:54 . 2009-07-23 07:22 -------- d-----w- c:\program files\VideoLAN
    2010-07-28 03:58 . 2005-06-25 11:44 -------- d-----w- c:\program files\Punch! Pro
    2010-07-15 15:09 . 2008-12-11 14:34 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 15:09 . 2010-07-15 15:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 15:08 . 2008-12-11 14:34 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-11 05:03 . 2005-06-25 12:48 72 ----a-w- c:\windows\popcinfo.dat
    2010-07-10 10:58 . 2010-07-10 10:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
    2010-06-14 14:31 . 2004-08-26 18:01 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-05 13:47 . 2010-06-05 13:47 14366 ----a-w- c:\windows\skype.dat
    2010-06-05 13:47 . 2010-06-05 13:45 32854 ----a-w- c:\windows\iniLS.dat
    2010-06-02 16:49 . 2008-12-11 14:34 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-27 19:00 . 2010-05-26 22:14 1880 ----a-w- c:\windows\AUTOLNCH.REG
    2010-05-27 18:36 . 2005-06-25 18:19 51984 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-26 21:37 . 2010-05-26 21:06 168242 ----a-w- c:\windows\hphins33.dat
    2005-06-24 08:02 . 2005-06-24 08:02 0 --sha-w- c:\windows\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
    [-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "hpppta"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" [2001-12-13 98304]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoCommonGroups"= 0 (0x0)
    "NoFileSharing"= 1 (0x1)
    "NoPrintSharing"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSimpleStartMenu"= 0 (0x0)
    "NoSMMyDocs"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 15:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.sys

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Support Center.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Support Center.lnk
    backup=c:\windows\pss\Broadband Support Center.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 4.0.lnk
    backup=c:\windows\pss\eFax DllCmd 4.0.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 4.0.lnk
    backup=c:\windows\pss\eFax Tray Menu 4.0.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
    backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboUSA HiSpeed.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboUSA HiSpeed.lnk
    backup=c:\windows\pss\TurboUSA HiSpeed.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboUSA HiSpeed.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboUSA HiSpeed.lnk.disabled
    backup=c:\windows\pss\TurboUSA HiSpeed.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^GE Mouse.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\GE Mouse.lnk
    backup=c:\windows\pss\GE Mouse.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IP Ware Demo.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IP Ware Demo.lnk
    backup=c:\windows\pss\IP Ware Demo.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtuaGirl.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\VirtuaGirl.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
    2009-07-31 23:00 1626112 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2009-11-18 23:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    2002-12-11 01:32 155648 ----a-w- c:\program files\Logitech\ImageStudio\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    2002-12-11 01:31 61440 ----a-w- c:\program files\Logitech\ImageStudio\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    2005-06-08 21:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    2005-06-08 22:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    2005-06-08 22:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2002-12-11 00:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    2005-07-20 00:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-04-29 22:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2010-04-29 22:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MEDIC]
    2006-12-28 02:04 192512 ----a-w- c:\program files\MEDIC\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
    2000-02-15 00:36 43008 ----a-w- c:\windows\system32\WFXSNT40.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "mcupdmgr.exe"=3 (0x3)
    "McAfeeAntiSpyware"=2 (0x2)
    "navapsvc"=3 (0x3)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    "wfxsvc"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccEvtMgr"=2 (0x2)
    "idsvc"=3 (0x3)
    "gusvc"=2 (0x2)
    "gupdate1ca109a4feb59f4"=2 (0x2)
    "fsssvc"=3 (0x3)
    "VSS"=3 (0x3)
    "upnphost"=3 (0x3)
    "Themes"=3 (0x3)
    "RasAuto"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "Messenger"=3 (0x3)
    "FontCache3.0.0.0"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "EapHost"=3 (0x3)
    "Dot3svc"=3 (0x3)
    "clr_optimization_v2.0.50727_32"=3 (0x3)
    "ClipSrv"=3 (0x3)
    "aspnet_state"=3 (0x3)
    "W32Time"=2 (0x2)
    "WSearch"=2 (0x2)
    "TermService"=3 (0x3)
    "lanmanserver"=2 (0x2)
    "srservice"=2 (0x2)
    "RasMan"=2 (0x2)
    "lanmanworkstation"=2 (0x2)
    "Alerter"=2 (0x2)
    "MSDTC"=3 (0x3)
    "SwPrv"=3 (0x3)
    "Netlogon"=3 (0x3)
    "NtLmSsp"=3 (0x3)
    "napagent"=3 (0x3)
    "xmlprov"=3 (0x3)
    "WmdmPmSN"=3 (0x3)
    "RSVP"=3 (0x3)
    "SNMPTRAP"=3 (0x3)
    "SNMP"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "lxdxCATSCustConnectService"=2 (0x2)
    "AppMgmt"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "medicsp2"=c:\program files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "SlipStream"="c:\program files\TurboUSA\turbocore.exe"
    "PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "113:TCP"= 113:TCP:4.79.142.206/255.255.255.255:Disabled:ShieldsUP!

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/11/2008 7:34 AM 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/11/2008 7:34 AM 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:09 AM 308136]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/13/2010 12:59 AM 20952]
    R3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [10/7/2006 1:38 AM 44544]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/13/2010 12:59 AM 304464]
    S3 MouseMaestro;MouseMaestro;c:\windows\system32\drivers\maestro8.sys [7/28/2009 2:58 PM 8104]
    S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [1/5/2008 12:39 AM 13532]
    S4 gupdate1ca109a4feb59f4;Google Update Service (gupdate1ca109a4feb59f4);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2009 3:17 PM 133104]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/18/2007 2:59 PM 24652]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - IPVNMon

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 22:16]

    2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 22:16]

    2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{4CA5E084-3902-41C5-AEF5-18AF9700DD82}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-15 07:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2150821798-68253348-304826555-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2010-08-15 08:01:10
    ComboFix-quarantined-files.txt 2010-08-15 15:00
    ComboFix2.txt 2010-08-14 07:25

    Pre-Run: 35,618,652,160 bytes free
    Post-Run: 35,588,128,768 bytes free

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
    - - End Of File - - D0BF70B4C3E652339306A257119AC327
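The firewall-policy keys in the ComboFix log above ("EnableFirewall"= 0, the AuthorizedApplications list and the GloballyOpenPorts entry) are the part of such a log a responder usually wants to pull out first. The following is an added Python example for doing that, not code from this thread, from ComboFix or from TechSpot. It assumes only the layout visible in the log: a bracketed registry key followed by `"name"= value` lines, and a `port:protocol:scope:status:name` layout for GloballyOpenPorts values (inferred from the single entry shown, so treat that layout as an assumption). The sample input is the excerpt from the log posted above.

```python
import re
from typing import Dict, List, Tuple

# Excerpt copied from the ComboFix log posted earlier in this thread
# (the firewall-policy keys); it is the sample input for the parser below.
COMBOFIX_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:4.79.142.206/255.255.255.255:Disabled:ShieldsUP!
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the '"name"= value' lines under the bracketed registry key above them.

    Keys are lower-cased so later checks can match them case-insensitively.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def audit_firewall(sections: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Return review findings for the standard-profile firewall policy."""
    findings: List[dict] = []
    for key, entries in sections.items():
        if "firewallpolicy" not in key:
            continue
        if key.endswith("firewallpolicy\\standardprofile"):
            for name, value in entries:
                # ComboFix prints the DWORD as '0 (0x0)'; a leading 0 means disabled.
                if name.lower() == "enablefirewall" and value.startswith("0"):
                    findings.append({"severity": "high",
                                     "detail": "Windows Firewall is disabled for the standard profile"})
        elif key.endswith("authorizedapplications\\list"):
            findings.append({"severity": "info",
                             "detail": f"{len(entries)} application(s) exempted from the firewall",
                             "items": [name for name, _ in entries]})
        elif key.endswith("globallyopenports\\list"):
            for name, value in entries:
                # Assumed layout: port:protocol:scope:status:name (inferred from the log).
                parts = value.split(":")
                status = parts[3] if len(parts) > 3 else "unknown"
                findings.append({"severity": "medium" if status.lower() == "enabled" else "info",
                                 "port": name, "scope": parts[2] if len(parts) > 2 else "",
                                 "status": status, "detail": f"globally open port {name} ({status})"})
    return findings


def firewall_disabled(sections: Dict[str, List[Tuple[str, str]]]) -> bool:
    """True when the audit reports the firewall as disabled."""
    return any(f["severity"] == "high" for f in audit_firewall(sections))


if __name__ == "__main__":
    for finding in audit_firewall(parse_sections(COMBOFIX_EXCERPT)):
        print(f"[{finding['severity']}] {finding['detail']}")
```

On the log above this reports the disabled firewall as the one high-severity item; the ShieldsUP! port entry is marked Disabled in the log and so only appears as informational.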
     
  13. crunchie

    crunchie Malware Helper Posts: 761

    Do you still have the problem?
     
  14. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    I think it's fixed. Thanks a bunch for your help!
     
  15. crunchie

    crunchie Malware Helper Posts: 761

    • Click START then RUN and copy/paste the following bolded text into the Run box and click OK:

      ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


    ============

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  16. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Here is the ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ab3207012866ca45b56e047016e767d0
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-16 04:34:27
    # local_time=2010-08-15 09:34:27 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 34904722 34904722 0 0
    # compatibility_mode=1024 16777191 100 0 12184419 12184419 0 0
    # compatibility_mode=1536 16777215 100 0 0 0 0 0
    # compatibility_mode=3585 16777214 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=136064
    # found=5
    # cleaned=0
    # scan_time=6617
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    K:\DnldAps\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
    K:\DnldAps\usrat.exe multiple threats 00000000000000000000000000000000 I
    K:\DnldAps\wherewasgod.exe multiple threats 00000000000000000000000000000000 I
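The ESET log above has a simple shape: `# key=value` header lines (including found, cleaned and remove_checked) followed by one line per detection made of the file path, the threat description, a 32-hex-digit hash field and a status flag. The following is an added Python example that parses that shape and works out what the next step is, not code from this thread, from ESET or from TechSpot. It assumes a Windows path whose file name contains no spaces (true of every line in the log, but an assumption in general) and uses the log lines posted above, all-zero hashes included, as its sample input.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header and detection lines copied from the ESET Online Scanner log posted
# in this thread; the all-zero hash fields are what the log itself contains.
ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2010-08-16 04:34:27
# scanned=136064
# found=5
# cleaned=0
# scan_time=6617
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
K:\DnldAps\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
K:\DnldAps\usrat.exe multiple threats 00000000000000000000000000000000 I
K:\DnldAps\wherewasgod.exe multiple threats 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>[\w.]+)=(?P<value>.*)$")
# path + threat text, then a 32-hex-digit field, then the status flag.
DETECTION_RE = re.compile(r"^(?P<head>.+?)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")


@dataclass
class Finding:
    path: str
    threat: str
    hash_hex: str
    flag: str


def split_detection(head: str) -> Tuple[str, str]:
    """Split 'C:\\dir\\file.exe threat text' into (path, threat).

    Assumption: the file name after the last backslash contains no spaces,
    so the first token after it starts the threat description.
    """
    sep = head.rfind("\\")
    directory, rest = head[:sep + 1], head[sep + 1:]
    filename, _, threat = rest.partition(" ")
    return directory + filename, threat.strip()


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Return the header key/value pairs and the list of detections."""
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value").strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, threat = split_detection(m.group("head"))
            findings.append(Finding(path, threat, m.group("hash"), m.group("flag")))
    return header, findings


def classify(threat: str) -> str:
    """Bucket a threat description by its last word (trojan, worm, application, ...)."""
    if threat == "multiple threats":
        return "multiple"
    return threat.split()[-1].lower()


def triage(header: Dict[str, str], findings: List[Finding]) -> Dict[str, object]:
    """Summarise the scan and say whether a removal rescan is still needed."""
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    remove_checked = header.get("remove_checked", "false").lower() == "true"
    return {
        "found": found,
        "cleaned": cleaned,
        "pending": found - cleaned,
        "by_class": dict(Counter(classify(f.threat) for f in findings)),
        # Detections remain and removal was unchecked: rescan with removal enabled.
        "needs_rescan_with_removal": found > cleaned and not remove_checked,
    }


if __name__ == "__main__":
    hdr, found_items = parse_eset_log(ESET_LOG)
    print(triage(hdr, found_items))
    for item in found_items:
        print(f"{classify(item.threat):12} {item.path}")
```

Run on the log above it reports found=5, cleaned=0, remove_checked=false and therefore flags a rescan with removal enabled, which is the step the next replies in this thread agree on; the by-class breakdown separates the Ask toolbar "application" (a potentially unwanted program) from the trojan, worm and "multiple threats" entries so a responder can decide what to look at first.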
     
  17. crunchie

    crunchie Malware Helper Posts: 761

    Ok. If you run ESET again you will be able to select those files for removal. You will have to rescan.
    Let me know if there is anything else :).
     
  18. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    So, check the "remove found threats" box & scan again, yes?
     
  19. crunchie

    crunchie Malware Helper Posts: 761

    Yes :). (10 character limit :()
     
  20. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Everything seems to be working fine since I rescanned & removed threats. I can't thank you enough for your help. I really appreciate it. :)
     
  21. crunchie

    crunchie Malware Helper Posts: 761

    No worries :)
     
Topic Status:
Not open for further replies.

