Solved Infected with Win64:Sirefef-A, Win32:Sirefef-PF and Win32:Atraps-PF - Windows XP SP3

So far, as far as I can tell, the system is running smoothly. The toolbars have been removed, and Avast is no longer detecting random virus attacks. I haven't had any issues with random clicking sounds either. What I did notice, however, is that for some reason when I put a disc into one of my drives, the autorun function no longer appears. Does that have anything to do with the programs we ran?
 
Sorry for the multiple posts, but I want to keep you updated as much as I can so we're on the same page once we can continue cleaning this thing up.
I've done a scan of my H drive with Avast, since I didn't want to be unproductive today, and it found two infected files. I know we still had two left over in the system volume, but these two seem to be named differently? Here's a screenshot, since I can't find an option to extract a log:

Edit: Image removed

Please let me know if the provided info from the last few posts is enough to go on, or if we need to repeat something. I'm ready to go on and I really appreciate your help!
 
You're almost through.

Open notepad and copy and paste the following text in the quote box into the window:
sc stop "AntiVirService"
sc delete "AntiVirService"
  • Save this as fixservices.bat and save it to your desktop.
  • Choose to save as All files.
  • Double-click fixservices.bat and let the program run.
  • A small black DOS window will flash, this is normal.
  • When done you can delete the remove.bat file.
------------------
Open notepad and copy and paste the following text in the quote box into the window:
sc stop "AntiVirSchedulerService"
sc delete "AntiVirSchedulerService"
  • Save this as fixservices.bat and save it to your desktop.
  • Choose to save as All files.
  • Double-click fixservices.bat and let the program run.
  • A small black DOS window will flash, this is normal.
  • When done you can delete the remove.bat file.
=============================================
Please run this Custom CFScript:

  • [1] Close any open browsers.
  • [2] Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3] Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\DC++\\DCPlusPlus.exe"=-
"I:\\Azureus\\Azureus.exe"=-
"h:\\Programme\\Vuze\\Azureus.exe"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
I removed the unnecessary parts from the autorun, at least as far as I could identify them.
NOTE: Autorun and starting on boot are not the same. I had you uncheck some processes on the Startup Menu that didn't need to start on boot.
====================
There has got to be a reason the system is freezing. You have enough RAM, but it would be best if you ran Memtest to see if any chip isn't functioning.
=======================
One more scan:
First, set up a Directory for HijackThis as follows:
Right click Start> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
----------------------------------
Download HijackThis and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Time for the next logs. ComboFix did NOT freeze this time. But I'd like to run a Memtest, which sort of program would I use for that?

Here is the ComboFix log:

ComboFix 12-07-07.04 - Korcas 07.07.2012 19:03:48.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2561 [GMT 2:00]
Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
Command switches used :: h:\dokumente und einstellungen\Korcas\Desktop\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-06 03:49 . 2012-07-06 03:49 -------- d-----w- H:\_OTM
2012-07-05 17:12 . 2012-07-05 17:12 -------- d-----w- h:\programme\ESET
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-05_17.07.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-06 18:21 . 2012-07-06 18:21 16384 h:\windows\temp\Perflib_Perfdata_5f0.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 67740 h:\windows\system32\perfc009.dat
+ 2007-07-27 12:00 . 2012-07-06 18:25 67740 h:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 48036 h:\windows\system32\perfc007.dat
+ 2007-07-27 12:00 . 2012-07-06 18:25 48036 h:\windows\system32\perfc007.dat
+ 2007-07-27 12:00 . 2012-07-06 18:25 432784 h:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 432784 h:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 316246 h:\windows\system32\perfh007.dat
+ 2007-07-27 12:00 . 2012-07-06 18:25 316246 h:\windows\system32\perfh007.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
"AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
"MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
"PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
"ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Gamma Loader.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
backup=h:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=h:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AshSnap]
2011-04-01 07:10 1528176 ----a-w- I:\ashampoo snap 4\ashsnap.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\mIRC\\mirc.exe"=
"I:\\Trillian\\trillian.exe"=
"h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
"h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
"h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"I:\\Skype\\Plugin Manager\\skypePM.exe"=
"I:\\Skype\\Phone\\Skype.exe"=
"h:\\Programme\\Opera\\opera.exe"=
"h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
"I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
"h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
.
R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
- h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
.
2012-07-07 h:\windows\Tasks\avast! Emergency Update.job
- h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
.
2012-07-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
2012-07-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
.
------- Supplementary Scan -------
.
IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Adobe Reader Speed Launcher - I:\reader\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-07 19:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5348)
h:\windows\system32\webcheck.dll
.
Completion time: 2012-07-07 19:09:06
ComboFix-quarantined-files.txt 2012-07-07 17:09
ComboFix2.txt 2012-07-06 18:24
ComboFix3.txt 2012-07-06 03:46
ComboFix4.txt 2012-07-05 17:10
.
Pre-Run: 8 Verzeichnis(se), 13.594.959.872 Bytes frei
Post-Run: 9 Verzeichnis(se), 14.461.534.208 Bytes frei
.
- - End Of File - - 456DFF7C11E471E7594F636EB88FCD1F
 
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:14:10, on 07.07.2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Programme\WTouch\WTouchService.exe
H:\Programme\Alwil Software\Avast5\afwServ.exe
H:\Programme\WTouch\WTouchUser.exe
H:\Programme\Alwil Software\Avast5\AvastSvc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Programme\Java\jre6\bin\jqs.exe
H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
I:\Malwarebytes' Anti-Malware\mbamservice.exe
H:\Programme\BurnAware Professional\nmsaccessu.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\Pen_Tablet.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe
H:\Programme\Trojancheck 6\tcguard.exe
H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe
H:\Programme\Alwil Software\Avast5\avastUI.exe
H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
H:\WINDOWS\system32\RunDLL32.exe
I:\Malwarebytes' Anti-Malware\mbamgui.exe
H:\Programme\Vtune\TBPanel.exe
I:\AdobeCS5.5\Adobe Bridge CS5.1\Bridge.exe
H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
H:\WINDOWS\explorer.exe
I:\Opera\opera.exe
I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
H:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - I:\AdobeCS5.5\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - H:\Programme\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - I:\AdobeCS5.5\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - H:\Programme\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] H:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe ARM] "H:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Trojancheck 6 Guard] H:\Programme\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [ISUSPM Startup] H:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "H:\Programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "H:\Programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [avast] "H:\Programme\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] H:\Programme\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "I:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [TBPanel] H:\Programme\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [AdobeBridge] "I:\AdobeCS5.5\Adobe Bridge CS5.1\Bridge.exe" -stealth
O4 - HKUS\S-1-5-21-436374069-1757981266-725345543-1004\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - H:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - H:\Programme\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - H:\Programme\Alwil Software\Avast5\afwServ.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - I:\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMSAccessU - Unknown owner - H:\Programme\BurnAware Professional\nmsaccessu.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - H:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - H:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - H:\Programme\WTouch\WTouchService.exe

--
End of file - 9167 bytes

As for the files I have now quarantined in the Avast container... Should I leave them there, or will it hamper the cleanup process? If you want, I can just release them from the container.
 
Computer has been running smoothly for the past day. Are we in the green in terms of viruses, or are there still steps we need to take? I'd like to have this machine clean before Wednesday, as I'll have to do a couple of money transactions, and will, of course, not log into my bank account while there are still issues to be taken care of.

Thank you for your continued assistance.
 
Just finished another full Avast scan. Besides those two quarantined files, the machine seems to be clean.
Looks like we can wrap this one up with the next steps, what do you say?
 
Updating this topic so it won't be closed due to inactivity. Definitely ready for the next steps of the cleaning process.
 
I'm very sorry for the delay. I have turned all of my threads over to DragonMasterJay to finish. I thought I had noted all of the threads, but may have missed yours.

I am sending a message to him now. He will be with you as soon as possible.
 
Thanks for getting back to me. I was worried that I'd been forgotten. Thank you for your awesome assistance so far Bobbye!
 
Hello! Okay, let's do this an easy way.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    services.exe
    %userprofile%\AppData\Local\*.*
    %systemroot%\Installer\*.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
That was a quick scan. Here are the results:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:15 on 10/07/2012 by Korcas
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
H:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe --a---- 111104 bytes [17:36 17/10/2009] [11:14 09/02/2009] F0A7D59AF279326528715B206669B86C
H:\WINDOWS\$NtServicePackUninstall$\services.exe -----c- 108544 bytes [17:44 17/10/2009] [12:00 27/07/2007] EDB6B81761BD60F32F740BBC40AFB676
H:\WINDOWS\$NtUninstallKB956572$\services.exe -----c- 109056 bytes [17:53 17/10/2009] [02:22 14/04/2008] 4BB6A83640F1D1792AD21CE767B621C6
H:\WINDOWS\erdnt\cache\services.exe --a---- 111104 bytes [17:10 05/07/2012] [11:21 09/02/2009] A3EDBE9053889FB24AB22492472B39DC
H:\WINDOWS\ServicePackFiles\i386\services.exe ------- 109056 bytes [02:22 14/04/2008] [02:22 14/04/2008] 4BB6A83640F1D1792AD21CE767B621C6
H:\WINDOWS\system32\services.exe --a---- 111104 bytes [12:00 27/07/2007] [11:21 09/02/2009] A3EDBE9053889FB24AB22492472B39DC
H:\WINDOWS\system32\dllcache\services.exe -----c- 111104 bytes [17:36 17/10/2009] [11:21 09/02/2009] A3EDBE9053889FB24AB22492472B39DC

Searching for "%userprofile%\AppData\Local\*.*"
No files found.

Searching for "%systemroot%\Installer\*.*"
No files found.

-= EOF =-
 
Let's see if your computer is clean...

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Okay, I'd run ESET before, so I know it'll take between three and four hours, so I'll have to keep it for tomorrow. But one question between scanning with ESET and further actions: I have two system volume files in quarantine with Avast. Should I just go ahead and delete these, or will we catch those files with a different program eventually?

I want to make sure that ESET has a chance of catching these.
 
Awesome. Expect the next update around this time tomorrow. Stupid work interfering with the cleanups. ;)

Thank you for taking on my case!
 
Okay, I ran ESET and finished the scan. However... it doesn't seem to have saved a new log file?
File Properties do say it was changed today, so here it is anyway. One file was located and moved to quarantine; should I delete it from quarantine too?

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=86e63b1d358d574baec76fdcf7d5b0f7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-05 08:38:58
# local_time=2012-07-05 10:38:58 (+0100, Westeuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 47954549 47954549 0 0
# compatibility_mode=8192 67108863 100 0 106 106 0 0
# scanned=409162
# found=3
# cleaned=0
# scan_time=12273
H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 Java/Exploit.CVE-2012-0507.CM trojan (unable to clean) 00000000000000000000000000000000 I
H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167282.ini Win32/Sirefef.EZ trojan (unable to clean) 00000000000000000000000000000000 I
H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167293.dll a variant of Win32/Medfos.AM trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=86e63b1d358d574baec76fdcf7d5b0f7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-11 08:06:30
# local_time=2012-07-11 10:06:30 (+0100, Westeuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 48470780 48470780 0 0
# compatibility_mode=8192 67108863 100 0 516337 516337 0 0
# scanned=406357
# found=1
# cleaned=1
# scan_time=12492
H:\_OTM\MovedFiles\07062012_060729\H_Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 Java/Exploit.CVE-2012-0507.CM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


What worries me is that it located neither of the files that are quarantined in Avast. Should I delete them from Avast's quarantine, or will we clean them another way?
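ESET's log.txt is appended to on every run, which is why the file above holds two scans back to back: a read-only run from the 5th (remove_checked=false, found=3, cleaned=0) and the cleaning run from the 11th (found=1, cleaned=1). The example below is added here and is not part of the thread or of ESET; it is a Python script that splits such a file on the header line, parses the `# key=value` fields and the detection lines, and sorts each hit by where it sits: inside a System Volume Information restore point, inside the _OTM\MovedFiles folder that OTM quarantines files into, or in a live location. The sample is abridged from the posted log (header fields not used by the check are dropped), and the location category names are my own.

```python
import re
from typing import Dict, List

# Constructed test input: the two concatenated ESET Online Scanner logs from
# the post, abridged to the header fields used below plus the detection lines.
ESET_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# utc_time=2012-07-05 08:38:58
# osver=5.1.2600 NT Service Pack 3
# scanned=409162
# found=3
# cleaned=0
H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 Java/Exploit.CVE-2012-0507.CM trojan (unable to clean) 00000000000000000000000000000000 I
H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167282.ini Win32/Sirefef.EZ trojan (unable to clean) 00000000000000000000000000000000 I
H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167293.dll a variant of Win32/Medfos.AM trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# utc_time=2012-07-11 08:06:30
# osver=5.1.2600 NT Service Pack 3
# scanned=406357
# found=1
# cleaned=1
H:\_OTM\MovedFiles\07062012_060729\H_Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 Java/Exploit.CVE-2012-0507.CM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER = "ESETSmartInstaller@High as downloader log:"

# "# key=value" header fields.
_META = re.compile(r"^# (?P<key>[A-Za-z_.]+)=(?P<value>.*)$")

# Detection line: <path> <threat name> (<action>) <32 hex> <status letter>.
# Windows paths never contain "/", while ESET family names always do
# (Win32/..., Java/...), which is what separates the path from the threat.
_DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^/]+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?\S*/\S*(?: \w+)?)\s+"
    r"\((?P<action>[^)]+)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>[A-Z])\s*$"
)


def classify_path(path: str) -> str:
    """Where a hit sits: a restore point, OTM's quarantine folder, or a live path."""
    low = path.lower()
    if "\\system volume information\\" in low:
        return "restore_point"
    if "\\_otm\\movedfiles\\" in low:
        return "tool_quarantine"
    return "live"


def parse_eset_log(text: str) -> List[Dict]:
    """Split an appended log.txt into individual scans and parse each one."""
    scans = []
    for chunk in text.split(HEADER):
        if not chunk.strip():
            continue
        meta, detections = {}, []
        for raw in chunk.splitlines():
            line = raw.strip()
            m = _META.match(line)
            if m:
                meta[m.group("key")] = m.group("value")
                continue
            m = _DETECTION.match(line)
            if m:
                d = m.groupdict()
                d["location"] = classify_path(d["path"])
                detections.append(d)
        scans.append({"meta": meta, "detections": detections})
    return scans


def outstanding(scans: List[Dict]) -> List[Dict]:
    """Hits from the most recent scan that ESET did not mark as cleaned ('C')."""
    latest = max(scans, key=lambda s: s["meta"].get("utc_time", ""))
    return [d for d in latest["detections"] if d["flag"] != "C"]


if __name__ == "__main__":
    for s in parse_eset_log(ESET_LOG):
        m = s["meta"]
        print(m["utc_time"], "remove_checked =", m["remove_checked"],
              "found/cleaned =", m["found"], "/", m["cleaned"])
        for d in s["detections"]:
            print("   ", d["location"], d["threat"], "->", d["action"])
    print("outstanding after latest run:", outstanding(parse_eset_log(ESET_LOG)))
```

Read this way, the latest run left nothing outstanding: its only hit was the Java cache file that OTM had already moved out of the profile, and the two restore-point entries from the first run are exactly what the System Restore cleanup later in this thread removes.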
 
Ah, I see, there are two logs in this one. The first part is from my first scan on the 5th, where I didn't allow the program to clean infected files. So I guess you should refer to the second part. The two System Volume files from the first part are currently quarantined in Avast; the Java installer file from the second part is quarantined in ESET.

I haven't deleted any of them, if it's okay to do so, I will.
 
They should be deleted. Avast software automatically guards the quarantine with self-protection, so the files in it usually won't be detected.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
No issues so far. The computer is running smoothly as far as I can tell. Concerning svchost, though, there are about... five entries of svchost running in my task manager; is that normal?

No system crashes or any sorts of blue screens, either.

I haven't gotten any anti virus alerts, neither real nor fake. So everything seems to be fine, by now.

So I guess, unless you have any further worries, we can clean it up and wrap this case?
 
Yes, it is normal for svchost.exe to appear multiple times.

If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
Will take a bit, to run all these steps. Going to post the logs and updates on this tomorrow at around the same time! Thank you for your help so far, and have a good day!
 