Google search results are getting redirected

Ronian30

Last week I got infected with some type of virus that was changing my wallpaper to a blue screen with a link saying something along the lines of "your computer is infected with spyware", and I was also receiving false virus warnings and Task Manager wouldn't open. From reading posts I downloaded and ran ComboFix, and that seemed to fix all the problems I was having with that. The blue wallpaper and false warnings went away and I was able to access Task Manager again. The only thing I see wrong with my PC now is that whenever I go to a search site like Google my result links keep getting redirected. If you look under the back arrow on the IE toolbar you can even see the words "redirect" and "jump". I ran Windows Defender and it found a couple of spyware files, which it deleted. But I just searched Google again and got redirected. Just wondering if you had any ideas on how to clean this spyware, or whatever it is, out of my PC.
 
I have to break it into 2 parts... Part 1


ComboFix 08-04-13.1 - Owner 2008-04-13 15:30:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.135 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Common Files\ssembl~1
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\conf.inf
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\ky.sxc
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mscon.sio
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\awtsTNEv.dll
C:\WINDOWS\system32\efcBussq.dll
C:\WINDOWS\system32\enkubncr.dll
C:\WINDOWS\system32\fhtbxrow.dll
C:\WINDOWS\system32\lxdatlwu.ini
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\uwltadxl.dll
C:\WINDOWS\system32\vENTstwa.ini
C:\WINDOWS\system32\vENTstwa.ini2
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-13 15:11 . 2008-04-13 15:21 101,136 --a------ C:\WINDOWS\BM935feef2.xml
2008-04-13 15:11 . 2008-04-13 15:11 3,648 --a------ C:\WINDOWS\system32\jboarmsi.dll
2008-04-13 03:05 . 2008-04-13 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-13 03:04 . 2008-04-13 03:04 196,096 --a------ C:\WINDOWS\yvqjqrqd.dll
2008-04-13 03:04 . 2008-04-13 03:04 70,144 --a------ C:\WINDOWS\tqdavkpk.dll
2008-04-13 03:04 . 2008-04-13 03:04 70,144 --a------ C:\Documents and Settings\All Users\Application Data\notcrcfm.dll
2008-03-17 18:58 . 2008-03-17 18:58 2,359,350 --a------ C:\WINDOWS\Manny2.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 19:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-25 01:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2008-03-18 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-03-18 20:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\1ClickDVDCopy
2008-03-17 19:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-03-12 20:21 --------- d-----w C:\Program Files\Java
2008-03-10 20:51 18,816 ----a-w C:\WINDOWS\system32\drivers\dvd43llh.sys
2008-03-10 20:51 --------- d-----w C:\Program Files\dvd43
2008-02-25 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2008-02-19 20:25 --------- d-----w C:\Program Files\Apple Software Update
2007-03-13 21:38 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-03-13 21:38 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2003-04-10 10:51 32 --sha-w C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2003-11-06 21:43 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2003-04-10 10:51 32 --sha-w C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
.
 
Part 2


Reg Loading Points
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db41de82-1dd1-11b2-b7fd-fbaf280c36b9}]
2008-04-13 03:04 70144 --a------ C:\WINDOWS\tqdavkpk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 19:44 831557 C:\WINDOWS\system32\nview.dll]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-10-12 18:13 7086080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 19:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 19:44 323584 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"Lwinst Run Profiler"=".\Lwtest.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44 65536]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-25 17:54 100056]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-03-01 15:49 826880]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZyYWSYBlxC"= C:\Documents and Settings\All Users\Application Data\mxsfglgt\alktynyd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irfk]
C:\WINDOWS\NITEAIM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\notcrcfm]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\notcrcfm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 22:28 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-05-13 17:07 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-05-22 01:20 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Manager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvpbhzdu]
C:\WINDOWS\system32\ypwxipit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24374:TCP"= 24374:TCP:BitComet 24374 TCP
"24374:UDP"= 24374:UDP:BitComet 24374 UDP

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 MSSysInterv1;MSSysInterv;C:\WINDOWS\winself.exe service []
S3 BUSlink;BUSlink MP3 USB Drive;C:\WINDOWS\system32\Drivers\BUSlink.sys [2002-11-01 22:52]
S3 xlink;XLink Driver (xlink.sys);C:\WINDOWS\system32\Drivers\xlink.sys [2001-01-02 18:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 19:46:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-13 16:57:55 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
.

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 15:46:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
DLLs Loaded Under Running Processes
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Other Running Processes .
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-13 15:55:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 19:54:42
Pre-Run: 70,238,896,128 bytes free
Post-Run: 72,035,069,952 bytes free
 
In future, post the logs as attachments. I can't really check over it now as I'm in work, but I will look later.
 
COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\BM935feef2.xml
    C:\WINDOWS\system32\jboarmsi.dll
    C:\WINDOWS\yvqjqrqd.dll
    C:\WINDOWS\tqdavkpk.dll
    C:\Documents and Settings\All Users\Application Data\notcrcfm.dll
    C:\WINDOWS\mrofinu72.exe
    
    Folder::
    C:\Program Files\Bat
    C:\Documents and Settings\All Users\Application Data\mxsfglgt
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db41de82-1dd1-11b2-b7fd-fbaf280c36b9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "ZyYWSYBlxC"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\notcrcfm]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvpbhzdu]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScript.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

P2P Warning!

  • IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    Frostwire, BitTorrent

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    I would recommend that you uninstall Frostwire and BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete attach the log into your reply.
Do not attempt to fix any item yet.
Do not add anything to the ignore list.
Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
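As an added example (not code from the thread, from the helper, or from ComboFix itself), here is a small Python triage script for the "Reg Loading Points" section of a ComboFix log. It flags the same kinds of entries the helper pulled into the CFScript above: autostarts launched from Temp or Application Data, the Explorer policy Run key, a BHO line without ComboFix's date/size stamp, Security Center notifications switched off, and a disabled firewall. The embedded log text is a constructed subset of this thread's own log, and the rules are heuristics for review, not proof of infection.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not code from ComboFix or from the helper.
It parses the REGEDIT4-style listing and flags the kinds of entries the
helper pulled into the CFScript: autostarts launched from Temp or
Application Data, the Explorer policy Run key (rarely used by legitimate
software), a BHO whose DLL ComboFix could not stamp with date/size (HJT
later reports it as 'file missing'), Security Center notifications that
have been switched off, and a disabled Windows Firewall.
"""
import re

# Constructed sample: a subset of the thread's log, kept in ComboFix's layout.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZyYWSYBlxC"= C:\Documents and Settings\All Users\Application Data\mxsfglgt\alktynyd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Directories a legitimate autostart rarely points at (heuristic, not proof).
RISKY_DIR = re.compile(r"\\Temp\\|\\LOCALS~1\\|\\Application Data\\", re.IGNORECASE)
# "*DisableNotify" / "DisableMonitoring" = dword:00000001 under Security Center.
DWORD_ONE = re.compile(r'^"(\w+)"=dword:00000001$')
# In this thread's log ComboFix prefixes files it could stat with "date time size".
STAT_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ ")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def parse_sections(text):
    """Map each [key] header to the list of value lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (key, line, [reasons]) for every value line that trips a rule."""
    findings = []
    for key, lines in parse_sections(text).items():
        lkey = key.lower()
        for line in lines:
            reasons = []
            if "security center" in lkey:
                m = DWORD_ONE.match(line)
                if m:
                    reasons.append(f"{m.group(1)}=1: Security Center alerting suppressed")
            if "firewallpolicy" in lkey and FIREWALL_OFF.match(line):
                reasons.append("Windows Firewall disabled for the standard profile")
            if "browser helper objects" in lkey and not STAT_PREFIX.match(line):
                reasons.append("BHO DLL without date/size stamp (file not found when logged)")
            if lkey.endswith(r"\policies\explorer\run"):
                reasons.append("policies\\Explorer\\Run autostart, rarely used by legitimate software")
            if RISKY_DIR.search(line):
                reasons.append("executable launched from Temp or Application Data")
            if reasons:
                findings.append((key, line, reasons))
    return findings


def main():
    for key, line, reasons in triage(SAMPLE_LOG):
        print(f"[{key}]\n  {line}")
        for reason in reasons:
            print(f"    -> {reason}")


if __name__ == "__main__":
    main()
```

Entries that merely carry a random-looking name but a stamped, existing file (such as the tqdavkpk.dll BHO in the real log) are not caught by these rules; they still need the human judgement the helper applied.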
 
Have you decided to keep the p2p software?

This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer:

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'

Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended" tab.
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder


Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
    C:\Documents and Settings\All Users\Application Data\notcrcfm.dll
    C:\WINDOWS\mrofinu72.exe
    C:\WINDOWS\system32\ypwxipit.exe
    C:\WINDOWS\winself.exe 
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\notcrcfm]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvpbhzdu]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScript.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
 
Here is the latest ComboFix log... and yeah, I'm going to keep the P2P programs for the time being... I don't use them that much, but I sometimes do...
 
COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Folder::
    C:\Documents and Settings\All Users\Application Data\Viewpoint
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScript.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky; click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Kas-SaveReport-1.gif

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    Kas-Savetxt.gif

  • Include the report in your next post.
 
Here are the 2 logs you needed. Hey, after the last ComboFix run, when the log popped up and I closed the log, the PC kinda froze. The log closed but my desktop icons and taskbar didn't come back; I could move the mouse but couldn't do anything. So I just Ctrl-Alt-Deleted and restarted, and everything came back. Was that OK? Everything seems to be working fine... just wondering because it had not done that in the last 2 or 3 scans...
 

Attachments

  • KasperLog.txt (27.1 KB)
C:\Program Files\Norton AntiVirus\Quarantine\<=====Delete the contents of this folder but not the folder itself
C:\QooBox\Quarantine\<=====Delete the contents of this folder but not the folder itself

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    [kill explorer]
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\MySearch
    C:\Setup Files\AGSetup0609.exe
    C:\Setup Files\bittorrent-3.4.1.exe
    C:\Setup Files\mirc61.exe
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Sorry it took so long to get back to ya, hadn't been home for a couple of days... here are the results below...

Explorer killed successfully
C:\Program Files\mIRC\mirc.exe moved successfully.
C:\Program Files\MySearch\bar\History moved successfully.
C:\Program Files\MySearch\bar\Cache moved successfully.
C:\Program Files\MySearch\bar\1.bin moved successfully.
C:\Program Files\MySearch\bar moved successfully.
C:\Program Files\MySearch moved successfully.
C:\Setup Files\AGSetup0609.exe moved successfully.
C:\Setup Files\bittorrent-3.4.1.exe moved successfully.
C:\Setup Files\mirc61.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_215531
 