Ping.exe xp antivirus 2012 search redirects

By giantpanda · 14 replies
Dec 27, 2011
  1. I recently upgraded my motherboard and I guess while installing drivers I got something...

    In my Task Manager I keep seeing ping.exe and it takes up to 100% of my CPU.

    While searching on Google I keep getting redirected to random sites.

    I had a problem with XP Antivirus 2012 popping up whenever I opened anything, but I ran a scan with Spybot-SD and it appears to be gone.

    I have Windows XP if that helps at all.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Welcome to TechSpot, Giant Panda!

    Let's get some basics first, then we'll make sure all of the XP Antivirus 2012 is gone:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
  3. giantpanda

    giantpanda TS Rookie Topic Starter

    Malwarebytes' Anti-Malware

    Database version: 911122704

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    12/27/2011 3:56:38 PM
    mbam-log-2011-12-27 (15-56-38).txt

    Scan type: Quick scan
    Objects scanned: 205972
    Time elapsed: 15 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 5
    Registry Data Items Infected: 4
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RelevantKnowledge (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.Agent) -> Value: Policies -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU (Trojan.Agent) -> Value: HKCU -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.Agent) -> Value: Policies -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM (Trojan.Agent) -> Value: HKLM -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Application Data\xom.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\matthew.your-3dfb6ae27c.000\application data\antispywarebot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

    Files Infected:
    c:\windows\temp\oiu0.42202161191372256.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\windows\temp\oiu0.6951081937186443.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\matthew.your-3dfb6ae27c.001\local settings\application data\xom.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
  4. giantpanda

    giantpanda TS Rookie Topic Starter

    GMER -
    Rootkit quick scan 2011-12-27 16:11:08
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 Hitachi_HDP725016GLA380 rev.GMBOA52A
    Running: k1xejsy3.exe; Driver: C:\DOCUME~1\MATTHE~1.001\LOCALS~1\Temp\pxtdypow.sys

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA66A3BDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA66A3A45]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA66F87A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    That is what it showed up with when I opened it. I have another one that I got after I clicked on scan. The other one has like 5 times the max character limit though, but if you want that one I can post it.
  5. giantpanda

    giantpanda TS Rookie Topic Starter

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180
    Run by matthew at 19:54:31 on 2011-12-27
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3327.2279 [GMT -5:00]
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    d:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
    C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    D:\Program Files\Logitech Gaming Software\LCore.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    d:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    D:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\DNA\btdna.exe
    D:\Program Files\RocketDock\RocketDock.exe
    C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Apps\2.0\KWP0CTNH.WNN\26RCKYCD.MWD\curs..tion_eee711038731a406_0004.0000_2ad57791d5c42008\CurseClient.exe
    C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Documents and Settings\matthew.YOUR-3DFB6AE27C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    ============== Pseudo HJT Report ===============
    uSearch Bar = hxxp://
    uStart Page = hxxp://
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    uRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Google Update] "c:\documents and settings\matthew.your-3dfb6ae27c.001\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Steam] "d:\program files\steam\steam.exe" -silent
    uRun: [BitTorrent DNA] "d:\program files\dna\btdna.exe"
    uRun: [RocketDock] "d:\program files\rocketdock\RocketDock.exe"
    uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [DW6] "d:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
    mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
    mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] d:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Launch LCore] "d:\program files\logitech gaming software\LCore.exe" /minimized
    mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
    mRun: [HDAudDeck] d:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [avast] "d:\program files\avast software\avast\avastUI.exe" /nogui
    mRunOnce: [AvgUninstallURL] cmd.exe /c start"&"inst=NzctNDAyMDQ3MDU5LUJBKzEtS1YzKzctWEwrMS1UMS1VQ0FMTCsxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjhNKzEtRjhNOEErMy1GOE05QSszLUY4TTExQSsx
    StartupFolder: c:\documents and settings\matthew.your-3dfb6ae27c.001\start menu\programs\startup\CurseClientStartup.ccip
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
    TCP: DhcpNameServer =
    TCP: Interfaces\{19777B77-E75F-45CC-8ECF-99F919EDD53D} : DhcpNameServer =
    TCP: Interfaces\{72A9DE9F-B76E-4C66-BD70-9C83E326A336} : DhcpNameServer =
    TCP: Interfaces\{F45BDC1F-705A-4A2F-B644-A644A4F91A24} : DhcpNameServer =
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {L17VSL2L-WD2S-DW7D-3O30-B267UDHUP01J} - c:\windows\system32\install\Svchost.exe
    ============= SERVICES / DRIVERS ===============
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-27 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-27 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-27 20568]
    R2 avast! Antivirus;avast! Antivirus;d:\program files\avast software\avast\AvastSvc.exe [2011-12-27 44768]
    R2 KaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\KaraokeSer.exe [2011-12-26 88688]
    R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-4 24652]
    R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2011-12-27 62576]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2011-7-7 19720]
    R3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\drivers\LGSHidFilt.Sys [2011-7-7 41880]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2011-7-7 14856]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-12-26 2799728]
    R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
    R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2009-5-16 99248]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
    S3 ByakkoDriver;ByakkoDriver;\??\c:\docume~1\matthe~1.001\locals~1\temp\276293359.12-20-2009 --> c:\docume~1\matthe~1.001\locals~1\temp\276293359.12-20-2009 [?]
    S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-4-30 69692]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\matthe~1.001\locals~1\temp\upa178.tmp --> c:\docume~1\matthe~1.001\locals~1\temp\UPA178.tmp [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]
    S3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2011-6-3 11596]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    =============== Created Last 30 ================
    2011-12-27 20:39:35 -------- d-----w- c:\documents and settings\matthew.your-3dfb6ae27c.001\application data\Malwarebytes
    2011-12-27 20:39:15 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-12-27 20:39:05 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-27 20:39:01 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2011-12-27 20:26:20 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-27 20:25:51 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-27 20:25:34 -------- d-----w- d:\program files\AVAST Software
    2011-12-27 20:25:34 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2011-12-27 08:57:51 62576 ----a-r- c:\windows\system32\drivers\l1c51x86.sys
    2011-12-27 08:51:53 0 ----a-w- c:\windows\ativpsrm.bin
    2011-12-27 08:51:45 311296 ----a-r- c:\windows\system32\atiiiexx.dll
    2011-12-27 08:51:44 446464 ----a-r- c:\windows\system32\ATIDEMGX.dll
    2011-12-27 00:41:27 8704 ----a-r- c:\windows\system32\viahdcpl.cpl
    2011-12-27 00:41:12 88688 ----a-r- c:\windows\system32\KaraokeSer.exe
    2011-12-27 00:41:11 254000 ----a-r- c:\windows\system32\A3D.dll
    2011-12-27 00:41:10 254000 ----a-r- c:\windows\system32\Audio3D.dll
    2011-12-27 00:41:09 2799728 ----a-r- c:\windows\system32\drivers\viahduaa.sys
    2011-12-27 00:40:21 331184 ------w- c:\windows\system32\difxapi.dll
    2011-12-27 00:40:19 -------- d-----w- d:\program files\VIA
    2011-12-27 00:03:47 577536 ----a-w- c:\windows\soundman.exe
    2011-12-27 00:03:47 49152 ----a-w- c:\windows\system32\ChCfg.exe
    2011-12-27 00:03:47 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
    2011-12-27 00:03:47 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
    2011-12-27 00:03:46 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl
    2011-12-27 00:03:46 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
    2011-12-27 00:02:57 -------- d-----w- d:\program files\Realtek AC97
    2011-12-27 00:02:54 315392 ----a-w- c:\windows\alcupd.exe
    2011-12-27 00:02:54 217088 ----a-w- c:\windows\alcrmv.exe
    2011-12-26 23:06:37 -------- d-----w- c:\documents and settings\matthew.your-3dfb6ae27c.001\application data\AVG2012
    2011-12-26 23:04:30 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2011-12-26 22:58:05 -------- d-----w- d:\program files\Realtek
    2011-12-26 22:58:00 1698408 ----a-w- c:\windows\RtlExUpd.dll
    2011-12-26 22:57:58 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
    2011-12-26 22:57:58 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
    2011-12-26 22:57:58 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
    2011-12-26 22:57:58 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
    2011-12-26 22:57:58 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
    2011-12-26 22:57:58 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
    2011-12-26 22:57:57 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
    2011-12-26 22:57:57 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
    2011-12-26 22:52:38 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-12-26 22:52:07 -------- d-----w- d:\program files\AVG
    2011-12-26 22:44:59 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-12-26 21:36:54 -------- d-----w- c:\documents and settings\all users\application data\WeCareReminder
    ==================== Find3M ====================
    2011-12-27 09:17:11 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    ============= FINISH: 20:05:30.15 ===============
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please go ahead and run Combofix so we can get some of the bad entries out. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avast Free Version
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
  7. giantpanda

    giantpanda TS Rookie Topic Starter

    I'm running ComboFix now.

    On a side note, whenever I restart my system it stays on the loading screen for a very long time, probably like 5 mins or so. When it finishes and starts to open my programs it also takes a long time. I know we are not done with the cleaning process, just making a note of that.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, we'll take a look at the delay when finished.
  9. giantpanda

    giantpanda TS Rookie Topic Starter

    Sorry for taking so long. ComboFix has been running for like 3 and a half hours now, I don't know how long it is supposed to take. Will post as soon as it finishes.
  10. giantpanda

    giantpanda TS Rookie Topic Starter

    ComboFix is going on 6 hours now, is this normal? I know you get emails every time I reply, I just want to know if I'm doing this correctly.
  11. giantpanda

    giantpanda TS Rookie Topic Starter

    OK, I let ComboFix run all night and around 2am I got an error, which I probably should have written down to remember but I forgot, and then in the blue window it read "please wait", so I left it on all night. But when I woke up this morning it was still saying "please wait". Do you want me to exit out of ComboFix?
  12. giantpanda

    giantpanda TS Rookie Topic Starter

    So I rebooted my system and it is up now, but there is no log for ComboFix. What would you like me to do now?
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    No, you're not doing this correctly- I have 3 emails for these few sentences. To add to a post-anything except logs-click on the Edit button. That will open the post and you can add the sentence or question there.
    Since you're having a problem with Combofix, let's uninstall it for now:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Go through the following instead: Please run the scans in the order I have them listed:
    XP Antivirus 2012
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random consisting of three characters
    2. Clicking on any executable loads the malware
    3. Display fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder the drive letter associated with it. (Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    Do not reboot your computer after running RKill as the malware programs will start again.
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    If you have to reboot after TDSS, then boot back into Safe Mode again.
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    Please leave the logs in your next reply.
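
An added example (not part of the original post, and not code from any tool named in the thread): an offline check of a `.reg` export for the handler hijack described in item 5 above, which is also what the earlier Malwarebytes log reports as Hijack.ExeFile and Hijack.StartMenuInternet. The export text, the `abc.exe` path and the function names are constructed for illustration; the only value assumed from Windows itself is the stock `exefile` open command `"%1" %*`.

```python
import re

# Constructed sample export (not taken from the machine in this thread).
# It mirrors the two findings in the Malwarebytes log: a command placed under
# .exe, and a browser entry whose command starts a different program first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""
'''

EXEFILE_DEFAULT = '"%1" %*'  # stock Windows value: run the clicked file itself


def parse_default_values(reg_text):
    """Return {key_path: default_value} for every string default ('@') value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslash and quote with a leading backslash.
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values


def split_command(command):
    """Split a command line into (program, args).

    Heuristic: an unquoted program path containing spaces is joined up to the
    first token that ends in '.exe'.
    """
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command)]
    if not tokens:
        return "", []
    if command.lstrip().startswith('"'):
        return tokens[0], tokens[1:]
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), tokens[i + 1:]
    return tokens[0], tokens[1:]


def wrapped_target(command):
    """Return the real target if one .exe is started with '%1' or another
    .exe passed to it as an argument, else None."""
    program, args = split_command(command)
    if not program.lower().endswith(".exe"):
        return None
    for arg in args:
        if arg == "%1" or arg.lower().endswith(".exe"):
            return arg
    return None


def audit(values):
    """Return [(key, reason)] for open-command handlers that look hijacked."""
    findings = []
    for key, cmd in values.items():
        k = key.lower()
        if not k.endswith("\\shell\\open\\command"):
            continue
        if k.endswith("\\.exe\\shell\\open\\command"):
            # The Malwarebytes log deleted this value outright instead of
            # resetting it, so any command here is treated as a finding.
            findings.append((key, "command set directly under .exe"))
        elif k.endswith("\\exefile\\shell\\open\\command") and cmd != EXEFILE_DEFAULT:
            findings.append((key, "exefile handler is not the stock value"))
        elif wrapped_target(cmd):
            findings.append((key, "launcher wraps " + wrapped_target(cmd)))
    return findings


if __name__ == "__main__":
    for key, reason in audit(parse_default_values(SAMPLE_REG)):
        print(key, "->", reason)
```

The check looks at the shape of the command rather than its folder: a rule keyed on the profile path would also flag Chrome, which in the DDS log above legitimately runs from Local Settings\Application Data.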
  14. giantpanda

    giantpanda TS Rookie Topic Starter

    This is what I got from the ESET scan:

    D:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan

    Malwarebytes Anti-Malware

    Database version: v2011.12.29.04

    Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 6.0.2900.2180
    matthew :: MATT [administrator]

    12/29/2011 1:20:38 PM
    mbam-log-2011-12-29 (13-20-38).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 315220
    Time elapsed: 2 hour(s), 17 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    D:\Qoobox\Quarantine\d\Documents and Settings\matt\Local Settings\Temp\E_N4\HtmlView.fne.vir (Worm.AutoRun) -> Quarantined and deleted successfully.

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.

    I will review the logs on Monday
