Welcome to MalwareRemoval.com,
help can't remove malware

Re: help can't remove malware

Post by jemma_79 » November 15th, 2007, 5:19 pm

ComboFix 07-11-08.1 - user 2007-11-15 21:08:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.347 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\WINDOWS\bonrep.dll
C:\WINDOWS\ipwypktx.dll
C:\WINDOWS\kbdctrl.dll
C:\WINDOWS\neobus.dll
C:\WINDOWS\qdertu.exe
C:\WINDOWS\system32\ahroxun-edat.exe
C:\WINDOWS\system32\udsacoot.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Desktop\Error Cleaner.url
C:\Documents and Settings\user\Desktop\Favorites\Error Cleaner.url
C:\Documents and Settings\user\Desktop\Favorites\Privacy Protector.url
C:\Documents and Settings\user\Desktop\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\user\Desktop\Privacy Protector.url
C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url
C:\WINDOWS\bonrep.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\ipwypktx.dll
C:\WINDOWS\kbdctrl.dll
C:\WINDOWS\neobus.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\qdertu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\ahroxun-edat.exe . . . . failed to delete
C:\WINDOWS\system32\udsacoot.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 00:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 23:08 <DIR> d-------- C:\Deckard
2007-11-11 20:38 3,702 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 20:23 <DIR> d-------- C:\WINDOWS\system\SmitfraudFix
2007-11-11 20:22 1,043,074 --a------ C:\WINDOWS\system\SmitfraudFix.exe
2007-11-11 20:10 <DIR> d-------- C:\Program Files\SmitfraudFix
2007-11-11 19:37 <DIR> d-------- C:\SmitfraudFix
2007-11-08 02:36 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-08 02:36 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-11-08 02:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-08 02:36 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-07 22:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-11-07 22:37 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-11-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-07 20:48 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 21:15 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac.exe
2007-11-15 14:51 --------- d-----w C:\Documents and Settings\user\Application Data\PlayFirst
2007-11-09 13:46 401,720 ----a-w C:\Program Files\hijack.exe
2007-11-08 02:36 --------- d-----w C:\Program Files\SilverCreekCommonFiles
2007-11-08 02:36 --------- d-----w C:\Program Files\Google
2007-11-08 02:36 --------- d-----w C:\Documents and Settings\user\Application Data\AOL
2007-11-08 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-11-08 02:35 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-07 23:13 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:55 67,777 ----a-w C:\Program Files\log malware.txt
2007-11-07 16:23 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2007-10-29 13:30 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(251).exe
2007-10-29 12:35 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(252).exe
2007-10-29 10:53 --------- d-----w C:\Program Files\Windows Live
2007-10-29 10:49 --------- d-----w C:\Program Files\Hardwood Spades
2007-10-29 10:26 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(253).exe
2007-10-29 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-28 22:08 --------- d-----w C:\Program Files\Common Files\Real
2007-10-23 21:19 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(245).exe
2007-10-23 15:36 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(246).exe
2007-10-23 15:06 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(247).exe
2007-10-23 14:45 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(248).exe
2007-10-23 14:32 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(249).exe
2007-10-22 21:05 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(250).exe
2007-09-28 08:42 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-28 08:42 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-28 08:42 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-28 08:42 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-28 08:42 138,512 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-28 08:42 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 18:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 18:52 --------- d-----w C:\Program Files\Trymedia
2007-09-18 18:52 --------- d-----w C:\Program Files\Silver Creek Installer
2007-09-18 18:52 --------- d-----w C:\Program Files\Hardwood Backgammon
2007-09-18 18:52 --------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-09-18 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 18:51 --------- d-----w C:\Program Files\namtai_eyetoy_drivers
2007-09-18 18:48 --------- d-----w C:\Program Files\KYE
2007-09-18 18:48 --------- d-----w C:\Program Files\Common Files\snpstd
2007-09-18 15:43 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(136).exe
2007-09-18 14:52 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(137).exe
2007-09-18 13:05 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(138).exe
2007-09-18 12:00 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(139).exe
2007-09-18 08:31 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(140).exe
2007-09-17 20:37 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(141).exe
2007-09-17 08:06 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(142).exe
2007-09-17 07:47 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(143).exe
2007-09-16 20:09 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(144).exe
2007-09-16 16:57 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(145).exe
2007-09-16 13:25 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(146).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(244).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(243).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(242).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(241).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(240).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(239).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(238).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(237).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(236).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(235).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(234).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(233).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(232).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(231).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(230).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(229).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(228).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(227).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(226).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(225).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(224).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(223).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(222).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(221).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(220).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(219).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(218).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(217).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(216).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(215).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(214).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(213).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(212).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(211).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(210).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(209).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(208).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(207).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(206).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(205).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(204).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(203).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(202).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(201).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(200).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(199).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(198).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(197).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(196).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(195).exe
2007-05-28 20:41:22 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052120070528\index.dat
2007-05-28 20:41:22 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052820070529\index.dat
2007-05-29 20:49:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052920070530\index.dat
2007-05-30 19:12:14 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat
2007-05-31 19:38:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007053120070601\index.dat
2007-06-02 18:05:32 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007060220070603\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

- Not a PE file.

---- Directory of C:\WINDOWS\system32\runtime ----



((((((((((((((((((((((((((((( snapshot@2007-11-15_ 2.35.38.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-15 02:34:11 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-15 21:15:10 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-15 02:34:11 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-15 21:15:10 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-15 02:34:11 819,200 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-15 21:15:10 819,200 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-15 02:34:12 24,064 ----a-w C:\WINDOWS\Temp\ouxtikeah.dll
+ 2007-11-15 21:15:10 24,064 ----a-w C:\WINDOWS\Temp\ouxtikeah.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 08:48 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 05:19]
"nwiz"="nwiz.exe" [2006-07-12 05:19 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-12 05:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"TI WLAN"="C:\Program Files\Wireless LAN Utility\TIWLANCu.exe" [2007-03-22 17:54]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 08:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"EPSON Stylus Photo R240 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.exe" [2005-04-25 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2006-09-07 08:21]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-09-07 08:17]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 12:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-28 22:08]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-28 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-08-16 15:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
C:\WINDOWS\system32\atpakib-deas.dll 2006-02-28 12:00 5120 C:\WINDOWS\system32\atpakib-deas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\system32\ahroxun-edat.exe

S3 Intels51;Intel(R) 536EP V.92 Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}]
C:\WINDOWS\system32\udsacoot.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 20:47:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 21:15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 21:17:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 02:36
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:43, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ekvakuh-easac.exe
C:\WINDOWS\system32\ekvakuh-easac.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-GB ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-a8637465bb4ac20b.spaces.live ... nPUpld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://fortunelounge.microgaming.com/g ... lashAX.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://smiley.oberon-media.com/online/o ... der_v6.cab
O20 - Winlogon Notify: {BC84DF00-BC38-9902-8082-6FCBF2D87A0B} - C:\WINDOWS\system32\atpakib-deas.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9640 bytes
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by random/random » November 15th, 2007, 7:07 pm

Do you know what these files are for?

2007-10-23 21:19 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(245).exe
2007-10-23 15:36 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(246).exe
2007-10-23 15:06 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(247).exe
2007-10-23 14:45 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(248).exe
2007-10-23 14:32 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(249).exe
2007-10-22 21:05 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(250).exe
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by jemma_79 » November 15th, 2007, 8:49 pm

No, I haven't a clue.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by jemma_79 » November 16th, 2007, 4:47 am

What are they?
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by random/random » November 16th, 2007, 1:19 pm

What are they?


I don't know; that's why I asked you.

Let's try to find out what they are:

Then please upload this file:

C:\WINDOWS\system32\ekvakuh-easac(245).exe

to either Jotti or VirusTotal, and copy and paste the results as a reply to this topic.
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by jemma_79 » November 17th, 2007, 5:43 pm

File ekvakuh-easac_245_.exe received on 11.17.2007 22:30:02 (CET)
Result: 27/32 (84.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 Win-Trojan/Agent.30489
AntiVir 7.6.0.34 2007.11.16 TR/Drop.Age.apd.1.E
Authentium 4.93.8 2007.11.17 W32/Dropper.gen6
Avast 4.7.1074.0 2007.11.17 Win32:Trojan-gen {UPX}
AVG 7.5.0.503 2007.11.17 Downloader.Agent.ICS
BitDefender 7.2 2007.11.17 Trojan.Downloader.Agent.APD
CAT-QuickHeal 9.00 2007.11.17 TrojanDownloader.Agent.apd
ClamAV 0.91.2 2007.11.17 Trojan.Downloader-2870
DrWeb 4.44.0.09170 2007.11.17 Trojan.DownLoader.20145
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5304 2007.11.17 Win32/VMalum.ZZM
Ewido 4.0 2007.11.17 Downloader.Agent.apd
FileAdvisor 1 2007.11.17 -
Fortinet 3.11.0.0 2007.10.19 W32/Agent.APD!tr.dldr
F-Prot 4.4.2.54 2007.11.16 W32/Dropper.gen6
F-Secure 6.70.13030.0 2007.11.17 Trojan-Downloader.Win32.Agent.apd
Ikarus T3.1.1.12 2007.11.17 Trojan-Downloader.Win32.Agent.apd
Kaspersky 7.0.0.125 2007.11.17 Trojan-Downloader.Win32.Agent.apd
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.17 TrojanDownloader:Win32/Agent
NOD32v2 2665 2007.11.17 Win32/TrojanDownloader.Agent.NIV
Norman 5.80.02 2007.11.16 W32/Agent.BCZB
Panda 9.0.0.4 2007.11.17 Trj/Agent.DYN
Prevx1 V2 2007.11.17 W32.Malware.gen
Rising 20.18.51.00 2007.11.17 Trojan.DL.Agent.gdw
Sophos 4.23.0 2007.11.17 Troj/Agent-FBW
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.17 Trojan Horse
TheHacker 6.2.9.133 2007.11.17 Trojan/Downloader.Agent.apd
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Trojan.Drop.Age.apd.1.E
Additional information
File size: 30489 bytes
MD5: 440315fdc9bb825b69b03f81dd5ba281
SHA1: bca94af95f81be5ea475e99d62a0c890ce787e73
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00CD3F728F


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: ekvakuh-easac(245).exe
Status: INFECTED/MALWARE
MD5: 440315fdc9bb825b69b03f81dd5ba281
Packers detected: Analyzing...
Bit9 reports: File not found

Scanner results
Scan taken on 17 Nov 2007 21:38:36 (GMT)
A-Squared Found Trojan-Downloader.Win32.Agent.apd
AntiVir Found TR/Drop.Age.apd.1.E
ArcaVir Found Trojan.Downloader.Agent.Apd
Avast Found Win32:Trojan-gen {UPX}
AVG Antivirus Found Downloader.Agent.ICS
BitDefender Found Trojan.Downloader.Agent.APD
ClamAV Found Trojan.Downloader-2870
CPsecure Found Troj.Downloader.W32.Agent.apd
Dr.Web Found Trojan.DownLoader.20145
F-Prot Antivirus Found W32/Dropper.gen6
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.apd
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.apd
NOD32 Found Win32/TrojanDownloader.Agent.NIV
Norman Virus Control Found W32/Agent.BCZB
Panda Antivirus Found Trj/Agent.DYN
Rising Antivirus Found Trojan.DL.Agent.gdw
Sophos Antivirus Found Troj/Agent-FBW, Troj/Agent-FFN, Mal/Generic-A, Mal/Behav-009
VirusBuster Found nothing
VBA32 Found nothing

jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm
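The two result tables in the post above come from different services, and each vendor names the same sample differently. The following is an added example, not code from this thread, from VirusTotal or from Jotti, that parses both text-dump formats, computes the detection ratio, and tallies the non-generic name tokens once per scanner so the dominant family label stands out. The sample text is copied from the tables above; the regular expressions, the GENERIC stoplist and the consensus heuristic are this example's own assumptions.

```python
"""Normalise multi-engine scan results pasted as text (VirusTotal / Jotti).

Added example; not part of the thread and not either service's software.
The samples are copied from the tables posted in the thread; the stoplist
and the consensus heuristic are this example's own choices.
"""
import re
from collections import Counter

# Constructed sample: the Jotti 'Scanner results' table from the post above.
JOTTI_SAMPLE = """\
A-Squared Found Trojan-Downloader.Win32.Agent.apd
AntiVir Found TR/Drop.Age.apd.1.E
ArcaVir Found Trojan.Downloader.Agent.Apd
Avast Found Win32:Trojan-gen {UPX}
AVG Antivirus Found Downloader.Agent.ICS
BitDefender Found Trojan.Downloader.Agent.APD
ClamAV Found Trojan.Downloader-2870
CPsecure Found Troj.Downloader.W32.Agent.apd
Dr.Web Found Trojan.DownLoader.20145
F-Prot Antivirus Found W32/Dropper.gen6
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.apd
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.apd
NOD32 Found Win32/TrojanDownloader.Agent.NIV
Norman Virus Control Found W32/Agent.BCZB
Panda Antivirus Found Trj/Agent.DYN
Rising Antivirus Found Trojan.DL.Agent.gdw
Sophos Antivirus Found Troj/Agent-FBW, Troj/Agent-FFN, Mal/Generic-A, Mal/Behav-009
VirusBuster Found nothing
VBA32 Found nothing
"""

# Constructed sample: five rows of the VirusTotal table from the post above.
VT_SAMPLE = """\
Kaspersky 7.0.0.125 2007.11.17 Trojan-Downloader.Win32.Agent.apd
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.17 TrojanDownloader:Win32/Agent
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.17 Trojan Horse
"""

# "<scanner> Found <name>[, <name>...]" ; scanner names may contain spaces.
JOTTI_RE = re.compile(r"^(?P<scanner>.+?)\s+Found\s+(?P<result>.+)$")
# "<vendor> <version> <yyyy.mm.dd> <result>" ; result may contain spaces.
VT_RE = re.compile(r"^(?P<scanner>\S+)\s+\S+\s+\d{4}\.\d{2}\.\d{2}\s+(?P<result>.+)$")


def parse_jotti(text):
    """Map scanner -> list of detection names ([] for 'Found nothing')."""
    out = {}
    for line in text.splitlines():
        m = JOTTI_RE.match(line.strip())
        if not m:
            continue
        result = m.group("result").strip()
        out[m.group("scanner")] = [] if result.lower() == "nothing" else [r.strip() for r in result.split(",")]
    return out


def parse_virustotal(text):
    """Map scanner -> list of detection names ([] when the result column is '-')."""
    out = {}
    for line in text.splitlines():
        m = VT_RE.match(line.strip())
        if not m:
            continue
        result = m.group("result").strip()
        out[m.group("scanner")] = [] if result == "-" else [result]
    return out


def detection_ratio(results):
    """(scanners that flagged the file, scanners that ran)."""
    return sum(1 for names in results.values() if names), len(results)


# Tokens that name a class, a packer or a heuristic rather than a family (assumed list).
GENERIC = {"trojan", "troj", "trj", "tr", "downloader", "trojandownloader", "dl",
           "drop", "dropper", "win32", "w32", "gen", "generic", "mal", "malware",
           "heur", "behav", "upx", "horse"}


def family_consensus(results):
    """Count non-generic name tokens once per scanner; most common first."""
    counter = Counter()
    for names in results.values():
        tokens = set()
        for name in names:
            for tok in re.split(r"[^a-z0-9]+", name.lower()):
                if len(tok) > 2 and tok not in GENERIC and not tok.isdigit():
                    tokens.add(tok)
        counter.update(tokens)
    return counter.most_common()


if __name__ == "__main__":
    jotti = parse_jotti(JOTTI_SAMPLE)
    print("Jotti detection ratio:", detection_ratio(jotti))
    print("Family tokens:", family_consensus(jotti)[:3])
    print("VirusTotal detection ratio:", detection_ratio(parse_virustotal(VT_SAMPLE)))
```

On the Jotti table above this reports 17 of 20 engines detecting the file and "agent" as the token shared by the most vendors, which is the practical reading of such a table: the vendor-specific suffixes (apd, NIV, BCZB, DYN) disagree, the family does not.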

Re: help can't remove malware

Unread postby random/random » November 17th, 2007, 6:44 pm

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

del /a /f /q "C:\WINDOWS\system32\ekvakuh-easac*.exe" > delreport.txt
notepad delreport.txt


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanup.bat

Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.
Once it has finished, a notepad window will open. Copy and paste the contents of that notepad window as a reply to this topic.
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Unread postby jemma_79 » November 17th, 2007, 8:07 pm

C:\WINDOWS\system32\ekvakuh-easac.exe
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Unread postby random/random » November 17th, 2007, 8:14 pm

Please run combofix.exe again and post the log it produces
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Unread postby jemma_79 » November 18th, 2007, 1:10 am

ComboFix 07-11-08.1 - user 2007-11-18 5:03:14.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.430 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-15 00:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 23:08 <DIR> d-------- C:\Deckard
2007-11-11 20:38 3,702 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 20:23 <DIR> d-------- C:\WINDOWS\system\SmitfraudFix
2007-11-11 20:22 1,043,074 --a------ C:\WINDOWS\system\SmitfraudFix.exe
2007-11-11 20:10 <DIR> d-------- C:\Program Files\SmitfraudFix
2007-11-11 19:37 <DIR> d-------- C:\SmitfraudFix
2007-11-08 02:36 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-08 02:36 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-11-08 02:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-08 02:36 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-07 22:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-11-07 22:37 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-11-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-07 20:48 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 04:38 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac.exe
2007-11-15 14:51 --------- d-----w C:\Documents and Settings\user\Application Data\PlayFirst
2007-11-09 13:46 401,720 ----a-w C:\Program Files\hijack.exe
2007-11-08 02:36 --------- d-----w C:\Program Files\SilverCreekCommonFiles
2007-11-08 02:36 --------- d-----w C:\Program Files\Google
2007-11-08 02:36 --------- d-----w C:\Documents and Settings\user\Application Data\AOL
2007-11-08 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-11-08 02:35 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-07 23:13 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:55 67,777 ----a-w C:\Program Files\log malware.txt
2007-11-07 16:23 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2007-10-29 10:53 --------- d-----w C:\Program Files\Windows Live
2007-10-29 10:49 --------- d-----w C:\Program Files\Hardwood Spades
2007-10-29 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-28 22:08 --------- d-----w C:\Program Files\Common Files\Real
2007-09-28 08:42 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-28 08:42 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-28 08:42 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-28 08:42 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-28 08:42 138,512 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-28 08:42 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 18:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 18:52 --------- d-----w C:\Program Files\Trymedia
2007-09-18 18:52 --------- d-----w C:\Program Files\Silver Creek Installer
2007-09-18 18:52 --------- d-----w C:\Program Files\Hardwood Backgammon
2007-09-18 18:52 --------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-09-18 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 18:51 --------- d-----w C:\Program Files\namtai_eyetoy_drivers
2007-09-18 18:48 --------- d-----w C:\Program Files\KYE
2007-09-18 18:48 --------- d-----w C:\Program Files\Common Files\snpstd
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-17 01:51 123,461 ----a-w C:\Program Files\Common Files\Hewlett-Packard.zip
2007-07-05 00:27 1,708,148 ----a-w C:\Documents and Settings\All Users\Documents.zip
2007-06-06 02:21 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-05-08 11:08 31,248 ----a-w C:\Program Files\tmpreflt.sys
2007-05-08 11:08 252,128 ----a-w C:\Program Files\Tmfilter.sys
2007-05-08 11:08 197,648 ----a-w C:\Program Files\tmxpflt.sys
2007-05-08 11:08 1,051,456 ----a-w C:\Program Files\VsapiNT.sys
2007-03-23 12:57 132 ----a-w C:\Documents and Settings\user\Application Data\wklnhst.dat
2004-06-22 08:04 94,438 ------w C:\Program Files\hposcu08.inf
2004-06-22 08:04 9,777 ------w C:\Program Files\hpzipr13.inf
2004-06-22 08:04 9,773 ------w C:\Program Files\hpousc08.inf
2004-06-22 08:04 70,656 ------w C:\Program Files\msvcirt.dll
2004-06-22 08:04 7,579 ------w C:\Program Files\hpound08.inf
2004-06-22 08:04 66,431 ------w C:\Program Files\hpoprl04.dat
2004-06-22 08:04 65,420 ------w C:\Program Files\hpoprl05.dat
2004-06-22 08:04 65 ------w C:\Program Files\dxprl.dat
2004-06-22 08:04 6,704 ------w C:\Program Files\hpounp08.inf
2004-06-22 08:04 53,670 ------w C:\Program Files\hposcu08.cat
2004-06-22 08:04 52,349 ------w C:\Program Files\hpzius13.cat
2004-06-22 08:04 52,349 ------w C:\Program Files\HPZius12.cat
2004-06-22 08:04 51,467 ------w C:\Program Files\hpzist13.cat
2004-06-22 08:04 51,467 ------w C:\Program Files\hpzist12.cat
2004-06-22 08:04 51,467 ------w C:\Program Files\hpzipr13.cat
2004-06-22 08:04 51,467 ------w C:\Program Files\HPZipr12.cat
2004-06-22 08:04 51,467 ------w C:\Program Files\hpzid413.cat
2004-06-22 08:04 51,467 ------w C:\Program Files\HPZid412.cat
2004-06-22 08:04 51,026 ------w C:\Program Files\HPOunp08.cat
2004-06-22 08:04 50,615 ------w C:\Program Files\hpzid412.inf
2004-06-22 08:04 5,538 ------w C:\Program Files\hpzist12.inf
2004-06-22 08:04 49,212 ------w C:\Program Files\hpzjvp01.dll
2004-06-22 08:04 458,752 ------w C:\Program Files\tls704d.dll
2004-06-22 08:04 447,400 ------w C:\Program Files\hpoprn08.cat
2004-06-22 08:04 442,425 ------w C:\Program Files\hpzjpp01.dll
2004-06-22 08:04 4,779 ------w C:\Program Files\hpoglu08.inf
2004-06-22 08:04 4,768 ------w C:\Program Files\hpoprl01.dat
2004-06-22 08:04 4,144 ------w C:\Program Files\hpousb08.inf
2004-06-22 08:04 4,132 ------w C:\Program Files\hpzist13.inf
2004-06-22 08:04 4,014 ------w C:\Program Files\hpoprl08.dat
2004-06-22 08:04 399 ------w C:\Program Files\hpzprl01.dat
2004-06-22 08:04 314 ------w C:\Program Files\hpqprl01.dat
2004-06-22 08:04 3,448 ------w C:\Program Files\hpohub08.inf
2004-06-22 08:04 297 ------w C:\Program Files\Readme.html
2004-06-22 08:04 290,873 ------w C:\Program Files\hpzjut01.dll
2004-06-22 08:04 28,722 ------w C:\Program Files\hpzjlog.dll
2004-06-22 08:04 270,336 ------w C:\Program Files\hpzglu10.exe
2004-06-22 08:04 270,336 ------w C:\Program Files\hpzc3212.dll
2004-06-22 08:04 26,768 ------w C:\Program Files\usbhub.sys
2004-06-22 08:04 254,005 ------w C:\Program Files\msvcrt.dll
2004-06-22 08:04 22,636 ------w C:\Program Files\hpzid413.inf
2004-06-22 08:04 22,608 ------w C:\Program Files\usbprint.sys
2004-06-22 08:04 205 ------w C:\Program Files\hpzprl02.dat
2004-06-22 08:04 200,704 ------w C:\Program Files\hpzpnp10.dll
2004-06-22 08:04 20,168 ------w C:\Program Files\hpzius12.inf
2004-06-22 08:04 2,542 ------w C:\Program Files\hpoprl02.dat
2004-06-22 08:04 19,578 ------w C:\Program Files\hpoprl03.dat
2004-06-22 08:04 176,128 ------w C:\Program Files\hpzscr10.dll
2004-06-22 08:04 17,176 ------w C:\Program Files\hpomdl04.dat
2004-06-22 08:04 16,416 ------w C:\Program Files\HPZUCI12.DLL
2004-06-22 08:04 14,845 ------w C:\Program Files\hpoapd01.dat
2004-06-22 08:04 14,815 ------w C:\Program Files\hpzius13.inf
2004-06-22 08:04 137,124 ------w C:\Program Files\hpoprn08.inf
2004-06-22 08:04 12,922 ------w C:\Program Files\hpzipr12.inf
2004-06-22 08:04 12,288 ------w C:\Program Files\usbmon.dll
2004-06-22 08:04 1,980 ------w C:\Program Files\hpoprl07.dat
2004-06-22 08:04 1,479 ------w C:\Program Files\license.txt
2004-06-22 08:04 1,391 ------w C:\Program Files\readme.txt
2004-06-22 08:04 1,073,152 ------w C:\Program Files\Setup.exe
2004-03-17 17:13 1,028,368 ----a-w C:\Program Files\vbrun60sp6.exe
2007-05-28 20:41:22 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052120070528\index.dat
2007-05-28 20:41:22 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052820070529\index.dat
2007-05-29 20:49:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052920070530\index.dat
2007-05-30 19:12:14 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat
2007-05-31 19:38:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007053120070601\index.dat
2007-06-02 18:05:32 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007060220070603\index.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-15_ 2.35.38.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-10 00:58:22 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-11-16 07:28:11 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-10-10 00:58:22 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-11-16 07:28:11 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-10-10 00:58:22 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-11-16 07:28:11 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-10-10 00:58:22 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-11-16 07:28:11 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-10-10 00:58:22 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-11-16 07:28:11 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-10-10 00:58:22 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-11-16 07:28:11 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-10-10 00:58:22 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-11-16 07:28:12 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-10-10 00:58:22 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-11-16 07:28:12 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-10-10 00:58:22 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-11-16 07:28:11 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-10-10 00:58:22 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-11-16 07:28:11 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-10-10 00:58:22 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-11-16 07:28:12 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-10-10 00:58:22 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-11-16 07:28:11 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-10-10 00:58:22 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-16 07:28:11 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-11-15 02:34:11 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-18 04:38:11 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-15 02:34:11 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-18 04:38:11 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-15 02:34:11 819,200 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-18 04:38:11 819,200 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
- 2007-11-15 02:34:12 24,064 ----a-w C:\WINDOWS\Temp\ouxtikeah.dll
+ 2007-11-18 04:38:11 24,064 ----a-w C:\WINDOWS\Temp\ouxtikeah.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 08:48 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 05:19]
"nwiz"="nwiz.exe" [2006-07-12 05:19 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-12 05:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"TI WLAN"="C:\Program Files\Wireless LAN Utility\TIWLANCu.exe" [2007-03-22 17:54]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 08:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"EPSON Stylus Photo R240 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.exe" [2005-04-25 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2006-09-07 08:21]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-09-07 08:17]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 12:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-28 22:08]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-28 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-08-16 15:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
C:\WINDOWS\system32\atpakib-deas.dll 2006-02-28 12:00 5120 C:\WINDOWS\system32\atpakib-deas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\system32\ahroxun-edat.exe

R3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys
S3 Intels51;Intel(R) 536EP V.92 Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}]
C:\WINDOWS\system32\udsacoot.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 04:47:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 05:06:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 5:07:37
C:\ComboFix2.txt ... 2007-11-15 21:17
C:\ComboFix3.txt ... 2007-11-15 02:36
.
--- E O F ---
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm
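The 'Reg Loading Points' section of the log above lists the entries that bring the infection back after a reboot: an Image File Execution Options Debugger value on explorer.exe (Windows starts the named file whenever explorer.exe is launched), a Winlogon Notify DLL loaded into winlogon.exe, an Active Setup installed component, and an Active Desktop component rendering a local HTML file from C:\WINDOWS\privacy_danger. The following is an added example, not part of the thread and not ComboFix's own code, that reads that section of a log and flags those four patterns; the trimmed sample log is constructed from the entries quoted above, and the rules are this example's own heuristics.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not ComboFix's own code and the rules
below are this example's heuristics, not ComboFix's.
"""
import re

# Constructed sample: a trimmed copy of the loading points quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
C:\WINDOWS\system32\atpakib-deas.dll 2006-02-28 12:00 5120 C:\WINDOWS\system32\atpakib-deas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\system32\ahroxun-edat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}]
C:\WINDOWS\system32\udsacoot.exe
"""


def parse_sections(text):
    """Split the log into (registry key, [value lines]) pairs."""
    sections, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, lines))
            key, lines = line[1:-1], []
        elif key is not None:
            lines.append(line)
    if key is not None:
        sections.append((key, lines))
    return sections


def triage(text):
    """Return (technique, registry key, payload) for each suspicious loading point."""
    findings = []
    for key, lines in parse_sections(text):
        k = key.lower()
        if "image file execution options" in k:
            # IFEO Debugger: Windows starts this file whenever the keyed
            # program (here explorer.exe) is launched.
            for line in lines:
                m = re.match(r"debugger\s*=\s*(.+)", line, re.I)
                if m:
                    findings.append(("IFEO Debugger hijack", key, m.group(1).strip()))
        elif "winlogon\\notify" in k:
            # Winlogon Notify packages are DLLs loaded into winlogon.exe at logon.
            for line in lines:
                m = re.match(r"(.+?\.dll)\b", line, re.I)
                if m:
                    findings.append(("Winlogon Notify DLL", key, m.group(1)))
        elif "active setup\\installed components" in k:
            # Active Setup runs the component's StubPath once per user profile at logon.
            for line in lines:
                findings.append(("Active Setup component", key, line))
        elif "desktop\\components" in k:
            # Active Desktop component whose Source is a local HTML file.
            for line in lines:
                m = re.match(r"source\s*=\s*(file:///.+)", line, re.I)
                if m:
                    findings.append(("Active Desktop local HTML", key, m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for technique, key, payload in triage(SAMPLE_LOG):
        print(f"{technique:28} {payload}\n    {key}")
```

Every file it flags on the sample is one of the five paths the thread's CFscript later removes; the ordinary Run entries in the sample produce no finding, which is the negative control a triage rule needs.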

Re: help can't remove malware

Unread postby jemma_79 » November 18th, 2007, 7:27 am

C:\Documents and Settings\user\Desktop>del /a /f /q "C:\WINDOWS\system32\ekvakuh
-easac*.exe" 1>delreport.txt
The process cannot access the file because it is being used by another process.

C:\Documents and Settings\user\Desktop>notepad delreport.txt
This is what's displayed when I run cleanup.bat.
Plus, in the notepad window, C:\WINDOWS\system32\ekvakuh-easac.exe is all that displays.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Unread postby random/random » November 18th, 2007, 9:27 am

cleanup.bat deleted the files it was meant to, so that's ok

Let's try to get rid of the remaining malware:

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Then close all windows except HijackThis and click Fix Checked

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code:
    File::
    C:\WINDOWS\Temp\ouxtikeah.dll
    C:\WINDOWS\system32\udsacoot.exe
    C:\WINDOWS\system32\ahroxun-edat.exe
    C:\WINDOWS\system32\atpakib-deas.dll
    C:\WINDOWS\system32\ekvakuh-easac.exe
    Folder::
    C:\WINDOWS\system32\runtime
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}]
    
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Unread postby jemma_79 » November 18th, 2007, 3:53 pm

Before the log was produced the PC restarted itself. It boots into the MS-DOS/Windows screen, which loads, but then there's a blue screen and nothing more opens.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Unread postby random/random » November 18th, 2007, 4:51 pm

Can you boot into safe mode?

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Please let me know if that is successful
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Unread postby jemma_79 » November 18th, 2007, 5:39 pm

Can't reboot into safe mode.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm