Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Trojan malware removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: Trojan malware removal

Unread postby gringo_pr » April 27th, 2010, 11:22 pm

Hello

PC is working great.What can I do to avoid this type of infection? - I will give some suggestions when we are done.

I would like an online scan to make sure there is no left overs, I found out kaspersky is not running right now so do this one instead.

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


let me have this report and lets see if we can get this one done.

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
Top
Advertisement
Register to Remove

Re: Trojan malware removal

Unread postby BoricuaWarrior » April 29th, 2010, 7:32 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a7aa9379bec45a4f9a1c454a819f57b6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-29 03:57:16
# local_time=2010-04-28 10:57:16 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22639579 22639579 0 0
# compatibility_mode=5121 16776613 100 96 1344019 24503220 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=218762
# found=48
# cleaned=0
# scan_time=15344
C:\Documents and Settings\Angel\My Documents\Downloads\ZwinkySetup2.3.50.45.ZJman000.exe a variant of Win32/Toolbar.MyWebSearch.A application 00000000000000000000000000000000 I
C:\Downloads\TheGameOfLifeSetup-dm[1].exe Win32/Adware.Trymedia application 00000000000000000000000000000000 I
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MSN Messenger\riched20.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE Win32/Adware.FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL Win32/FunWeb application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3MEDINT.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\NoAdware4\noadwareutils.dll Win32/NoAdware application 00000000000000000000000000000000 I
C:\Program Files\OneStepSrch\osopt.exe a variant of Win32/Adware.OneStep.B application 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090705-132323-948.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090705-132324-431.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090707-200903-433.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090707-200903-631.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\WINDOWS\system32\f3PSSavr.scr Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
E:\Qoobox\Quarantine\E\Documents and Settings\Owner\Local Settings\Application Data\4234251911.dll.vir a variant of Win32/Kryptik.DVH trojan 00000000000000000000000000000000 I
E:\Qoobox\Quarantine\E\Documents and Settings\Owner\Local Settings\Application Data\MSASCui.exe.vir probably a variant of Win32/Kryptik.DUC trojan 00000000000000000000000000000000 I
E:\Qoobox\Quarantine\E\WINDOWS\system32\nevigapi.exe.vir a variant of Win32/Kryptik.COO trojan 00000000000000000000000000000000 I
E:\Qoobox\Quarantine\E\WINDOWS\system32\spool\prtprocs\w32x86\00006096.tmp.vir a variant of Win32/Kryptik.DLZ trojan 00000000000000000000000000000000 I
BoricuaWarrior
Active Member
 
Posts: 10
Joined: April 10th, 2010, 2:51 pm
Top

Re: Trojan malware removal

Unread postby gringo_pr » April 29th, 2010, 8:14 pm

Hello

just some clean up to do

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File:: 
C:\Program Files\MSN Messenger\msimg32.dll 
C:\Program Files\MSN Messenger\riched20.dll 
C:\Documents and Settings\Angel\My Documents\Downloads\ZwinkySetup2.3.50.45.ZJman000.exe 
C:\Downloads\TheGameOfLifeSetup-dm[1].exe 
C:\WINDOWS\system32\f3PSSavr.scr

Folder:: 
C:\Program Files\AskSBar
C:\Program Files\MyWebSearch
C:\Program Files\NoAdware4
C:\Program Files\OneStepSrch


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall


let me have this report


gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
Top

Re: Trojan malware removal

Unread postby BoricuaWarrior » May 1st, 2010, 12:28 am

ComboFix 10-04-30.03 - Owner 04/30/2010 22:43:20.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.123 [GMT -5:00]
Running from: e:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


FILE ::
"c:\documents and settings\Angel\My Documents\Downloads\ZwinkySetup2.3.50.45.ZJman000.exe"
"c:\downloads\TheGameOfLifeSetup-dm[1].exe"
"c:\program files\MSN Messenger\msimg32.dll"
"c:\program files\MSN Messenger\riched20.dll"
"c:\windows\system32\f3PSSavr.scr"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Angel\My Documents\Downloads\ZwinkySetup2.3.50.45.ZJman000.exe
c:\downloads\TheGameOfLifeSetup-dm[1].exe
c:\program files\AskSBar
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL
c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL
c:\program files\AskSBar\bar\Cache\0009B569
c:\program files\AskSBar\bar\Cache\0009C6FD
c:\program files\AskSBar\bar\Cache\0009CA1A.bin
c:\program files\AskSBar\bar\Cache\0009CEBE.bin
c:\program files\AskSBar\bar\Cache\0009D620.bin
c:\program files\AskSBar\bar\Cache\0009D778.bin
c:\program files\AskSBar\bar\Cache\0009D891.bin
c:\program files\AskSBar\bar\Cache\0009D97C.bin
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\MSN Messenger\msimg32.dll
c:\program files\MSN Messenger\riched20.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\0045B49A.bin
c:\program files\MyWebSearch\bar\Cache\0045B892.bin
c:\program files\MyWebSearch\bar\Cache\0045BA96.bin
c:\program files\MyWebSearch\bar\Cache\0045BCC8.bin
c:\program files\MyWebSearch\bar\Cache\008D92EB
c:\program files\MyWebSearch\bar\Cache\008DAEA1
c:\program files\MyWebSearch\bar\Cache\008DB8E2.bin
c:\program files\MyWebSearch\bar\Cache\008DCB51.bin
c:\program files\MyWebSearch\bar\Cache\008E2BA1.bin
c:\program files\MyWebSearch\bar\Cache\008E776F.bin
c:\program files\MyWebSearch\bar\Cache\008E7BE4.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\NoAdware4
c:\program files\NoAdware4\noadware4_122205.na
c:\program files\NoAdware4\noadwareutils.dll
c:\program files\OneStepSrch
c:\program files\OneStepSrch\home.js
c:\program files\OneStepSrch\osopt.exe
c:\program files\OneStepSrch\readme.html
c:\program files\OneStepSrch\uninstall.exe
c:\windows\system32\f3PSSavr.scr
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
e:\program files\WindowsUpdate

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-28 23:38 . 2010-04-28 23:38 -------- d-----w- e:\program files\ESET
2010-04-25 16:35 . 2010-04-25 16:35 -------- d-----w- e:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-25 14:57 . 2010-04-25 14:57 503808 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50605279-n\msvcp71.dll
2010-04-25 14:57 . 2010-04-25 14:57 499712 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50605279-n\jmc.dll
2010-04-25 14:57 . 2010-04-25 14:57 348160 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50605279-n\msvcr71.dll
2010-04-25 14:57 . 2010-04-25 14:57 61440 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-15802882-n\decora-sse.dll
2010-04-25 14:57 . 2010-04-25 14:57 12800 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-15802882-n\decora-d3d.dll
2010-04-25 14:57 . 2010-04-12 22:29 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-04-25 14:56 . 2010-04-25 14:56 79488 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-25 14:53 . 2010-04-25 14:53 -------- d-----w- e:\program files\Common Files\Java
2010-04-16 21:48 . 2010-04-16 21:48 -------- d-----w- E:\found.002
2010-04-07 03:50 . 2010-04-07 03:50 3693160 ----a-w- e:\documents and settings\All Users\Application Data\Yahoo!\yau\{EBE50007-C164-4F0B-BD0B-681F16023F02}\ytb_8.1.4.26_2.1.3_ysp_2.0.1.13_mail_bts_pub_us_setup_.exe
2010-04-05 23:25 . 2010-04-05 23:25 -------- d--h--w- e:\windows\PIF
2010-04-05 01:50 . 2010-04-05 01:50 -------- d-sh--w- e:\documents and settings\GISET\IECompatCache
2010-04-04 05:46 . 2010-04-04 05:46 52224 ----a-w- e:\documents and settings\GISET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-04 05:46 . 2010-04-04 05:46 117760 ----a-w- e:\documents and settings\GISET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-04 05:45 . 2010-04-04 05:45 -------- d-----w- e:\documents and settings\GISET\Application Data\SUPERAntiSpyware.com
2010-04-04 02:23 . 2010-04-04 02:23 52224 ----a-w- e:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-04 02:23 . 2010-04-04 02:23 117760 ----a-w- e:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-04 02:23 . 2010-04-04 02:23 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-04 02:23 . 2010-04-04 02:23 -------- d-----w- e:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-04 02:01 . 2010-03-30 05:46 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 02:00 . 2010-04-04 02:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 02:00 . 2010-03-30 05:45 20824 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-04-04 02:00 . 2010-04-25 16:35 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-04-04 00:52 . 2010-04-04 00:52 -------- d-sh--w- e:\documents and settings\Administrator\IETldCache
2010-04-04 00:01 . 2010-04-04 00:01 -------- d-----w- e:\documents and settings\GISET\Local Settings\Application Data\Yahoo
2010-04-03 23:54 . 2010-04-03 23:54 -------- d-sh--w- e:\documents and settings\NetworkService\IETldCache
2010-04-03 23:52 . 2010-04-03 23:54 -------- d--h--w- e:\documents and settings\GISET\Application Data\yahoo!
2010-04-02 20:28 . 2010-04-02 22:29 -------- d-----w- e:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-02 20:26 . 2010-04-02 20:26 262144 ----a-w- E:\ntuser.dat
2010-04-02 20:25 . 2010-04-25 20:27 -------- d-----w- e:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-02 20:25 . 2010-04-02 20:28 -------- d-----w- e:\documents and settings\Owner\Application Data\Yahoo!
2010-04-02 20:23 . 2010-04-02 20:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Yahoo!
2010-04-02 20:23 . 2009-12-14 22:52 607472 ----a-w- e:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-04-02 20:20 . 2010-04-02 20:26 -------- d-----w- e:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 03:21 . 2009-08-22 14:37 256 ----a-w- e:\windows\system32\pool.bin
2010-04-25 20:27 . 2009-08-07 20:41 -------- d-----w- e:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-25 14:57 . 2009-08-07 21:27 -------- d-----w- e:\program files\Java
2010-04-25 14:53 . 2009-08-16 18:36 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-22 02:31 . 2010-03-24 00:47 -------- d-----w- e:\documents and settings\GISET\Application Data\FrostWire
2010-04-22 00:53 . 2009-08-07 21:26 -------- d-----w- e:\program files\FrostWire
2010-04-04 00:12 . 2004-08-04 12:00 96512 ----a-w- e:\windows\system32\drivers\atapi.sys
2010-04-02 23:31 . 2009-08-07 18:46 -------- d-----w- e:\program files\McAfee
2010-04-01 05:50 . 2009-08-09 02:59 -------- d-----w- e:\documents and settings\Owner\Application Data\FrostWire
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\AcrobatUpdater.exe
2010-03-24 01:02 . 2010-03-24 01:02 0 ----a-w- e:\documents and settings\GISET\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-03-23 03:26 . 2010-03-23 03:26 85088 ----a-w- e:\documents and settings\GISET\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-22 03:11 . 2010-03-22 03:11 -------- d-----w- e:\program files\TenchisTV
2010-03-22 03:11 . 2010-03-22 03:11 -------- d-----w- e:\program files\Conduit
2010-03-17 04:11 . 2009-07-31 23:25 85088 ----a-w- e:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 16:35 . 2010-03-20 02:20 52224 ----a-w- e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\FFExternalAlert.dll
2010-03-16 16:35 . 2010-03-20 02:20 101376 ----a-w- e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\RadioWMPCore.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ------w- e:\windows\system32\vbscript.dll
2010-03-05 03:10 . 2010-03-05 03:09 -------- d-----w- e:\program files\Veetle
2010-03-05 03:05 . 2010-03-05 03:02 -------- d-----w- e:\documents and settings\GISET\Application Data\Move Networks
2010-03-05 03:03 . 2010-03-05 03:02 198650 ----a-w- e:\documents and settings\GISET\Application Data\Move Networks\MoveMediaPlayerWin_071802000001.exe
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- e:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-04 12:00 2189952 ----a-w- e:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- e:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- e:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- e:\windows\system32\drivers\tcpip6.sys
2004-03-11 20:27 . 2009-08-07 19:21 40960 ----a-w- e:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ece24dcf-8548-4655-b392-47a388721482}"= "e:\program files\TenchisTV\tbTenc.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{ece24dcf-8548-4655-b392-47a388721482}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ece24dcf-8548-4655-b392-47a388721482}"= "e:\program files\TenchisTV\tbTenc.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{ece24dcf-8548-4655-b392-47a388721482}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="e:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]
"Search Protection"="e:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="e:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"mcagent_exe"="e:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="e:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"RemoteControl"="e:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
"InCD"="e:\program files\Ahead\InCD\InCD.exe" [2004-04-06 1298542]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"igfxtray"="e:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="e:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="e:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"FastTVSync"="e:\program files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2004-03-11 245760]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RoxWatchTray"="e:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"lxczbmgr.exe"="e:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="e:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"snpstd3"="e:\windows\vsnpstd3.exe" [2006-09-19 827392]
"YSearchProtection"="e:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

e:\documents and settings\GISET\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - e:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
InterVideo Scheduler server.lnk - e:\program files\InterVideo\DVD5R\SchSvr.exe [2009-8-8 147456]
InterVideo WinCinema Manager.lnk - e:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-8-8 184320]
Picture Package Menu.lnk - e:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-8-8 151552]
Picture Package VCD Maker.lnk - e:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2009-8-8 106496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\FrostWire\\FrostWire.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"e:\\WINDOWS\\system32\\lxczcoms.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;e:\program files\McAfee\SiteAdvisor\McSACore.exe [8/7/2009 1:49 PM 93320]
S1 SASDIFSV;SASDIFSV;\??\g:\sasdifsv.sys --> g:\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\g:\saskutil.sys --> g:\SASKUTIL.SYS [?]
S3 SASENUM;SASENUM;\??\g:\sasenum.sys --> g:\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 e:\windows\Tasks\McDefragTask.job
- e:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-07 17:22]

2009-10-01 e:\windows\Tasks\McQcTask.job
- e:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-07 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\FFExternalAlert.dll
FF - component: e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\RadioWMPCore.dll
FF - component: e:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: e:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: e:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: e:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\Veetle\Player\npvlc.dll
FF - plugin: e:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: e:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truee:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
e:\windows\system32\igfxdev.dll
.
Completion time: 2010-04-30 23:07:42
ComboFix-quarantined-files.txt 2010-05-01 04:07
ComboFix2.txt 2010-04-24 17:04

Pre-Run: 51,192,225,792 bytes free
Post-Run: 51,289,305,088 bytes free

- - End Of File - - 6C8C58E836DF2874E8E47429D04C882B
BoricuaWarrior
Active Member
 
Posts: 10
Joined: April 10th, 2010, 2:51 pm
Top

Re: Trojan malware removal

Unread postby gringo_pr » May 1st, 2010, 1:44 am

Hello

Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:Uninstall ComboFix:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Image

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:
    you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also

    I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

    • Malwarebytes' Anti-Malware- Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.


please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints
If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
Top

Re: Trojan malware removal

Unread postby Dakeyras » May 3rd, 2010, 9:36 am

As this topic is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Top
Advertisement
Register to Remove
Previous
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 439 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index