Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

FakeAlert-T, Unable to remove

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

FakeAlert-T, Unable to remove

Unread postby bwick » March 25th, 2008, 7:12 am

Hi, Believe my pc has been affected by FakeAlert-T Trojan with symptoms identical to link below
http://vil.nai.com/vil/content/v_143406.htm

Tried to remove it by latest Macaffe Dat 5258/Engine5200 but it had detected number of trojans but still I could not get rid of number of Fake alerts and fake Windows Security Center systems warning. Kindly help.
Thanks bwick

See hijack log before running combofix then after running combofix etc

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:08 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = equant.com
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 4707 bytes

Have done combo fix and got below/ also see hijack after running combo
ComboFix 08-03-25.4 - wick 2008-03-27 19:59:53.1 - NTFSx86
Running from: C:\Documents and Settings\wick\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\noskrnl.config
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\SoftwareDistribution\Download\aa19f15378aa75d2b2c7ba5771e0c521\_install.exe
C:\WINDOWS\SoftwareDistribution\Download\aa19f15378aa75d2b2c7ba5771e0c521\update\_install.exe
C:\WINDOWS\SoftwareDistribution\Download\adc42e4e6905251cac80b18a8dccd42a\_install.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\lrito.ini
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LRITO5E29-3968
-------\Service_lrito5e29-3968


((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 20:02 . 2008-03-27 20:04 <DIR> d-------- C:\Program Files\seekmo
2008-03-27 19:23 . 2008-03-27 19:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-26 19:28 . 2008-03-26 19:31 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-25 20:07 . 2008-03-27 19:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\zango
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\stc
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180solutions
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180search assistant
2008-03-22 22:40 . 2008-03-22 22:40 32,512 --a------ C:\WINDOWS\autodisc32.dll
2008-03-22 22:40 . 2008-03-22 22:40 29,952 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-22 22:40 . 2008-03-22 22:40 27,648 --a------ C:\WINDOWS\athprxy32.dll
2008-03-22 22:40 . 2008-03-22 22:40 26,368 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-22 22:40 . 2008-03-22 22:40 21,504 --a------ C:\WINDOWS\apphelp32.dll
2008-03-22 22:40 . 2008-03-22 22:40 16,896 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-22 22:40 . 2008-03-22 22:40 15,872 --a------ C:\WINDOWS\avifile32.dll
2008-03-22 22:40 . 2008-03-22 22:40 15,360 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-22 22:40 . 2008-03-22 22:40 11,776 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-22 22:40 . 2008-03-22 22:40 11,520 --a------ C:\WINDOWS\asferror32.dll
2008-03-21 20:02 . 2008-03-21 20:02 90,544 --a------ C:\WINDOWS\system32\kuilgfvx.exe
2008-03-21 20:02 . 2008-03-21 20:02 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-21 20:01 . 2008-03-21 20:01 17,408 --a------ C:\WINDOWS\system32\dtivmdlj.exe
2008-03-21 19:42 . 2008-03-21 19:42 8,300 --a------ C:\WINDOWS\desctemp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 15:10 --------- d-----w C:\Program Files\Nortel Networks
2008-03-24 15:08 --------- d-----w C:\Program Files\DivX
2008-03-24 15:08 --------- d-----w C:\Program Files\Dialer
2008-02-26 13:54 15,872 ----a-w C:\WINDOWS\system32\eiigpcsy.exe
2008-02-18 09:03 22,528 ----a-w C:\WINDOWS\system32\ioyvgtur.exe
2008-02-01 16:35 --------- d-----w C:\Program Files\CCleaner
2008-01-30 17:25 --------- d-----w C:\Documents and Settings\wick\Application Data\Apple Computer
2008-01-30 16:37 --------- d-----w C:\Program Files\QuickTime
2008-01-30 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-30 16:35 --------- d-----w C:\Program Files\Apple Software Update
2008-01-30 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2007-04-04 15:19 131072]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-23 23:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"G:\\BWSHARE\\PumpKIN.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2004-03-26 18:16]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-03-26 18:15]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-03-26 18:15]
S2 QYDWWLTM;QYDWWLTM;C:\WINDOWS\system32\qydwwltm.psu []
S2 WinAcPci;WinAcPci;C:\WINDOWS\system32\DRIVERS\WinAcPci.sys [1998-10-27 22:07]

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 16:35:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 20:05:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QYDWWLTM]
"ImagePath"="\??\C:\WINDOWS\system32\qydwwltm.psu"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-27 20:12:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 14:42:33
.
2008-03-26 14:05:57 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:31 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = equant.com
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 3786 bytes
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top
Advertisement
Register to Remove

Re: FakeAlert-T, Unable to remove

Unread postby chryssi2001 » March 30th, 2008, 8:27 am

Hello bwick,

I will be assisting you with your malware issues.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
IMPORTANT NOTE:
If you are using Windows Vista you must right click on the desktop icon and choose Run as Administrator all tools.
---------------------------------------------------
You shouldn't be running Combofix without a helpers quidance.
---------------------------------------------------
I will check your Combofix report but i also need a new HijackThis log.

Comparing both of your HijackThis logs, a lot of lines are missing in the 2nd log.
Did you remove them? Since i am going to help you, please do not anything without me telling you so, so we can clean your pc.
---------------------------------------------------
Meanwhile i want you to install Recovery Console.

RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
---------------------------------------------------
Post back:
Recovery Console report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » March 31st, 2008, 5:50 am

Thanks Dear

I shall get back to you with new logs as soon as possible.

Cheers Bwick
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » March 31st, 2008, 6:02 am

Hi Chryssi

Hijack logs posted were
1) Before running combofix
2) After running combofix

I did not remove any lines from 2nd report. However 'Fake alert' problem disappeared after running combofix. Shall get back to you once recovery console is installed.

Thanks bwick
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby chryssi2001 » March 31st, 2008, 7:54 am

Hello bwick,

I've checked the last HijackThis log you posted.

I need a new HijackThis log which shows me a fresh icon.
Please post one with the Recovery Console report.

You can reboot your pc after installing the Recovery Console.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » March 31st, 2008, 11:48 am

Hi

See below CF-RC after installing recovery console and HJT log taken just before installing RC

Can I reboot the pc now ?

Thanks bwick



WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:50 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = equant.com
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 3753 bytes
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby chryssi2001 » March 31st, 2008, 11:54 am

Yes please reboot the pc.

I will be back in a while. :)
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » March 31st, 2008, 12:18 pm

Hi

Before reboot I wanted to take HJT log but accidently clicked Combofix which ran successfully and then I have rebooted and took fresh HJT log. Both are appended below. Also I have noticed ms icon 'updates are ready for installation' click to install etc. How do I know if this is genuine or another virus or something ?
Thanks

ComboFix 08-03-25.4 - wick 2008-03-31 21:37:39.2 - NTFSx86
Running from: C:\Documents and Settings\wick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\seekmo

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 21:35 . 2008-03-31 21:35 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-27 19:23 . 2008-03-27 19:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-26 19:28 . 2008-03-26 19:34 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-25 20:07 . 2008-03-27 19:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\zango
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\stc
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180solutions
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180search assistant
2008-03-22 22:40 . 2008-03-22 22:40 32,512 --a------ C:\WINDOWS\autodisc32.dll
2008-03-22 22:40 . 2008-03-22 22:40 29,952 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-22 22:40 . 2008-03-22 22:40 27,648 --a------ C:\WINDOWS\athprxy32.dll
2008-03-22 22:40 . 2008-03-22 22:40 26,368 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-22 22:40 . 2008-03-22 22:40 21,504 --a------ C:\WINDOWS\apphelp32.dll
2008-03-22 22:40 . 2008-03-22 22:40 16,896 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-22 22:40 . 2008-03-22 22:40 15,872 --a------ C:\WINDOWS\avifile32.dll
2008-03-22 22:40 . 2008-03-22 22:40 15,360 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-22 22:40 . 2008-03-22 22:40 11,776 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-22 22:40 . 2008-03-22 22:40 11,520 --a------ C:\WINDOWS\asferror32.dll
2008-03-21 20:02 . 2008-03-21 20:02 90,544 --a------ C:\WINDOWS\system32\kuilgfvx.exe
2008-03-21 20:02 . 2008-03-21 20:02 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-21 20:01 . 2008-03-21 20:01 17,408 --a------ C:\WINDOWS\system32\dtivmdlj.exe
2008-03-21 19:42 . 2008-03-21 19:42 8,300 --a------ C:\WINDOWS\desctemp.dat
2008-02-26 19:27 . 2008-02-27 21:40 12,830 --a------ C:\WINDOWS\system32\diperto.ini
2008-02-26 19:24 . 2008-02-26 19:24 15,872 --a------ C:\WINDOWS\system32\eiigpcsy.exe
2008-02-19 19:11 . 2008-02-19 19:11 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-18 14:33 . 2008-02-18 14:33 22,528 --a------ C:\WINDOWS\system32\ioyvgtur.exe
2008-02-01 22:05 . 2008-02-01 22:05 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 15:10 --------- d-----w C:\Program Files\Nortel Networks
2008-03-24 15:08 --------- d-----w C:\Program Files\DivX
2008-03-24 15:08 --------- d-----w C:\Program Files\Dialer
2008-03-22 17:11 30,720 ----a-w C:\WINDOWS\shdocpe.dll
2008-03-22 17:11 27,904 ----a-w C:\WINDOWS\shdocpl.dll
2008-03-22 17:11 26,880 ----a-w C:\WINDOWS\avisynthex32.dll
2008-03-22 17:11 24,320 ----a-w C:\WINDOWS\msapasrc.dll
2008-03-22 17:11 21,248 ----a-w C:\WINDOWS\aviwrap32.dll
2008-03-22 17:11 19,712 ----a-w C:\WINDOWS\msa64chk.dll
2008-03-22 17:11 19,456 ----a-w C:\WINDOWS\ntnut.exe
2008-03-22 17:11 15,360 ----a-w C:\WINDOWS\winsb.dll
2008-03-22 17:11 10,752 ----a-w C:\WINDOWS\browserad.dll
2008-01-30 17:25 --------- d-----w C:\Documents and Settings\wick\Application Data\Apple Computer
2008-01-30 16:37 --------- d-----w C:\Program Files\QuickTime
2008-01-30 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-30 16:35 --------- d-----w C:\Program Files\Apple Software Update
2008-01-30 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((( snapshot@2008-03-27_20.12.02.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-25 20:32:22 144,896 ----a-w C:\WINDOWS\$hf_mig$\KB935840\SP2QFE\schannel.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB935840\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB935840\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\updspapi.dll
- 2004-08-04 12:00:00 721,920 ------w C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\backup\sp2gdr\lsasrv.dll
- 2004-08-04 12:00:00 721,920 ------w C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\backup\sp2qfe\lsasrv.dll
- 2004-08-04 12:00:00 451,456 ------w C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\backup\sp2gdr\mrxsmb.sys
- 2004-08-04 12:00:00 176,512 ------w C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\backup\sp2gdr\rdbss.sys
- 2004-08-03 17:45:18 451,456 ------w C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\backup\sp2qfe\mrxsmb.sys
- 2004-08-04 12:00:00 176,512 ------w C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\backup\sp2qfe\rdbss.sys
- 2004-08-04 12:00:00 144,896 -c--a-w C:\WINDOWS\system32\dllcache\schannel.dll
+ 2007-04-25 14:21:15 144,896 -c--a-w C:\WINDOWS\system32\dllcache\schannel.dll
- 2004-08-04 12:00:00 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
+ 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
- 2005-10-12 23:12:25 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2006-01-19 19:29:19 14,048 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2007-04-04 15:19 131072]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-23 23:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"G:\\BWSHARE\\PumpKIN.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2004-03-26 18:16]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-03-26 18:15]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-03-26 18:15]
S2 QYDWWLTM;QYDWWLTM;C:\WINDOWS\system32\qydwwltm.psu []

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 16:35:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 21:42:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\QYDWWLTM]
"ImagePath"="\??\C:\WINDOWS\system32\qydwwltm.psu"
.
Completion time: 2008-03-31 21:44:55
ComboFix-quarantined-files.txt 2008-03-31 16:14:50
ComboFix2.txt 2008-03-27 14:42:42
.
2008-03-27 17:32:50 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:15 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = equant.com
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 3753 bytes
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby chryssi2001 » March 31st, 2008, 1:02 pm

Hello bwick,

Before reboot I wanted to take HJT log but accidently clicked Combofix which ran successfully and then I have rebooted and took fresh HJT log. Both are appended below. Also I have noticed ms icon 'updates are ready for installation' click to install etc. How do I know if this is genuine or another virus or something ?

I had the new HijackThis you posted before installing the Recovery Console.
The new Combofix you posted had additional infection, so we have to deal with it soonest possible as it regenerates.

Is MS icon updates warning on your taskbar? Do you have updates enabled?
If yes those should be new updates. Is this the usuall day you have your updates set to install? You should know. ;)
Please install them after following my steps. Do not install them now.
Your pc is too much infected.

Try to follow carefully my instructions, if you are not sure about something just ask.
----------------------------------------------
Even if i don't see any P2P Programs installed on your pc, i have to post this:

P2P PROGRAMS

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the P2P programs.

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
We have to uninstall Combofix.
Combofix is updated very often and the version you have is an older one.
We need the new one to create a fix for your pc.
----------------------------------------------
UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs it has produced, and empty your Recycle bin.
----------------------------------------------
Download ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places and place it at your DESKTOP :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Do not run it yet!
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=29068

Collect::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\system32\kuilgfvx.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\dtivmdlj.exe
C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\eiigpcsy.exe
C:\WINDOWS\system32\ioyvgtur.exe
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\ntnut.exe
C:\WINDOWS\winsb.dll
C:\WINDOWS\browserad.dll
C:\WINDOWS\system32\qydwwltm.psu

Folder::
C:\Program Files\zango
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\Dialer

Driver::
QYDWWLTM
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » April 1st, 2008, 5:43 am

Was not running p2p programmes on this particular pc ( is utorrent such a program?). However used this pc to view some files loaded via utorrent on another pc.
I shall follow your instructions and come back with new logs.
Thanks bwick
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby chryssi2001 » April 1st, 2008, 9:56 am

bwick wrote:Was not running p2p programmes on this particular pc ( is utorrent such a program?). However used this pc to view some files loaded via utorrent on another pc.
I shall follow your instructions and come back with new logs.
Thanks bwick


Yes utorrent is a P2P program. You have too many infections on your pc, that's why i felt i had to warn you about using P2P programs dangers.
Here is a list for bad and good P2P programs.
http://www.malwareremoval.com/p2pindex.php

I want to add a comment here, that even is a P2P program it's self is clean, it can still bring infections to a pc with the way it functions to download various stuff like music, and others on a pc.

I'll wait for the reports :)
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » April 1st, 2008, 1:51 pm

Here are the combofix and HJT logs. During combofix activation my dialer program got deleted as dialer folder was included in the cFScript file. However we managed to get it reinstalled to access internet.

ComboFix 08-03-30.5 - wick 2008-04-01 22:50:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.39 [GMT 5.5:30]
Running from: C:\Documents and Settings\wick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\wick\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\Dialer
C:\Program Files\Dialer\cmdial32.dll
C:\Program Files\Dialer\dialer.cnt
C:\Program Files\Dialer\dialer.exe
C:\Program Files\Dialer\dialer.hlp
C:\Program Files\Dialer\dunerror.txt
C:\Program Files\Dialer\ERA\ERA.bmp
C:\Program Files\Dialer\ERA\ERA.pop
C:\Program Files\Dialer\Exports\dummy.txt
C:\Program Files\Dialer\Imports\dummy.txt
C:\Program Files\Dialer\Install\dummy.txt
C:\Program Files\Dialer\Install\SecurId.dll
C:\Program Files\Dialer\license.doc
C:\Program Files\Dialer\ntlogin.exe
C:\Program Files\Dialer\PlugIns\dummy.txt
C:\Program Files\Dialer\PlugIns\generic.dll
C:\Program Files\Dialer\PlugIns\securid.dll
C:\Program Files\Dialer\PlugIns\x28rla.dll
C:\Program Files\Dialer\profiles.pro
C:\Program Files\Dialer\readme.doc
C:\Program Files\Dialer\rnaph.dll
C:\Program Files\Dialer\user1sid.lay
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\browserad.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\imsins.BAK
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\ntnut.exe
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\dtivmdlj.exe
C:\WINDOWS\system32\eiigpcsy.exe
C:\WINDOWS\system32\ioyvgtur.exe
C:\WINDOWS\system32\kuilgfvx.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\winsb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QYDWWLTM
-------\Service_QYDWWLTM


((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-27 19:23 . 2008-03-27 19:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 20:07 . 2008-03-27 19:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-22 22:41 . 2008-03-22 22:41 <DIR> d-------- C:\Program Files\180search assistant
2008-03-22 22:41 . 2008-03-22 22:41 32,768 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-22 22:41 . 2008-03-22 22:41 29,184 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-22 22:41 . 2008-03-22 22:41 25,600 --a------ C:\WINDOWS\123messenger.per
2008-03-22 22:41 . 2008-03-22 22:41 19,200 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-03-22 22:41 . 2008-03-22 22:41 11,776 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-22 22:41 . 2008-03-22 22:41 8,960 --a------ C:\WINDOWS\didduid.ini
2008-03-21 19:42 . 2008-03-21 19:42 8,300 --a------ C:\WINDOWS\desctemp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 15:10 --------- d-----w C:\Program Files\Nortel Networks
2008-03-24 15:08 --------- d-----w C:\Program Files\DivX
2008-02-01 16:35 --------- d-----w C:\Program Files\CCleaner
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2007-04-04 15:19 131072]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-23 23:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"G:\\BWSHARE\\PumpKIN.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2004-03-26 18:16]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-03-26 18:15]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-03-26 18:15]
S2 WinAcPci;WinAcPci;C:\WINDOWS\system32\DRIVERS\WinAcPci.sys [1998-10-27 22:07]

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 16:35:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 22:55:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2008-04-01 23:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 17:33:44
ComboFix2.txt 2008-03-31 16:14:56
Pre-Run: 6,159,499,264 bytes free
Post-Run: 6,143,373,312 bytes free
.
2008-03-27 17:32:50 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:44 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Dialer\Dialer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = equant.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = equant.com
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 3815 bytes
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » April 1st, 2008, 1:59 pm

Thank you for enlightning us on the p2p programs and providing us a list of safe and unsafe etc. Believe all should be used at your own risk.

Cheers Bwick
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top

Re: FakeAlert-T, Unable to remove

Unread postby chryssi2001 » April 1st, 2008, 3:40 pm

Hello bwick,

I am very sorry about your dialer :( I am glad you was able to reinstall it.
They should change the name though ;)

Thank you for enlightning us on the p2p programs and providing us a list of safe and unsafe etc. Believe all should be used at your own risk.

You are welcome :) We see too many people infected when using these programs, and as i said, your pc was too much infected, so i consider it proper to explain to you about P2P programs. As you said, you choose if you are going to use them or not.
----------------------------------------------
We need another fix with Combofix as there is some more infection showing now.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\didduid.ini

Folder::
C:\WINDOWS\FLEOK
C:\Program Files\180search assistant
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Is the pc running better now?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Top

Re: FakeAlert-T, Unable to remove

Unread postby bwick » April 2nd, 2008, 2:54 am

Hi,

I shall get back to you with new logs in due course. Meantime PC is running ok but still 'updates are ready to install' icon is there. Although automatic updates are enable in this particular pc, it did not have enough time to load them as we hardly log in to internet from this desktop (my home desktop). So I am still not sure if this is yet anther virus or malware. Is there a way to determine ? meantime new ms patches were not updated on this pc as we rearely use internet access (v90 dialup connection). Is there anyway we can take updates from a pc which is frequently updated and copy those files there rather than use internet alone to download them ? (like take updated kbxxxx patches from my office pc in a pendrive and install in home pc ?
Thanks bwick
bwick
Active Member
 
Posts: 14
Joined: March 25th, 2008, 6:02 am
Top
Advertisement
Register to Remove
Next
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 531 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index