Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Exploit rogue scanner?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 14th, 2010, 8:02 pm

i tried uninstalling adobe reader but i get a message like this. it also happenes when i tried installing the new version of adobe

Error 1401. Could not open key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Verify that you have sufficient access to that key, or contatct your support personnel
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm
Advertisement
Register to Remove

Re: Exploit rogue scanner?

Unread postby km2357 » October 15th, 2010, 3:36 pm

I need to ask my fellow malware fighters to see if they have any suggestions.

Be back ASAP. :)
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 15th, 2010, 4:27 pm

thank you i myself tried searching the web and people have same problems as well, but hanvet found a solution either

should i skip to step 2?
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm

Re: Exploit rogue scanner?

Unread postby km2357 » October 16th, 2010, 1:19 pm

Thanks to the Cypher for the suggestion. :)

Please download Add Remove Program Cleaner to your desktop.

  • Double-click on addremovecleaner.
  • Locate Adobe Reader 8.1.1 in the menu and click once on it to highlight.
  • Now click on Remove from add/remove programs list.
  • At the prompt click on Yes then Exit.
  • Now delete addremovecleaner from the desktop, empty the Recycle Bin and reboot the computer.

Once the computer has booted back up, see if you can install Adobe Reader 9.4.0. Let me know if you can or not.


Also, go ahead and run the Kaspersky scan and post back the Kaspersky Log and a fresh DDS Log. Also let me know how your computer is doing as well.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 16th, 2010, 3:28 pm

i donwloaded the program but these are the options of the programs to remove, i am not sure which one it is

Adobe AIR
Adobe Flash Player 10ActiveX
Adobe Shockwave player
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm

Re: Exploit rogue scanner?

Unread postby km2357 » October 16th, 2010, 11:25 pm

Adobe Reader 8.1.1 is not in the list (along with Adobe AIR, Adobe Flash Player 10 ActiveX and Adobe Shockwave player) when you ran addremovecleaner?

Is Adobe Reader 8.1.1 listed in Add/Remove Programs?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 17th, 2010, 12:08 am

in the add/remove programs list is there
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm

Re: Exploit rogue scanner?

Unread postby km2357 » October 17th, 2010, 1:20 pm

Thanks to gringo_pr for this suggestion. :)

Go ahead and delete addremovecleaner, we are gonna try something else instead.


Delete CFScript.txt from your Desktop, you will be creating and running a new one.


Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    KILLALL::
    
    RegLock::
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    Image


    Note: This CFScript is for use on alvaro0114's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.

Once ComboFix is finished, see if you can uninstall Adobe Reader 8.1.1 and install Adobe Reader 9.4.0
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 17th, 2010, 3:18 pm

thank you for the time, and now i was able to remove the old version of adobe and install the new one:). The pc is running normal without problems im going to post the combofix and kaspersky logs

here is the combofix log

ComboFix 10-10-16.04 - Alvaro Rodriguez 10/17/2010 15:00:27.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -4:00]
Running from: c:\documents and settings\Alvaro Rodriguez\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alvaro Rodriguez\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
.

2010-10-15 22:44 . 2010-10-15 22:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-10-15 22:44 . 2010-10-15 22:44 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-10-15 22:44 . 2010-10-15 22:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-10-15 22:44 . 2010-10-15 22:44 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-10-15 22:44 . 2010-10-17 18:10 -------- d-----w- c:\windows\system32\drivers\Avg
2010-10-14 19:29 . 2010-10-14 19:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-14 19:29 . 2010-10-14 19:29 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-14 19:29 . 2010-10-14 19:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-14 01:28 . 2010-10-14 01:28 -------- d-----w- c:\documents and settings\Alvaro Rodriguez\Application Data\AVG10
2010-10-14 01:27 . 2010-10-14 01:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-14 01:24 . 2010-10-15 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-14 01:00 . 2010-10-14 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-13 22:45 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-10-13 22:45 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-10-13 21:42 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 21:42 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 21:42 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 21:41 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 01:42 . 2010-10-13 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-10-09 02:51 . 2010-10-09 02:51 388096 ----a-r- c:\documents and settings\Alvaro Rodriguez\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-09 00:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-09 00:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 19:51 . 2010-09-19 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 04:58 . 2007-02-12 22:24 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-02-05 04:58 . 2007-02-12 22:24 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-02-05 04:58 . 2007-02-12 22:24 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-02-05 04:58 . 2007-02-12 22:24 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-02-05 04:58 . 2007-02-12 22:24 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"F.lux"="c:\documents and settings\Alvaro Rodriguez\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-16 2067808]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-24 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-10-15 22:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2005-10-08 05:26 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Alvaro Rodriguez^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Alvaro Rodriguez\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-04-10 13:53 50520 ----a-w- c:\documents and settings\Alvaro Rodriguez\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-06 23:03 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoSysTray]
2009-10-01 14:53 20480 ----a-w- c:\program files\Plaxo\3.23.0.11\plaxosystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 12:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Alvaro Rodriguez\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59127:TCP"= 59127:TCP:Pando Media Booster
"59127:UDP"= 59127:UDP:Pando Media Booster

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/13/2009 7:35 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/15/2010 6:44 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/15/2010 6:44 PM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/15/2010 6:44 PM 308136]
S2 gupdate1c9c156cfba95c;Google Update Service (gupdate1c9c156cfba95c);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2009 9:19 PM 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [11/4/2008 1:46 PM 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [11/4/2008 1:46 PM 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 01:19]

2010-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 01:19]

2010-10-17 c:\windows\Tasks\User_Feed_Synchronization-{D1457349-43D9-4B64-AE15-7CD73FB4A2FF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
FF - ProfilePath - c:\documents and settings\Alvaro Rodriguez\Application Data\Mozilla\Firefox\Profiles\8xnlxn9h.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417996333-493728206-3967999953-1006\Software\SecuROM\License information*]
"datasecu"=hex:90,79,97,d3,de,fc,3c,38,08,8c,61,e8,62,e5,3e,b8,15,b4,2d,a5,a0,
87,7f,2e,12,cf,95,d1,eb,84,39,f8,13,a1,95,de,77,1b,c3,d8,75,0b,30,01,21,cb,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Lexmark X5100 Series\lxbabmon.exe
c:\windows\system32\dllhost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-10-17 15:16:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-17 19:16
ComboFix2.txt 2010-10-14 02:31
ComboFix3.txt 2008-12-18 23:41

Pre-Run: 119,581,925,376 bytes free
Post-Run: 120,019,648,512 bytes free

- - End Of File - - 6636273E7322D422D8973C55B41D386C

Here is the kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, October 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, October 17, 2010 08:51:57
Records in database: 4181029
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 83205
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:38:20


File name / Threat / Threats count
C:\Documents and Settings\Alvaro Rodriguez\Shared\lole senador.wma Infected: Trojan-Downloader.WMA.Wimad.y 1

Selected area has been scanned.
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm

Re: Exploit rogue scanner?

Unread postby km2357 » October 17th, 2010, 11:13 pm

Note: I won't be near my computer tomorrow (Monday Oct 18th), so go ahead and follow the instructions below and I'll get back to you on Tuesday. :)

Delete the following file, if found:

C:\Documents and Settings\Alvaro Rodriguez\Shared\lole senador.wma
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 18th, 2010, 7:33 pm

ok i deleted dthat file and the pc is working normal i guess
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm

Re: Exploit rogue scanner?

Unread postby km2357 » October 19th, 2010, 2:34 pm

If there are no more problems, then you're good to go. :)

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
RKUnhookerLE.exe
The RKUnhooker Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.
.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please checkHide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok..
  • Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby alvaro0114 » October 20th, 2010, 5:39 pm

thank you for everything km2357 the pc looks good to me

can i still check this post or will it get deleted?
alvaro0114
Regular Member
 
Posts: 15
Joined: October 8th, 2010, 10:30 pm

Re: Exploit rogue scanner?

Unread postby km2357 » October 20th, 2010, 7:52 pm

You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!

can i still check this post or will it get deleted?


This thread will be moved to the Archived Hijackthis Posts section of the forum where you'll be able to read it at anytime, but not post/reply in the thread.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3202
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Exploit rogue scanner?

Unread postby Wingman » October 20th, 2010, 8:03 pm

As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 142 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware