MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

1 Virus Infected Files

Unread postby Swanny » November 12th, 2007, 2:46 pm

I've been having probs lately with my desktop and my son's laptop.
I've done a scan with Kasper and it found a virus and some infected files. Here is the log, any help appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 18:45:06, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.co.uk/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4564609212
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4603863453
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

Thanks in Advance..
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 15th, 2007, 5:44 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please post a fresh Hijack This log to this thread.
I will be notified and I will get back to you ASAP.

There doesn't appear to be much wrong with your log.
Do you know what the infected file was?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
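Added example (not from the thread, and not HijackThis's own code): a Python triage pass over a HijackThis v1.99.1 log in the format Swanny posted, applying the checks a helper makes before calling a log clean: orphaned "(no file)" entries, services with no publisher, Winlogon Notify entries that do not name a DLL, and autostarts from user-writable folders. The sample log is constructed from lines in the thread plus one made-up `[updater]` line; the rules and the USER_WRITABLE list are assumptions of this example, not part of HijackThis.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample in the thread's log format. Every line except "[updater]"
# is copied from the log posted above; "[updater]" is made up to exercise the
# user-writable-path rule and was NOT in the thread's log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:45:06, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.co.uk/spbasic.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\keith\Local Settings\Temp\update.exe
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Folders a legitimate service or autostart should not be running from
# (assumed list for this example).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


@dataclass
class Entry:
    section: str          # "R1", "O4", "O23", ...
    name: str             # entry label (run value name, service, button, ...)
    path: str             # file, command line or URL the entry points at
    owner: str = ""       # publisher, O23 only
    raw: str = ""         # original line, kept for reporting


def parse_entry(line):
    """Turn one log line into an Entry, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section.startswith("R"):                      # IE start/search page settings
        name, _, path = body.partition(" = ")
        return Entry(section, name, path.strip(), raw=line)
    if section == "O4":                              # Run keys: "[name] command"
        o4 = O4_RE.match(body)
        if o4:
            return Entry(section, o4["name"], o4["cmd"], raw=line)
    parts = body.split(" - ")                        # "label - owner/CLSID - path"
    owner = parts[1] if section == "O23" and len(parts) >= 3 else ""
    return Entry(section, parts[0], parts[-1] if len(parts) > 1 else "", owner, line)


def parse_log(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def triage(entries):
    """Return (entry, reason) pairs worth a helper's attention; empty means nothing odd."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.path == "(no file)":
            findings.append((e, "orphaned entry: the registry points at a file that is gone"))
        elif e.section == "O23" and e.owner == "Unknown owner":
            findings.append((e, "service with no publisher: confirm what installed it"))
        elif e.section == "O20" and p.endswith("\\"):
            findings.append((e, "Winlogon Notify entry names a folder, not a DLL: inspect the key"))
        elif e.section in ("O2", "O4", "O20", "O23") and any(d in p for d in USER_WRITABLE):
            findings.append((e, "autostart from a user-writable location"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<4} {entry.name:<40} {reason}")
        print(f"     -> {entry.path}")
```

A finding is a prompt to look closer, not a verdict; the "Unknown owner" STI service and the AutorunsDisabled key in the thread both turned out to be harmless on inspection.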

Re: 1 Virus Infected Files

Unread postby Swanny » November 15th, 2007, 7:47 am

Thanks for the reply. It was on MSN, some worm; also did an AVG scan and found Worm/delf.ftu.
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 15th, 2007, 8:54 am

Download and Run ComboFix
  • Download Combofix from the link below and save it to your desktop
    Link >>>ComboFix Download <<< Link
  • Then double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
ComboFix SHOULD NOT be used without supervision
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: 1 Virus Infected Files

Unread postby Swanny » November 16th, 2007, 8:19 am

Thank you Katana
Here's the log.
ComboFix 07-11-08.3 - keith horobin 2007-11-16 11:45:05.1 - NTFSx86
Running from: C:\Documents and Settings\\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 12:01 <DIR> d-------- C:\Documents and Settings\\Application Data\AdwareAlert
2007-11-12 16:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-12 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-12 14:18 <DIR> d-------- C:\Program Files\Security Task Manager
2007-11-12 11:13 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-11 19:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-11-11 19:56 <DIR> d-------- C:\Documents and Settings\\Application Data\TuneUp Software
2007-11-11 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-11-11 19:56 29,704 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-11-11 19:40 <DIR> d-------- C:\CLNSYS
2007-11-11 19:40 27,632 -ra------ C:\WINDOWS\system\CTL3DV2.DLL
2007-11-11 19:21 <DIR> d-------- C:\Program Files\uTorrent
2007-11-11 19:21 <DIR> d-------- C:\Documents and Settings\keith \Application Data\uTorrent
2007-11-09 19:42 <DIR> d-------- C:\Program Files\WinASO
2007-11-06 13:00 <DIR> d-------- C:\Documents and Settings\keith \Application Data\Uniblue
2007-11-05 22:17 <DIR> d-------- C:\Documents and Settings\keith \Application Data\AVG7
2007-11-05 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-05 21:48 <DIR> d-------- C:\Downloads
2007-11-05 21:41 <DIR> d-------- C:\Program Files\Free Download Manager
2007-11-05 14:42 <DIR> d-------- C:\Program Files\SonicWallES
2007-11-03 14:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-29 15:53 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-29 12:34 <DIR> d-------- C:\Program Files\CA
2007-10-29 12:25 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-10-29 12:25 <DIR> d-------- C:\Documents and Settings\keith \Application Data\Virgin Broadband
2007-10-29 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-25 10:46 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-10-25 10:45 <DIR> d-------- C:\Program Files\BroadJump
2007-10-25 10:45 663,552 --a------ C:\WINDOWS\system32\libeay32_1-1-0_DDR.dll
2007-10-25 10:45 532,594 --a------ C:\WINDOWS\system32\xerces-c_1_40_0_DDR.dll
2007-10-25 10:45 524,377 --a------ C:\WINDOWS\system32\stlport_4_0_0_DDR.dll
2007-10-25 10:45 307,329 --a------ C:\WINDOWS\system32\BJBase_2-2-2_DDR.dll
2007-10-25 10:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-25 10:45 159,744 --a------ C:\WINDOWS\system32\ssleay32_1-1-0_DDR.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 11:00 --------- d-----w C:\Documents and Settings\keith \Application Data\Spyware Terminator
2007-11-16 09:57 32,256 ----a-w C:\WINDOWS\system32\NTSpool.exe
2007-11-15 12:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-15 10:52 --------- d-----w C:\Program Files\Spyware Terminator
2007-11-13 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 14:01 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-11 19:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 19:29 --------- d-----w C:\Program Files\a-squared Anti-Malware
2007-11-11 13:10 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-11-06 12:46 --------- d-----w C:\Program Files\Picasa2
2007-11-05 19:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-05 11:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-03 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-03 15:17 --------- d-----w C:\Program Files\InstallShield Installation Information
2007-11-03 00:17 --------- d-----w C:\Documents and Settings\keith horobin\Application Data\MSN6
2007-10-29 12:54 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-08 01:20 138,624 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-09-23 21:00 --------- d-----w C:\Program Files\WinClamAVShield
2007-09-12 14:47 230,432 ----a-w C:\StiImg.dat
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-20 03:02]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-10-08 01:19]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-20 03:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-05 22:15]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
crypt32.dll 2004-08-04 07:56 597504 C:\WINDOWS\system32\crypt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 19:56:46 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-15 12:01:27 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 12:04:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-16 12:06:56
.
--- E O F ---
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 16th, 2007, 10:48 am

Your logs are looking good so far, your AV may have stopped the infection before it got hold.
I see you have A squared installed :)
Please run a scan with that and post the log here.

Kaspersky Online Scanner

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: 1 Virus Infected Files

Unread postby Swanny » November 16th, 2007, 5:02 pm

Cheers... Put the kettle on... lol, I made a Sunday roast. hehe..

Here's the Kasper log, m8.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 16, 2007 8:52:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/11/2007
Kaspersky Anti-Virus database records: 460532
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 48487
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 03:35:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\keith \Cookies\index.dat Object is locked skipped
C:\Documents and Settings\keith \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\keith \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\keith \Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\keith horobin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\keith \NTUSER.DAT Object is locked skipped
C:\Documents and Settings\keith \ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\EA SPORTS\Tiger Woods PGA TOUR 2005\Support\European Help Files\pt-br\whdata\whglo.js Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A91A7D0A-3B15-4FB2-8DE4-4EC0F652BD09}\RP178\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{192B7741-E414-457A-AA06-C60D9DB71873}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\a2cache_7849B75D.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 16th, 2007, 5:13 pm

Congratulations, your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.


Firewall
You do not appear to have a firewall.
You may be using Windows firewall, however this only stops incoming traffic.
A third party firewall is much safer, as it stops malware that does get on your PC from contacting "home".
Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
There are many free ones to choose from if cost is a problem. Visit here to choose one.


Also PLEASE read this article

So How Did I Get Infected In The First Place

If you can see a program in the must have section that you have never seen or used then get it!

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: 1 Virus Infected Files

Unread postby Swanny » November 16th, 2007, 6:31 pm

cheers
But when I type ComboFix /u it cannot be found.
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 16th, 2007, 7:18 pm

Have you deleted Combofix.exe ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: 1 Virus Infected Files

Unread postby Swanny » November 16th, 2007, 7:22 pm

No Kat, I went to install, then it went off, and then when I typed it in Run again, couldn't find it.
I've got the Comodo Firewall, should I disable the Windows Firewall now?
thanks again.
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 16th, 2007, 7:50 pm

If you typed ComboFix /u and then Enter, that will have uninstalled ComboFix.
If you type it again, it will not do anything as the program is already gone :)

If you have installed Comodo then you should turn Off Windows firewall.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: 1 Virus Infected Files

Unread postby Swanny » November 17th, 2007, 6:34 am

Thanks Katana
I've closed the other firewall.
But as for that ComboFix, it still can't locate it. How do I get it back on now? To tidy up, as you say.
thanks
swanny. ;)
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm

Re: 1 Virus Infected Files

Unread postby Katana » November 17th, 2007, 10:40 am

If it can't find it, then it is already gone :)
Is there a folder on your C: drive called Qoobox ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: 1 Virus Infected Files

Unread postby Swanny » November 18th, 2007, 7:11 am

Hi Katana

There was a txt doc in there. ComboFix, here's the log


ComboFix 07-11-08.3 - keith2007-11-16 11:45:05.1 - NTFSx86
Running from: C:\Documents and Settings\keith \Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 12:01 <DIR> d-------- C:\Documents and Settings\keith \Application Data\AdwareAlert
2007-11-12 16:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-12 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-12 14:18 <DIR> d-------- C:\Program Files\Security Task Manager
2007-11-12 11:13 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-11 19:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-11-11 19:56 <DIR> d-------- C:\Documents and Settings\keith \Application Data\TuneUp Software
2007-11-11 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-11-11 19:56 29,704 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-11-11 19:40 <DIR> d-------- C:\CLNSYS
2007-11-11 19:40 27,632 -ra------ C:\WINDOWS\system\CTL3DV2.DLL
2007-11-11 19:21 <DIR> d-------- C:\Program Files\uTorrent
2007-11-11 19:21 <DIR> d-------- C:\Documents and Settings\keith \Application Data\uTorrent
2007-11-09 19:42 <DIR> d-------- C:\Program Files\WinASO
2007-11-06 13:00 <DIR> d-------- C:\Documents and Settings\keith pplication Data\Uniblue
2007-11-05 22:17 <DIR> d-------- C:\Documents and Settings\keith\Application Data\AVG7
2007-11-05 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-05 21:48 <DIR> d-------- C:\Downloads
2007-11-05 21:41 <DIR> d-------- C:\Program Files\Free Download Manager
2007-11-05 14:42 <DIR> d-------- C:\Program Files\SonicWallES
2007-11-03 14:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-29 15:53 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-29 12:34 <DIR> d-------- C:\Program Files\CA
2007-10-29 12:25 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-10-29 12:25 <DIR> d-------- C:\Documents and Settings\keith h\Application Data\Virgin Broadband
2007-10-29 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-25 10:46 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-10-25 10:45 <DIR> d-------- C:\Program Files\BroadJump
2007-10-25 10:45 663,552 --a------ C:\WINDOWS\system32\libeay32_1-1-0_DDR.dll
2007-10-25 10:45 532,594 --a------ C:\WINDOWS\system32\xerces-c_1_40_0_DDR.dll
2007-10-25 10:45 524,377 --a------ C:\WINDOWS\system32\stlport_4_0_0_DDR.dll
2007-10-25 10:45 307,329 --a------ C:\WINDOWS\system32\BJBase_2-2-2_DDR.dll
2007-10-25 10:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-25 10:45 159,744 --a------ C:\WINDOWS\system32\ssleay32_1-1-0_DDR.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 11:00 --------- d-----w C:\Documents and Settings\keith \Application Data\Spyware Terminator
2007-11-16 09:57 32,256 ----a-w C:\WINDOWS\system32\NTSpool.exe
2007-11-15 12:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-15 10:52 --------- d-----w C:\Program Files\Spyware Terminator
2007-11-13 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 14:01 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-11 19:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 19:29 --------- d-----w C:\Program Files\a-squared Anti-Malware
2007-11-11 13:10 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-11-06 12:46 --------- d-----w C:\Program Files\Picasa2
2007-11-05 19:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-05 11:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-03 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-03 15:17 --------- d-----w C:\Program Files\InstallShield Installation Information
2007-11-03 00:17 --------- d-----w C:\Documents and Settings\keith \Application Data\MSN6
2007-10-29 12:54 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-08 01:20 138,624 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-09-23 21:00 --------- d-----w C:\Program Files\WinClamAVShield
2007-09-12 14:47 230,432 ----a-w C:\StiImg.dat
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-20 03:02]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-10-08 01:19]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-20 03:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-05 22:15]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
crypt32.dll 2004-08-04 07:56 597504 C:\WINDOWS\system32\crypt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 19:56:46 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-15 12:01:27 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 12:04:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-16 12:06:56
.
--- E O F ---
Swanny
Regular Member
 
Posts: 77
Joined: November 12th, 2007, 2:35 pm