help to remove virus

Unread postby lrod » June 1st, 2008, 6:03 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:56 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QmFyYmFyYQ\command.exe
C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hpha1mon.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\system32\hpha1mon.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{2A-A0-09-9D-DW}] C:\WINDOWS\system32\jnwnw64m.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\larry\svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [28b2a032] C:\WINDOWS\system32\xwxhntky.dll,b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64m.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/ap ... 2mdlax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmFyYmFyYQ\command.exe
O23 - Service: Printer Status Server (hpzstatn) - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5710 bytes


Edit: For your own security, and in order not to get a huge amount of spam, please do not post your e-mail address in the forums.
I have removed your e-mail address from this post.
Elrond
lrod
Active Member
 
Posts: 3
Joined: June 1st, 2008, 5:49 am
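A first triage pass over the HijackThis log above, added here as an example that is not part of the original thread and not HijackThis's own logic: it parses the running-process list and the O4 Run/Startup and O23 Service lines, then flags the patterns a helper looks for first (a service with an unknown owner, a core Windows binary name such as svchost.exe outside the Windows directory, a Run entry that loads a DLL export, a vowel-less random-looking file name, and a directory whose name is base64). The sample lines are copied from the log; the heuristics and thresholds are this example's assumptions and mark entries for review, nothing more.

```python
"""Triage pass over a HijackThis v2 log (added example, not HijackThis code).

The sample lines are copied from the log posted above; the heuristics and
thresholds are this example's own assumptions, meant to prioritise review.
"""
import base64
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample: a subset of lines from the first log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\QmFyYmFyYQ\command.exe
C:\WINDOWS\system32\hpha1mon.exe

O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\system32\hpha1mon.exe
O4 - HKLM\..\Run: [{2A-A0-09-9D-DW}] C:\WINDOWS\system32\jnwnw64m.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\larry\svchost.exe
O4 - HKLM\..\Run: [28b2a032] C:\WINDOWS\system32\xwxhntky.dll,b
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64m.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmFyYmFyYQ\command.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
"""

# Core Windows process names that should only ever run from under C:\WINDOWS.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}
VOWELS = set("aeiou")
# A (possibly quoted) path plus the optional ",export" suffix of rundll32-style entries.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))(?:,(\w+))?', re.I)


def looks_random(stem: str) -> bool:
    """7-9 lowercase letters/digits with no vowel at all, e.g. xwxhntky or jnwnw64m."""
    return re.fullmatch(r"[a-z0-9]{7,9}", stem) is not None and not (set(stem) & VOWELS)


def base64_dirname(path: str) -> Optional[str]:
    """Decoded text if a mixed-case directory component is base64 of plain letters."""
    for part in PureWindowsPath(path).parts[1:-1]:
        if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", part) or part in (part.lower(), part.upper()):
            continue
        try:
            decoded = base64.b64decode(part + "=" * (-len(part) % 4))
        except ValueError:  # binascii.Error: not valid base64 after all
            continue
        if decoded.isalpha():
            return decoded.decode("ascii")
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs, in log order, for entries to review first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        owner = None
        if m := re.match(r"O4 - .*Run: \[.*?\] (.*)$", line):
            target = m.group(1)                      # HKLM/HKCU Run value
        elif m := re.match(r"O4 - Startup: .* = (.*)$", line):
            target = m.group(1)                      # Startup-folder shortcut
        elif m := re.match(r"O23 - Service: .* - (.*?) - ([A-Za-z]:\\.*)$", line):
            owner, target = m.group(1), m.group(2)   # service owner and binary
        elif re.match(r"[A-Za-z]:\\", line):
            target = line                            # 'Running processes' entry
        else:
            continue
        pm = PATH_RE.match(target)
        if not pm:
            continue
        path, export = pm.group(1), pm.group(2)
        name = PureWindowsPath(path).name.lower()
        stem = PureWindowsPath(path).stem.lower()
        if owner == "Unknown owner":
            findings.append(("service with unknown owner", line))
        if export:
            findings.append(("Run entry loads a DLL export (rundll32 style)", line))
        if name in SYSTEM_NAMES and not path.upper().startswith("C:\\WINDOWS\\"):
            findings.append(("system binary name outside the Windows directory", line))
        if looks_random(stem):
            findings.append(("random-looking file name", line))
        decoded = base64_dirname(path)
        if decoded:
            findings.append((f"directory name is base64 for {decoded!r}", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

The base64 check is what turns `QmFyYmFyYQ` into a readable name; a helper would still confirm each flagged entry against the rest of the log before fixing it.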

Re: help to remove virus

Unread postby mjq424 » June 1st, 2008, 6:18 am

Hello, and welcome to Malware Removal Forums.
My name is Matt and I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by a Teacher. Thus there may be a small delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you! Not having symptoms of malware doesn't mean that you are clean!
  • Please do not carry out tasks on your own before I reply, as this will only complicate things and may mean that my instructions are useless or dangerous!
  • Please bookmark or favourite this page in case you need it for reference.
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: help to remove virus

Unread postby lrod » June 1st, 2008, 6:23 am

Limewire
lrod
Active Member
 
Posts: 3
Joined: June 1st, 2008, 5:49 am

Re: help to remove virus

Unread postby mjq424 » June 2nd, 2008, 2:17 pm

Hi

Temporarily disable Winpatrol
Winpatrol is very useful for checking what programs start with Windows, but it will interfere with the fix process. Please follow these steps to disable it until your computer is clean.
  1. Right click on the Scotty Dog near the clock and select Options.... A window will open.
  2. Select the Options tab.
  3. Uncheck (untick) this box: Automatically run Winpatrol when computer starts.
  4. Close the Winpatrol window.
  5. Right click on the Scotty Dog again and select Exit Program.
Please remember to re-enable Winpatrol when your computer is clean.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

  • Please go to C:\Program Files\Trend Micro\HijackThis and right click on HijackThis.exe. Select Rename.
  • Type in scanner and press Enter.
  • Double click on scanner to run it.
  • Select Do a system scan and save a logfile. Please post back this log in your next reply.
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: help to remove virus

Unread postby lrod » June 3rd, 2008, 12:32 pm

Here's what you asked for. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:37 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\rnamfler\naofsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hpha1mon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {71FE447B-8C39-416C-AB43-2FC70559847D} - C:\WINDOWS\system32\vtUnmkKA.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\system32\hpha1mon.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/ap ... 2mdlax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Printer Status Server (hpzstatn) - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5301 bytes

ComboFix 08-06-01.6 - larry 2008-06-03 9:02:15.2 - NTFSx86
Running from: C:\Documents and Settings\larry\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\barb\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\barb\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\taskkill.exe
.
---- Previous Run -------
.
C:\Documents and Settings\barb\Application Data\ShoppingReport
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\barb\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\IEToolbar
C:\Program Files\IEToolbar\Toolbar 1.0\autofill_plugin.dll
C:\Program Files\IEToolbar\Toolbar 1.0\autosearch_plugin.dll
C:\Program Files\IEToolbar\Toolbar 1.0\panicButton_plugin.dll
C:\Program Files\IEToolbar\Toolbar 1.0\stations.dll
C:\Program Files\IEToolbar\Toolbar 1.0\tbhelper.dll
C:\Program Files\IEToolbar\Toolbar 1.0\tell_a_friend.dll
C:\Program Files\IEToolbar\Toolbar 1.0\toolbar1.0.dll
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\BM2b8193ae.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\QmFyYmFyYQ\
C:\WINDOWS\QmFyYmFyYQ\\asappsrv.dll
C:\WINDOWS\QmFyYmFyYQ\\command.exe
C:\WINDOWS\QmFyYmFyYQ\command.exe
C:\WINDOWS\system32\aaieyvag.dll
C:\WINDOWS\system32\ajakvygt.dll
C:\WINDOWS\system32\AKkmnUtv.ini
C:\WINDOWS\system32\AKkmnUtv.ini2
C:\WINDOWS\system32\bdqcpgji.dll
C:\WINDOWS\system32\berxnrsr.ini
C:\WINDOWS\system32\berxnrsr.ini2
C:\WINDOWS\system32\bgqinicw.ini
C:\WINDOWS\system32\cjjfbdep.dll
C:\WINDOWS\system32\dJkkkUtv.ini
C:\WINDOWS\system32\dJkkkUtv.ini2
C:\WINDOWS\system32\feagfxmq.dll
C:\WINDOWS\system32\FfPoWGgh.ini
C:\WINDOWS\system32\FfPoWGgh.ini2
C:\WINDOWS\system32\ijgpcqdb.ini
C:\WINDOWS\system32\jqynpcmf.dll
C:\WINDOWS\system32\kefnbghv.dll
C:\WINDOWS\system32\ljqxytms.ini
C:\WINDOWS\system32\lxmadvgt.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\oegmxdcw.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qxoeiidx.dll
C:\WINDOWS\system32\rqRHxxuT.dll
C:\WINDOWS\system32\rsrnxreb.dll
C:\WINDOWS\system32\tgyvkaja.ini
C:\WINDOWS\system32\thdqsgkt.ini
C:\WINDOWS\system32\vlgplcfq.dll
C:\WINDOWS\system32\wciniqgb.dll
C:\WINDOWS\system32\wflriqwb.dll
C:\WINDOWS\system32\xdiieoxq.ini
C:\WINDOWS\system32\yktnhxwx.ini
C:\WINDOWS\system32\ynbqxlhv.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-01 02:54 . 2008-06-01 02:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 01:45 . 2008-06-01 01:45 <DIR> d-------- C:\Program Files\BillP Studios
2008-06-01 01:45 . 2008-06-01 01:45 <DIR> d-------- C:\Documents and Settings\larry\Application Data\WinPatrol
2008-06-01 00:58 . 2008-06-01 00:58 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-01 00:50 . 2008-06-01 00:51 <DIR> d-------- C:\c152e88caaf5453e4a16
2008-05-31 23:41 . 2008-05-31 23:47 <DIR> d-------- C:\!KillBox
2008-05-30 23:43 . 2002-08-14 08:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-05-30 23:30 . 2008-05-30 23:30 4,096 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-05-30 23:29 . 2003-11-21 07:07 82,984 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 23:29 . 2003-11-21 07:07 82,136 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 08:22 . 2008-05-30 09:41 <DIR> d-------- C:\Program Files\Registry Defender Platinum
2008-05-30 08:15 . 2008-05-30 08:16 275,456 --a------ C:\WINDOWS\system32\vtUkkkJd.dll
2008-05-28 23:25 . 2008-05-28 23:25 275,456 --a------ C:\WINDOWS\system32\hgGWoPfF.dll
2008-05-28 23:21 . 2008-05-28 23:21 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-05-28 19:49 . 2008-05-28 19:49 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-05-28 16:00 . 2008-05-28 16:18 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-28 14:57 . 2008-05-28 14:58 401,976 --a------ C:\WINDOWS\system32\g6.exe
2008-05-28 13:58 . 2008-05-28 13:58 275,456 --a------ C:\WINDOWS\system32\vtUnmkKA.dll
2008-05-28 13:54 . 2008-05-28 13:54 200,771 --a------ C:\WINDOWS\system32\ncntokdm.exe
2008-05-28 13:54 . 2008-05-28 13:54 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-28 13:53 . 2008-05-31 17:57 <DIR> d-------- C:\WINDOWS\system32\vntiho05
2008-05-28 13:53 . 2008-05-31 17:57 <DIR> d-------- C:\WINDOWS\system32\rev3
2008-05-28 13:53 . 2008-05-28 13:53 <DIR> d-------- C:\WINDOWS\system32\pb2
2008-05-28 13:53 . 2008-05-31 18:13 <DIR> d-------- C:\WINDOWS\system32\acom1
2008-05-28 13:53 . 2008-05-31 17:54 <DIR> d-------- C:\WINDOWS\system32\1026c
2008-05-28 13:53 . 2008-06-02 23:21 <DIR> d-------- C:\Temp
2008-05-28 13:53 . 2008-05-28 13:58 <DIR> d--hs---- C:\Documents and Settings\larry\!
2008-05-28 13:39 . 2008-05-30 22:49 <DIR> d-------- C:\Documents and Settings\larry\Application Data\LimeWire
2008-05-28 10:53 . 2008-05-28 10:53 <DIR> d-------- C:\Program Files\Java
2008-05-21 22:57 . 2008-05-21 22:57 <DIR> d-------- C:\Program Files\Snapshot Viewer
2008-05-09 17:06 . 2008-05-09 17:09 <DIR> dr-h----- C:\Program Files\rnamfler
2008-05-09 13:02 . 2008-05-09 13:02 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 06:43 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-31 06:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 06:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-31 06:29 --------- d-----w C:\Program Files\Symantec
2008-05-04 22:49 --------- d-----w C:\Program Files\Real
2008-05-04 22:49 --------- d-----w C:\Program Files\Common Files\Real
2008-04-29 06:18 --------- d-----w C:\Program Files\Google
2008-04-22 02:43 --------- d-----w C:\Documents and Settings\barb\Application Data\SI Swimsuit Calendar
2008-04-09 07:03 --------- d-----w C:\Program Files\QuickTime
2008-04-05 06:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 06:57 49 ----a-w C:\xmp.bat
2004-08-04 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71FE447B-8C39-416C-AB43-2FC70559847D}]
2008-05-28 13:58 275456 --a------ C:\WINDOWS\system32\vtUnmkKA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [2000-08-04 08:58 46595]
"HPHA1MON"="C:\WINDOWS\system32\hpha1mon.exe" [2000-08-04 09:02 65536]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 847872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-09 00:03 413696]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 06:30 70816]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2004-03-17 13:23 74880]

C:\Documents and Settings\barb\Start Menu\Programs\Startup\
Reminder-hpc40415.lnk - C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe [2000-08-04 09:03:02 74755]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

R2 hpzstatn;Printer Status Server;C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe [2000-08-04 09:02]
S1 mnmddd;mnmddd;C:\WINDOWS\system32\drivers\mnmddd.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 06:46:12 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - larry.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-06-03 15:57:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 09:05:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 9:19:10
ComboFix-quarantined-files.txt 2008-06-03 16:19:05

Pre-Run: 8,017,911,808 bytes free
Post-Run: 8,011,583,488 bytes free

201 --- E O F --- 2008-05-14 12:01:00
lrod
Active Member
 
Posts: 3
Joined: June 1st, 2008, 5:49 am

Re: help to remove virus

Unread postby mjq424 » June 4th, 2008, 4:30 am

Hi
  1. Please go to C:\Program Files\Trend Micro\HijackThis and right click on HijackThis.exe. Select Rename.
  2. Type in scanner and press Enter.
  3. Double click on scanner to run it.
  4. Select Do a system scan and save a logfile. Please post back this log in your next reply.

LimeWire
You have LimeWire, a P2P/file sharing program, installed on your computer. P2P apps like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Install Windows Recovery Console

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

    Image


  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    Image

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: help to remove virus

Unread postby mjq424 » June 7th, 2008, 11:46 am

Hi
Do you still need assistance? Are you having trouble with my previous instructions?
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: help to remove virus

Unread postby Shaba » June 11th, 2008, 1:03 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland