Antivirus virus, help.


Re: Antivirus virus, help.

Post by Chaues » January 15th, 2009, 3:00 am

The coooombo,


ComboFix 09-01-13.04 - Robert 2009-01-15 0:47:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1648 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090114-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert\My Documents\LimeWire
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\AlbumArt_{8DE7B6AA-DE60-4A4F-B560-BBF560097645}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\AlbumArt_{8DE7B6AA-DE60-4A4F-B560-BBF560097645}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\AlbumArt_{C404D89D-E301-4CDB-ADF7-2302A005EDAE}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\AlbumArt_{C404D89D-E301-4CDB-ADF7-2302A005EDAE}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\AlbumArtSmall.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\desktop.ini
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\Folder.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\T-11657581-Seether- No Jesus Christ.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\T-2923103-Rehab - Bust It.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\T-5447139-Rehab - Magic.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\UCET6XQRUF7OAH6Y6G7KGSDJY4QEGO2Q\.datNeil.Gaiman.&Terry.Pratchett.-.Good.Omens.rar
c:\documents and settings\Robert\My Documents\LimeWire\Incomplete\UCET6XQRUF7OAH6Y6G7KGSDJY4QEGO2Q\Neil.Gaiman.&Terry.Pratchett.-.Good.Omens.rar
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{32DC7747-09A2-4F46-AC1B-CCFB67E4BD62}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{32DC7747-09A2-4F46-AC1B-CCFB67E4BD62}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{497BCB49-4616-4F3D-A2A7-434E043940C9}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{497BCB49-4616-4F3D-A2A7-434E043940C9}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{4B55432A-BED3-4F73-8EB1-7551087A1789}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{4B55432A-BED3-4F73-8EB1-7551087A1789}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{A37C4921-0BBD-425E-B1C0-4E3B28CA5755}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{A37C4921-0BBD-425E-B1C0-4E3B28CA5755}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{C404D89D-E301-4CDB-ADF7-2302A005EDAE}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{C404D89D-E301-4CDB-ADF7-2302A005EDAE}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{CE98889C-6B02-4433-8975-CA31492973E7}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{CE98889C-6B02-4433-8975-CA31492973E7}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{CF951114-10B3-4CEF-96BF-48139539772F}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{CF951114-10B3-4CEF-96BF-48139539772F}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{D52DE975-0EF9-4C2A-A13E-64300F256566}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArt_{D52DE975-0EF9-4C2A-A13E-64300F256566}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\AlbumArtSmall.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\American Gods\AlbumArt_{ED2122D3-BE2C-424F-BD55-D23831A696D6}_Large.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\American Gods\AlbumArt_{ED2122D3-BE2C-424F-BD55-D23831A696D6}_Small.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\American Gods\AlbumArtSmall.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\American Gods\desktop.ini
c:\documents and settings\Robert\My Documents\LimeWire\Saved\American Gods\Folder.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Apocalyptica - I Don't Care.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Apocalyptica Feat. Corey Taylor - I'm Not Jesus.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Audioslave - Doesn't Remind Me.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Avenged Sevenfold - Afterlife.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Avenged Sevenfold - Critical Acclaim.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Avenged Sevenfold - Crossroads.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Avenged Sevenfold - Scream.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Black Stone Cherry - Blind Man .mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Black Stone Cherry - Violator Girl.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Buckcherry Too Drunk.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\desktop.ini
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Folder.jpg
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Marilyn Manson - If I Was Your Vampire.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Marilyn Manson - Mutilation is the Most Sincere Form of Flattery.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Seether- Fallen.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Seether - No Jesus Christ.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\seether fallen.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Shinedown - Sound of Madness.mp3
c:\documents and settings\Robert\My Documents\LimeWire\Saved\Theory of a Deadman - Bad Girlfriend.mp3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PAVPRSRV
-------\Service_PavPrSrv


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-11 13:22 . 2009-01-11 13:22 <DIR> d-------- c:\program files\Alwil Software
2009-01-11 13:22 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-11 13:04 . 2009-01-11 13:05 250 --a------ c:\windows\gmer.ini
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 20:00 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 16:53 . 2009-01-07 16:53 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-------- c:\program files\ThreatFire
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 10:53 . 2008-12-28 10:53 <DIR> d-------- c:\documents and settings\Robert\Application Data\AdobeUM
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\program files\BillP Studios
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\documents and settings\Robert\Application Data\WinPatrol
2008-12-27 22:47 . 2008-12-28 10:30 <DIR> d-------- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 19:54 --------- d-----w c:\program files\World of Warcraft
2008-12-28 16:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 05:29 --------- d-----w c:\program files\ASUS
2008-12-28 04:47 --------- d-----w c:\program files\The Chronicles of Spellborn
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_13.00.36.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 19:04:54 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-r c:\windows\gmer.exe
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-01-11 19:04:54 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-12-02 21:26:30 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-09 23:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-15 06:49:15 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2008-01-08 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-11 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-11 20560]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S4 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a356b1f1-88f9-11dd-a02f-001fc6ab2ffd}]
\Shell\AutoRun\command - LinksysConnectPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ubao93oa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 00:49:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-15 0:52:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 06:51:55
ComboFix2.txt 2009-01-12 16:10:48
ComboFix3.txt 2009-01-11 19:01:29

Pre-Run: 133,267,329,024 bytes free
Post-Run: 133,316,669,440 bytes free

192 --- E O F --- 2009-01-14 09:01:22



And the Hijack,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:28 AM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4653 bytes
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Post by Odd dude » January 15th, 2009, 4:23 pm

Disable all your protection software as ComboFix needs to run again.

Copy and paste this to notepad:
Code:
@TITLE .
@Nircmd win hide title .
rem Uninstall ComboFix with its own /u switch
start ComboFix /u
rem Run GMER's own uninstall script line by line, skipping its "pause" so the window does not wait
pushd %windir%
for /f "tokens=*" %%i in (gmer_uninstall.cmd) do (
if not "%%i"=="pause" %%i
)
popd
rem Finally the batch file deletes itself
del %0

Save it to your desktop as "clean.bat"
Now make sure your protection software is disabled and then double click clean.bat. A window will flash, ComboFix will be started - all part of the job.

Please delete LSP-Fix and ATF Cleaner from your desktop.

If you want to, you can uninstall Malwarebytes', however I personally recommend that you keep it and run a quick scan once a week. It's a great program and cleans up malware very effectively.

I don't see a firewall installed - let's take care of that next.

Install a firewall
There is no firewall installed on your computer!
Either that, or you're using Windows Firewall, which is not a good idea.

Firewalls are programs that monitor incoming and outgoing connections to your computer. Did you know that, just by connecting to the internet, you are being exposed to hundreds of threats immediately? The way to solve this is to use a firewall, and up-to-date antivirus software.

Windows Firewall only monitors incoming connections. This means that, once you are infected, the malware is free to ask for new instructions, send private data to its creator, or invite its malware buddies to come over. In other words: it's almost as good as no firewall at all.

Download a free for personal use firewall NOW from one of these sources:
COMODO Personal Firewall
Online Armor Free

If you choose COMODO, some things need to be changed during installation:
  • Uncheck Install Comodo Antivirus (Recommended)
  • Choose Firewall Only when asked
  • Uncheck Install COMODO SafeSurf and uncheck the two checkboxes below as well

Update your Adobe Reader
Your version of Adobe Reader is old and may contain security leaks. Please first uninstall the older version (Adobe Reader 7.0), then download and install the newest version from here.

Post a new hijackthis log and a description of any remaining issues.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Post by Chaues » January 16th, 2009, 1:25 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:07 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5294 bytes
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm
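Comparing the two HijackThis logs Chaues posted is what the helper does by eye; the following is an added example (not a HijackThis or MalwareRemoval.com tool) that does it programmatically. It parses short excerpts constructed from the two logs above, reports which processes and entries appeared or disappeared, and flags O4 Run entries that hold a bare executable name instead of an absolute path.

```python
"""Parse two Trend Micro HijackThis v2.0.2 logs and report what changed between them.
Added example, not a HijackThis or MalwareRemoval.com tool; the two logs below are
short excerpts constructed from the ones Chaues posted in this thread."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Entry lines look like "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 Run entries: hive, value name in brackets, then the command line.
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A command starting with a drive letter (optionally quoted) is an absolute path.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
"""


@dataclass
class HJTLog:
    processes: Counter = field(default_factory=Counter)  # lower-cased path -> instances
    entries: dict = field(default_factory=dict)          # kind ("O4", "O23", ...) -> bodies


def parse_hjt(text: str) -> HJTLog:
    """Split a log into its 'Running processes' block and its typed entries."""
    log = HJTLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the process block ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log.processes[line.lower()] += 1  # Windows paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.setdefault(m["kind"], []).append(m["body"])
    return log


def diff_logs(old: HJTLog, new: HJTLog) -> dict:
    """What appeared and what disappeared between two logs of the same machine.
    Counters keep instance counts, so a third svchost.exe shows up as an addition."""
    def flat(log):
        return {(kind, body) for kind, bodies in log.entries.items() for body in bodies}
    return {
        "processes_added": sorted((new.processes - old.processes).elements()),
        "processes_removed": sorted((old.processes - new.processes).elements()),
        "entries_added": sorted(flat(new) - flat(old)),
        "entries_removed": sorted(flat(old) - flat(new)),
    }


def unresolved_run_entries(log: HJTLog) -> list:
    """O4 Run entries whose command is a bare name rather than an absolute path.
    HijackThis prints the value as-is; ComboFix resolved the same entry on this
    machine to c:\\windows\\system32\\nwiz.exe. Such entries are worth checking by
    hand, because which file actually runs depends on the PATH search order."""
    found = []
    for body in log.entries.get("O4", []):
        m = RUN_RE.match(body)
        if m and not ABS_PATH_RE.match(m["cmd"]):
            found.append((m["name"], m["cmd"]))
    return found


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for key, value in diff_logs(before, after).items():
        print(key, value)
    print("unresolved Run entries:", unresolved_run_entries(before))
```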

Re: Antivirus virus, help.

Post by Odd dude » January 16th, 2009, 10:10 am

If you don't have any other issues, then I think all the malware is gone!
If you still have any issues, let me know so we can dig deeper. Otherwise....


Congratulations!

As far as I can tell, you are CLEAN!




Have a big cup of Image, sit back & relax, and now please follow a few of the following tips; they will dramatically reduce your chance of getting infected again.


  • Turn on Automatic Updates if you have not done so. It is MANDATORY to keep your Windows updated, otherwise you are vulnerable to exploits! To turn on Automatic Updates: click Start > Control Panel > Security Centre > Automatic Updates.

Below are optional items. It's highly recommended to read them through, but decide for yourself how many of these recommendations (if any) you follow.

  • Install WinPatrol from here. Instructions for use are here.

  • Install SpywareBlaster to protect you from bad sites. Download - How to use it

  • Install a custom hosts file. Let's say I have a directory of 640kb's worth of bad sites. Let's say I can make sure you will never be able to access those sites, so you will never get any infection from those sites. It's like blocking a site - without site blocking tools. How would you like to never be able to visit (a lot, but not all of the) malware-infected sites again? Well, now you can!
    First, we must disable a service, as Windows cannot work with a very large hosts file while that service is active. This will not affect anything else.
    The disabling routine:
    1. Click Start, then Run
    2. Copy and paste the following:
      Code:
      sc config dnscache start= disabled
    3. Click OK.
    Next, you can download the custom hosts file from here. Installation instructions can be found there as well.

  • Install Sandboxie. Sandboxie isolates programs into a sandbox. When you get infected, and the program that caused this (i.e. Internet Explorer) is inside the sandbox, the infection will remain trapped inside the sandbox. Then it only takes a few clicks to empty the sandbox and thus kill the virus. Sandboxie is completely free! Download it here.
Note that using Sandboxie does not guarantee that you will never get infected. Some malware can bypass Sandboxie, so don't let your guard down!

Please reply to this thread once more so we know it can be archived


Happy surfing!! :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
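The custom hosts file advice above works only if the file really is a pure blocklist, i.e. every name maps to a sinkhole address. As an added example (not code from this thread or from any hosts-file project), here is a small audit script: it parses a constructed sample hosts file, lists the sinkholed names, flags duplicates, malformed lines and any entry that sends a real name to a non-sinkhole address, and shows that hosts matching is exact, with no wildcards.

```python
"""Audit a Windows hosts file that is used as a site blocklist.
Added example, not code from this thread or from any hosts-file project; the sample
hosts content below is constructed and uses reserved .test names and documentation IPs."""
import ipaddress
import re

# Addresses a blocklist may legitimately point names at (nothing answers there).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})*$", re.I)

HOSTS_SAMPLE = """\
# constructed sample, not a real blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 ads.example.test            # duplicate of the line above
127.0.0.1 tracker.example.test www.tracker.example.test
192.0.2.10 update.example.test      # not a sinkhole: sends a real name elsewhere
0.0.0.0 bad host name!
"""


def audit_hosts(text: str) -> dict:
    """Classify every line: sinkholed names, redirects to real addresses, malformed lines."""
    blocked, redirects, malformed = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        names = parts[1:]
        if not names or not all(HOSTNAME_RE.match(n) for n in names):
            malformed.append((lineno, raw))
            continue
        for name in names:
            if str(addr) in SINKHOLES:
                blocked.setdefault(name.lower(), []).append(lineno)
            else:
                # A blocklist should contain sinkhole addresses only; an entry that
                # points a real name at some other address needs manual verification.
                redirects.append((lineno, name.lower(), str(addr)))
    return {
        "blocked": blocked,
        "duplicates": sorted(n for n, lines in blocked.items() if len(lines) > 1),
        "redirects": redirects,
        "malformed": malformed,
    }


def is_blocked(report: dict, hostname: str) -> bool:
    """hosts entries are exact matches: blocking www.x.test does not block x.test,
    and nothing in the file acts as a wildcard."""
    return hostname.lower().rstrip(".") in report["blocked"]


if __name__ == "__main__":
    report = audit_hosts(HOSTS_SAMPLE)
    print(len(report["blocked"]), "names sinkholed;", len(report["duplicates"]), "duplicated")
    print("redirects:", report["redirects"])
    print("malformed:", report["malformed"])
```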

Re: Antivirus virus, help.

Post by Chaues » January 16th, 2009, 3:59 pm

Thanks :)
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Post by Odd dude » January 16th, 2009, 4:44 pm

Any time :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Post by Vino Rosso » January 17th, 2009, 5:20 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link: >Donations For Malware Removal<

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)