Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
Am really stumped - please help!
-
02-01-2009 3:10pm#1Hi,
My fiance was using the computer a couple of days ago and a message popped up saying "your computer is infected - click here to clean it" or something like that so good man that he is
he clicked on it and installed this "Internet Antivirus" programme of some sort.
I tried to remove it using Add/Remove Programmes.
I then tried to install Kaspersky's antivirus programme but it stalled halfway during installation.
I then rebooted the machine but now it will not start the normal way - when the screen says "Windows is loading" the progress bar goes 3/4 of the way through then stops.
I can start it in Safe Mode. I ran Spybot and it found 2 things that it cleaned, I ran a registry cleaner (UniBlue). I cannot uninstall Kaspersky in safe mode.
Am not really sure what to do now. I ran Combi Fix and also have the latest Hijackthis log: can anyone help?
Many thanks,
wild(sad)saffy
CombiFix
ComboFix 09-01-01.02 - Administrator 02/01/2009 14:39:01.1 - NTFSx86 NETWORK
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.246.76 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
c:\winnt\IE4 Error Log.txt
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_LOGON_TERMINAL_MANAGER
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2009-01-02 12:49 . 09-01-02 12:49 <DIR> d
c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 12:49 . 09-01-02 12:49 <DIR> d
c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 12:49 . 09-01-02 12:49 <DIR> d
c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 12:49 . 09-01-02 12:49 <DIR> d
c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-31 16:42 . 08-12-31 16:42 96,559 --a
c:\winnt\system32\drivers\klin.dat
2008-12-31 16:42 . 08-12-31 16:42 87,855 --a
c:\winnt\system32\drivers\klick.dat
2008-12-31 16:32 . 08-12-31 16:32 <DIR> d
c:\program files\Kaspersky Lab
2008-12-31 14:16 . 08-12-31 15:16 <DIR> d
c:\documents and settings\Administrator\Application Data\Internet Antivirus Pro
2008-12-31 10:49 . 08-12-31 14:16 2,087,005 --a
c:\program files\Common Files\InternetAntivirusPro.exe
2008-12-31 10:36 . 08-12-31 14:16 34,816 --a
c:\program files\Common Files\file.exe
2008-12-28 06:34 . 08-12-28 06:34 54,156 --ah
c:\winnt\QTFont.qfn
2008-12-28 06:34 . 08-12-28 06:34 1,409 --a
c:\winnt\QTFont.for
2008-12-22 20:44 . 08-12-22 20:44 <DIR> d
c:\documents and settings\Administrator\Application Data\LegalSounds
2008-12-02 19:12 . 08-07-18 22:09 25,800 --a
c:\winnt\system32\wuapi.dll.mui
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 14:11
d
w c:\program files\Panda Security
2009-01-02 14:10
d
w c:\program files\Uniblue
2009-01-02 13:03
d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 12:54
d
w c:\program files\Spybot - Search & Destroy
2009-01-01 16:43
d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 16:23
d
w c:\program files\XoftSpySE
2009-01-01 16:16
d
w c:\program files\Actinic Ecommerce v6
2008-12-31 16:32
d
w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-24 18:08
d
w c:\documents and settings\Administrator\Application Data\LimeWire
2008-12-05 20:38
d
w c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2008-12-05 20:37
d---a-w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-11-16 02:06 58,000 ----a-w c:\winnt\system32\drivers\cdr4_2K.sys
2008-11-16 02:06 57,344 ----a-w c:\winnt\uneng.exe
2008-11-16 02:06 23,420 ----a-w c:\winnt\system32\drivers\cdralw2k.sys
2008-11-16 02:06
d
w c:\program files\Common Files\Adaptec Shared
2008-11-11 11:10
d
w c:\documents and settings\Administrator\Application Data\uTorrent
2008-01-13 20:44 13 -c-h--w c:\documents and settings\All Users\Application Data\ÙÝÃÄ3113›.sys
2007-12-09 22:15 13 -c-h--w c:\documents and settings\All Users\Application Data\ÝÙÃÄ3113›.sys
2007-10-28 17:26 13 -c-h--w c:\documents and settings\All Users\Application Data\ØÒÝÃÄ3113›.sys
2006-09-27 21:54 271 ---h--w c:\program files\desktop.ini
2006-09-27 21:54 21,952 ---h--w c:\program files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows logon process"="c:\documents and settings\Administrator\Application Data\Microsoft\Windows\winlogon.exe" [08-12-31 14:16 34816]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 8192 c:\winnt\system32\CTFMON.EXE]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [08-03-25 03:21 218496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-14 12:00 111376 c:\winnt\system32\mobsync.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-14 12:00 186640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\winnt\system32\DRIVERS\klfltdev.sys [2008-03-13 23312]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2006-10-18 49776]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-01-29 32784]
S2 Blink2PnP;Blink2PnP;c:\winnt\twain_32\SiPix\SCBlink2\Srvany.exe [2006-11-25 13312]
S2 olMntrService;olMntrService;"c:\program files\Olivetti\ANY_WAY\olMntrService.exe" [2006-07-24 86016]
S3 DCamUSBBVI;SiPix StyleCam Rave/Snap Dual Mode Camera;c:\winnt\system32\Drivers\biomini.sys [2006-11-25 397440]
S3 Winacpci;Winacpci;c:\winnt\system32\DRIVERS\winacpci.sys [2006-11-11 602128]
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
2008-12-29 c:\winnt\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
2008-06-20 c:\winnt\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
2009-01-01 c:\winnt\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [08-10-15 14:21 ]
2009-01-01 c:\winnt\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [08-10-15 14:21 ]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-CTFMON - (no file)
.
Supplementary Scan
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\system32\blank.htm
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
c:\winnt\Downloaded Program Files\QOLCheck.ocx - O16 -: {483EB14D-AF1C-4951-81B0-4E2B41829FF6}
hxxps://www.select2perform.com/cabs/QOLCheck.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xfui7815.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - The_Pirate_Bay Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 14:47:27
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
\WINNT\explorer.exe [548] 0x8147E900
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29C7572E-368C-9746-3DB4E03B0C8852AE}\{D5583F53-2F82-8141-B7E22169E34927D8}\{884189AF-2B25-871B-C10F8549E6A3D936}*NULL*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,\
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\l3codeca.acm
c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
.
Completion time: 2009-01-02 14:50:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 14:50:24
Pre-Run: 11,631,017,984 bytes free
Post-Run: 11,587,047,424 bytes free
158 --- E O F --- 2008-07-29 07:27:19
HiJack This
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:29, on 02/01/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\keeping computer clean\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\ctfmon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Microsoft Windows logon process] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213905170328
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://ncgesrv02.ncge.ie/Remote/msrdp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (file missing)
O23 - Service: Blink2PnP - Unknown owner - C:\WINNT\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
--
End of file - 5183 bytes0
Comments
Advertisement