
Antivirus says clean but...

  • 09-08-2009 9:45am
    #1
    Closed Accounts Posts: 584 ✭✭✭


    Hey Guys, I've recently had a nice long enjoyable session of homicidal rage at trying to remove some malware from my computer.
    I am unable to access Microsoft.com and other sites such as Symantec (all other sites are fine). Also I am constantly redirected to Ask.com, and to make matters slightly worse I've had a fair few bluescreens, and when I tried to install McAfee it encountered an unspecified error and tried to close over 50 times! It installed but now is unable to run virus scans. Here's my HijackThis and Rooter analysis (Spybot AND Windows Malicious Software Removal Tool have stopped finding anything.)

    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP . (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Disabled !
    .
    Internet Explorer 6.0.2900.5512
    Mozilla Firefox 3.5.2 (en-GB)
    .
    C:\ [Fixed-NTFS] .. ( Total:372 Go - Free:198 Go )
    D:\ [CD_Rom]
    .
    Scan : 09:39.37
    Path : c:\documents and settings\administrator\my documents\downloads\rooter.exe
    User : Administrator ( Administrator -> YES )
    .
    \\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \SystemRoot\System32\smss.exe (944)
    ______ \??\C:\WINDOWS\system32\csrss.exe (1008)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (1032)
    ______ C:\WINDOWS\system32\services.exe (1076)
    ______ C:\WINDOWS\system32\lsass.exe (1092)
    ______ C:\WINDOWS\system32\nvsvc32.exe (1272)
    ______ C:\WINDOWS\system32\svchost.exe (1360)
    ______ C:\WINDOWS\system32\svchost.exe (1424)
    ______ C:\WINDOWS\System32\svchost.exe (1544)
    ______ C:\Program Files\Ahead\InCD\InCDsrv.exe (1564)
    ______ C:\WINDOWS\system32\svchost.exe (1764)
    ______ C:\WINDOWS\system32\svchost.exe (1884)
    ______ C:\WINDOWS\system32\spoolsv.exe (2028)
    ______ C:\WINDOWS\Explorer.EXE (284)
    ______ c:\program files\intel\amt\atchk.exe (560)
    ______ c:\program files\cyberlink dvd solution\powerdvd\pdvdserv.exe (568)
    ______ c:\program files\ahead\incd\incd.exe (596)
    ______ c:\program files\java\jre6\bin\jusched.exe (680)
    ______ c:\windows\system32\rundll32.exe (812)
    ______ c:\windows\rthdcpl.exe (820)
    ______ c:\program files\mcafee.com\agent\mcagent.exe (884)
    ______ c:\program files\siteadvisor\6172\siteadv.exe (896)
    ______ C:\WINDOWS\system32\svchost.exe (1612)
    ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1784)
    ______ C:\Program Files\Intel\AMT\atchksrv.exe (1792)
    ______ c:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe (1808)
    ______ C:\Program Files\Java\jre6\bin\jqs.exe (156)
    ______ C:\WINDOWS\System32\svchost.exe (264)
    ______ C:\Program Files\Intel\AMT\LMS.exe (688)
    ______ C:\WINDOWS\System32\svchost.exe (672)
    ______ C:\WINDOWS\System32\svchost.exe (1492)
    ______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (876)
    ______ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (2280)
    ______ C:\WINDOWS\System32\svchost.exe (2576)
    ______ C:\WINDOWS\System32\svchost.exe (2620)
    ______ C:\Program Files\McAfee\MPF\MPFSrv.exe (2712)
    ______ C:\Program Files\McAfee\MSK\MskSrver.exe (2764)
    ______ C:\Program Files\SiteAdvisor\6172\SAService.exe (2864)
    ______ C:\WINDOWS\system32\svchost.exe (2968)
    ______ C:\Program Files\Intel\AMT\UNS.exe (3032)
    ______ C:\WINDOWS\system32\svchost.exe (3636)
    ______ C:\WINDOWS\System32\alg.exe (3132)
    ______ C:\WINDOWS\System32\svchost.exe (2940)
    ______ C:\WINDOWS\system32\23.tmp (4740)
    ______ c:\program files\mozilla firefox\firefox.exe (5408)
    ______ C:\WINDOWS\system32\wuauclt.exe (4372)
    ______ c:\PROGRA~1\mcafee\msc\mcuimgr.exe (5292)
    ______ c:\windows\system32\cmd.exe (5660)
    ______ c:\program files\java\jre6\bin\jucheck.exe (5816)
    ______ C:\WINDOWS\system32\lodupgd.jpg (340)
    ______ c:\PROGRA~1\mcafee\msc\mcupdmgr.exe (5232)
    ______ c:\documents and settings\administrator\my documents\downloads\rooter.exe (4220)
    .
    \\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:400077586944)
    .
    \\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\McDefragTask.job
    C:\WINDOWS\Tasks\McQcTask.job
    C:\WINDOWS\Tasks\SA.DAT
    .
    \\ Registry
    .
    .
    \\ Files & Folders
    .
    \\ Scan completed at 09:39.47
    .
    C:\Rooter$\Rooter_1.txt - (09/08/2009 | 09:39.47)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:44:52, on 09/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\intel\amt\atchk.exe
    c:\program files\cyberlink dvd solution\powerdvd\pdvdserv.exe
    c:\program files\ahead\incd\incd.exe
    c:\program files\java\jre6\bin\jusched.exe
    c:\windows\system32\rundll32.exe
    c:\windows\rthdcpl.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\program files\siteadvisor\6172\siteadv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Intel\AMT\atchksrv.exe
    c:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\AMT\UNS.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\23.tmp
    c:\program files\mozilla firefox\firefox.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    c:\program files\java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\lodupgd.jpg
    c:\program files\trend micro\hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13170&l=dis
    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {B42BF63C-5354-4c5c-A789-66EFEEC5E1B0} - C:\WINDOWS\system32\AcroIEHelpe.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215439667390
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215439659031
    O17 - HKLM\System\CCS\Services\Tcpip\..\{294C4EE8-FD03-436B-A7B3-31540784C933}: NameServer = 62.231.32.10,62.231.32.11
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

    --
    End of file - 8117 bytes


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Download RootRepeal.zip or from here and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
      If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

      To attach a file, do the following:
      • Click Add Reply
      • Under the reply panel is the Attachments Panel
      • Browse for the attachment file you want to upload, then click the green Upload button
      • Once it has uploaded, click the Manage Current Attachments drop down box
      • Click on attach_add.png to insert the attachment into your post


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      Hi,
      I tried to run it and got this error:
      attempted to read from address 0x00bd9000


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      Here we go

      ROOTREPEAL (c) AD, 2007-2009
      ==================================================
      Scan Start Time: 2009/08/09 10:40
      Program Version: Version 1.3.3.0
      Windows Version: Windows XP SP3
      ==================================================

      Drivers
      Name: dump_atapi.sys
      Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
      Address: 0xB40F5000 Size: 98304 File Visible: No Signed: -
      Status: -

      Name: dump_WMILIB.SYS
      Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
      Address: 0xB85FE000 Size: 8192 File Visible: No Signed: -
      Status: -

      Name: giveio.sys
      Image Path: giveio.sys
      Address: 0xB8671000 Size: 1664 File Visible: No Signed: -
      Status: -

      Name: rootrepeal.sys
      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
      Address: 0xB334F000 Size: 49152 File Visible: No Signed: -
      Status: -

      Name: speedfan.sys
      Image Path: speedfan.sys
      Address: 0xB85AE000 Size: 5248 File Visible: No Signed: -
      Status: -

      Hidden/Locked Files
      Path: c:\windows\system32\drivers\ndis.sys
      Status: Size mismatch (API: 182656, Raw: 212224)

      Path: C:\Documents and Settings\Administrator\Local Settings\Temp\WER0c5a.dir00
      Status: Visible to the Windows API, but not on disk.

      Path: C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{DFE1522A-21D2-4725-8A1E-7F8E590177C9}.log-journal
      Status: Invisible to the Windows API!

      Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\B995N3BY\video.google.com\s
      Status: Size mismatch (API: 182656, Raw: 0)

      Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\B995N3BY\void.snocap.com\s
      Status: Size mismatch (API: 182656, Raw: 0)

      Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
      Status: Size mismatch (API: 182656, Raw: 0)

      Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
      Status: Size mismatch (API: 182656, Raw: 0)

      Stealth Objects
      Object: Hidden Module [Name: svchost.exe]
      Process: svchost.exe (PID: 1092) Address: 0x01000000 Size: 40960

      Object: Hidden Module [Name: svchost.exe]
      Process: svchost.exe (PID: 1228) Address: 0x01000000 Size: 40960

      Object: Hidden Module [Name: svchost.exe]
      Process: svchost.exe (PID: 1780) Address: 0x01000000 Size: 40960

      Object: Hidden Module [Name: svchost.exe]
      Process: svchost.exe (PID: 2344) Address: 0x01000000 Size: 40960

      Object: Hidden Module [Name: svchost.exe]
      Process: svchost.exe (PID: 2356) Address: 0x01000000 Size: 40960

      ==EOF==


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      Also, the virus keeps turning off my computer and has disabled McAfee virus scan etc.


    • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      hi

      Please download DDS and save it to your desktop.
      • Disable any script blocking protection
      • Double click dds.pif to run the tool.
      • When done, two DDS.txts will open.
      • Save both reports to your desktop.


      Please include the contents of the following in your next reply:

      DDS.txt
      Attach.txt.


    • Closed Accounts Posts: 41 Matt22


      What you should do is download Malwarebytes and Superantispyware. Update both definitions and do full scans with both. If they don't solve your problem I'll be very surprised.

      http://www.malwarebytes.org/

      http://www.superantispyware.com/


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      Unable to access DDS website, Malwarebytes 19 things

      can't access http://www.superantispyware.com/

      Here's my Malwarebytes log:
      Malwarebytes' Anti-Malware 1.40
      Database version: 2551
      Windows 5.1.2600 Service Pack 3

      10/08/2009 13:23:14
      mbam-log-2009-08-10 (13-23-14).txt

      Scan type: Full Scan (C:\|)
      Objects scanned: 212048
      Time elapsed: 29 minute(s), 52 second(s)

      Memory Processes Infected: 2
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 3
      Folders Infected: 0
      Files Infected: 13

      Memory Processes Infected:
      C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Unloaded process successfully.
      C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Unloaded process successfully.

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\AcroIEHelpe.dll (Spyware.Banker) -> Quarantined and deleted successfully.
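
The `lodupgd.jpg` process that Malwarebytes unloads in the log above was already visible in the Rooter process list in the first post, next to `23.tmp`: running images in `system32` whose extension is not `.exe`. A triage check for that pattern, as an added example (not code from the thread or from any tool named in it); the sample log is constructed from lines of that post, and the `C:\WINDOWS` expansion of `\SystemRoot` and the `.exe`-only allowlist are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines in the shape of the Rooter log above.
SAMPLE_ROOTER_LOG = r"""
\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (944)
______ \??\C:\WINDOWS\system32\csrss.exe (1008)
______ C:\WINDOWS\system32\svchost.exe (1360)
______ C:\WINDOWS\system32\23.tmp (4740)
______ c:\program files\mozilla firefox\firefox.exe (5408)
______ C:\WINDOWS\system32\lodupgd.jpg (340)
.
\\ Scheduled Tasks
"""

SECTION_PREFIX = "\\\\ "            # Rooter section headers start with two backslashes
ASSUMED_SYSTEMROOT = r"C:\WINDOWS"  # assumption: default XP install location
EXECUTABLE_EXTENSIONS = {".exe"}    # assumption: anything else is worth a look

# "______ <image> (<pid>)" or "Locked <image> (<pid>)"
PROC_LINE = re.compile(r"^(?:_{6}|Locked)\s+(?P<image>.+?)\s+\((?P<pid>\d+)\)$")


def normalize(image):
    """Turn NT-style prefixes into a plain drive-letter path."""
    if image.startswith("\\??\\"):
        image = image[4:]
    if image.lower().startswith("\\systemroot\\"):
        image = ASSUMED_SYSTEMROOT + image[len("\\SystemRoot"):]
    return image


def parse_processes(log_text):
    """Return (image, pid) pairs from the Processes section only."""
    procs = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_PREFIX):
            in_section = line[len(SECTION_PREFIX):].strip().lower() == "processes"
            continue
        if not in_section:
            continue
        match = PROC_LINE.match(line)
        if match:
            procs.append((normalize(match["image"]), int(match["pid"])))
    return procs


def suspicious_images(log_text):
    """Flag running images whose file extension is not an executable one."""
    hits = []
    for image, pid in parse_processes(log_text):
        if "\\" not in image:
            continue  # pseudo-processes such as "System" have no file path
        ext = PureWindowsPath(image).suffix.lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            hits.append((pid, image, ext or "(none)"))
    return hits


if __name__ == "__main__":
    for pid, image, ext in suspicious_images(SAMPLE_ROOTER_LOG):
        print(f"PID {pid}: {image} runs from a {ext} file")
```

A hit is a lead for further inspection, not a verdict: the extension check says nothing about processes hiding behind legitimate names, such as the hidden `svchost.exe` modules in the RootRepeal report.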


    • Closed Accounts Posts: 41 Matt22


      OK. If Malwarebytes didn't solve your problem completely, try downloading superantispyware from here

      http://filehippo.com/download_superantispyware/


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      Right, Superantispyware AND Spybot and Malwarebytes found nothing, yet I still can't access Microsoft.com etc.?


    • Closed Accounts Posts: 41 Matt22


      Try running ccleaner now

      http://www.ccleaner.com/

      And failing that, try rebooting (restarting Windows for the non tech savvy)


    • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      that's not going to help


      Please download ComboFix from Here or Here to your Desktop.

      **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
      1. If you are using Firefox, make sure that your download settings are as follows:
        • Tools->Options->Main tab
        • Set to "Always ask me where to Save the files".
      2. During the download, rename Combofix to Combo-Fix as follows:

        CF_download_FF.gif

        CF_download_rename.gif

      3. It is important you rename Combofix during the download, but not after.
      4. Please do not rename Combofix to other names, but only to the one indicated.
      5. Close any open browsers.
      6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

        • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
        • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

        • Close any open browsers.
        • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
        • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
        • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

      7. Double click on combo-Fix.exe & follow the prompts.
      8. When finished, it will produce a report for you.
      9. Please post the "C:\Combo-Fix.txt" for further review.
      **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


    • Closed Accounts Posts: 41 Matt22


      It might help as it cleans out the internet cache, so whatever was stopping them from going to those sites should be gone after a clear out from ccleaner.


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      It says that Combofix has been compromised


    • Registered Users Posts: 2,089 ✭✭✭henryporter


      Try downloading http://www.simplysup.com/tremover/download.html Trojan Remover - it has a thirty-day free use. Worked on mine last week - had a backdoor.bot that every other malware remover couldn't shift. May need to have two or three goes to fix it. Also need to download the updates separately for some reason.

      Also download ATF Cleaner at http://download.cnet.com/ATF-Cleaner/3000-18512_4-89432.html to clear caches, temporary files etc.


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      I've tried AVG, Malwarebytes, Spybot and Superantispyware and it's starting to get frustrating.

      I may just have to format and reinstall


    • Closed Accounts Posts: 41 Matt22


      Did you try ccleaner?

      Also, try Prevx and see if that works.

      Don't give up just yet.


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      Just tried CCleaner and nothing. Do you have a non-direct link for a free version of Prevx?


    • Closed Accounts Posts: 41 Matt22


      When you say you tried ccleaner and you say nothing, do you mean you still can't get onto certain websites?

      Also, here's the link for Prevx

      http://info.prevx.com/downloadcsi.asp

      Unfortunately there's no free version though, but it does have superb detection.


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      I already paid for McAfee yesterday, I'm certainly not shelling out any more money.

      Yes, I am unable to connect to certain websites including the link you just gave me.


    • Closed Accounts Posts: 41 Matt22


      It's only 25 euro for a license so it's worth getting imo. And if it doesn't find anything then you can always uninstall it.

      Anyway, McAfee is useless so you'll need to use something else for proper virus protection.

      Also, before you reinstall Windows, try uninstalling McAfee, use ccleaner once more and then reboot the computer. If that doesn't work then just back up your files and reinstall Windows if you want to give up.


    • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      don't waste your money on products that won't help


      Download the GMER Rootkit Scanner. Unzip it to your Desktop.

      Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

      Double-click gmer.exe. The program will begin to run.

      **Caution**
      These types of scans can produce false positives. Do NOT take any action on any
      "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

      If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
      • Click NO
      • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
      • Now click the Scan button.
        Once the scan is complete, you may receive another notice about rootkit activity.
      • Click OK.
      • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
      • Save it where you can easily find it, such as your desktop.
      Post the contents of GMER.txt in your next reply.


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      I can't run that program; it brings up the 'error must close' message. Should I try and save the error report?


    • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      got a nasty new rootkit here

      Please download this tool by sUBs, and save it to your desktop.
      • Close any applications that you have open, as your computer will be rebooted
      • Double click +++.exe to run the tool
      • When it has run it will reboot your computer, you may then delete the tool


    • Closed Accounts Posts: 584 ✭✭✭dizzywizlw


      that crashes my Firefox.

      On a better note, the genius that 'helped' my family by building us a new PC didn't give me any driver disc or the copy of XP or install the i386 folder so no formatting


    • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      can you try to transfer it over via a USB key or try a different browser?

