
Virus w32myzorfk@f

  • 10-05-2007 08:13PM #1
    Posts: 650 ✭✭✭


    Anybody heard of this virus? Can't seem to get rid of it. Tried McAfee, Windows Defender, AVG Anti-Rootkit. Any ideas?


Comments

  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    Do this and we'll get rid of it tonight if you want.

    Please download the self-extracting version of HijackThis from here:

    HijackThis_sfx download

    Save HijackThis_sfx to your desktop.

    Double-click the file then click the Unzip button. Then close the Self-Extractor window.

    Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

    Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

    Open HijackThis and click "Do a system scan and save a log file". Copy the entire contents of that log and post it here.


  • cichlid child (Posts: 650 ✭✭✭)


    Sorry about the delay.
    Logfile of HijackThis v1.99.1
    Scan saved at 23:45:37, on 10/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\WINDOWS\system32\UAService7.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\pierce\Desktop\New Folder\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - C:\Program Files\Video AX Object\bpvol.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - C:\Program Files\Video AX Object\splug.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [funk] funk.exe
    O4 - HKLM\..\Run: [ppmate] C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kevin.COMPUTER\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/eng/darts_2_0_0_35.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: NameServer = 85.255.115.90,85.255.112.225
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C12C94F4-ADDC-4ED8-88D0-4FA3480461BF}: NameServer = 85.255.115.90,85.255.112.225
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    No problem. Do this while I analyse your log:

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


  • cichlid child (Posts: 650 ✭✭✭)


    "pierce" - 2007-05-11 0:13:28 Service Pack 2
    ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\pierce\Desktop\combo\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))


    2007-05-08 16:21 1,060,864 --a C:\WINDOWS\SYSTEM32\MFC71.dll
    2007-05-08 16:21 1,047,552 --a C:\WINDOWS\SYSTEM32\MFC71u.dll
    2007-05-08 16:21 <DIR> d C:\Saves
    2007-05-08 16:21 <DIR> d C:\Program Files\Datel
    2007-05-08 16:21 <DIR> d C:\DOCUME~1\pierce\WINDOWS
    2007-05-04 17:59 <DIR> d C:\Program Files\Windows Defender
    2007-05-03 21:38 <DIR> d C:\Program Files\MSXML 4.0
    2007-05-03 08:23 3,968 --a C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
    2007-05-02 23:00 <DIR> d C:\Program Files\McAfee
    2007-05-02 23:00 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-05-02 22:59 90,112 --a C:\WINDOWS\SYSTEM32\mcrtl32.dll
    2007-05-02 22:59 80,640 --a C:\WINDOWS\SYSTEM32\DRIVERS\MpFirewall.sys
    2007-05-02 22:59 32,768 --a C:\WINDOWS\SYSTEM32\instlsp.exe
    2007-05-02 22:59 131,072 --a C:\WINDOWS\SYSTEM32\mclsp.dll
    2007-05-02 22:59 11,264 C:\WINDOWS\SYSTEM32\sporder.dll
    2007-05-02 22:59 <DIR> d C:\WINDOWS\SYSTEM32\mclsphlr
    2007-05-02 22:58 9,216 --a C:\WINDOWS\SYSTEM32\MpfApi.dll
    2007-05-02 22:56 114,464 --a C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys
    2007-05-02 01:41 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-05-02 01:40 <DIR> d C:\Program Files\SpyLocked 3.6
    2007-05-02 01:39 <DIR> d C:\Program Files\Video AX Object
    2007-04-27 21:25 <DIR> d C:\DOCUME~1\pierce\APPLIC~1\fretsonfire
    2007-04-23 16:48 <DIR> d C:\Program Files\Agatha Christie - Death on the Nile
    2007-04-21 18:11 <DIR> d C:\Program Files\Project64 1.6
    2007-04-19 00:31 <DIR> d C:\Program Files\FLVPlayer


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
    2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
    "{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}"="c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll"
    "{3EC8255F-E043-4cae-8B3B-B191550C2A22}"="c:\program files\mcafee.com\mps\popupkiller.dll"
    "{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}"="c:\program files\mcafee\spamkiller\mcapfbho.dll"
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
    "{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar1.dll"
    "{D34F5D71-99E4-4D96-91CA-F4104F69B8AE}"="C:\Program Files\Video AX Object\bpvol.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SystemTray"="SysTray.Exe"
    "CARPService"="carpserv.exe"
    "EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
    "funk"="funk.exe"
    "ppmate"="C:\\Program Files\\PPMate\\PPMate\\ppmate.exe -autoplay"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
    "MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
    "MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
    "MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
    "McRegWiz"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{716002db-288c-4bf0-80cd-a467e78d8b55}"="C:\WINDOWS\system32\dxovx.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"="kdpwt.exe"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0




    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0
    WudfServiceGroup WUDFSvc\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77ac1fc2-ac6e-11da-92e3-806d6172696f}]
    Shell\AutoRun\command D:\AutoRun\Demo32.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f568700-9c05-11db-8440-806d6172696f}]
    Shell\AutoRun\command D:\setup.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Tune-up Application Start.job
    C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-11 00:16:46
    Windows 5.1.2600 Service Pack 2 FAT

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-11 0:16:56
    C:\ComboFix-quarantined-files.txt ... 2007-05-11 00:16


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    You have a few nasty infections. Nothing we can't fix though.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

    Open Windows Defender.
    Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.

    Go to Start > Control Panel > Add or Remove Programs > Remove Video AX Object

    Run HijackThis, click "Do a system scan only" and check these entries:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - C:\Program Files\Video AX Object\bpvol.dll
    O4 - HKLM\..\Run: [funk] funk.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: NameServer = 85.255.115.90,85.255.112.225
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C12C94F4-ADDC-4ED8-88D0-4FA3480461BF}: NameServer = 85.255.115.90,85.255.112.225
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225


    Close all windows except for HijackThis and click "Fix checked".

    Delete this file and folder:

    C:\WINDOWS\system32\funk.exe
    C:\Program Files\Video AX Object

    I need you to search for a file for me, so do the following :
    Click Start > Search > click All files and folders > click More advanced options > Click Search hidden files and folders > Search for SysTray.Exe

    Once you find it, right-click on SysTray.exe and check if the "Properties" reveals it to be a Microsoft file.

    You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
    http://www.adobe.com/products/acrobat/readstep2.html

    You now need to update your Java and remove your older versions.
    Please follow these steps to remove older version Java components.

    * Click Start > Control Panel.
    * Click Add/Remove Programs.
    * Check any item with Java Runtime Environment (JRE) in the name.
    * Click the Remove or Change/Remove button.

    Download the latest version of Java Runtime Environment (JRE), and install it to your computer.
    http://java.sun.com/javase/downloads/index.jsp
    Go to Java Runtime Environment (JRE) to get it

    Open Windows Defender.
    Click on Tools, General Settings.
    Scroll down and check Turn on real-time protection (recommended).
    After you check this, click on the Save button and close Windows Defender.

    Once you've done ALL this, post the log from FixWareout (report.txt) and a new HijackThis log, and the ComboFix log if you haven't already posted that.
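The entries ActorSeeksJob picked out of the first log come from a few mechanical rules: a BHO with no name or no backing file, a toolbar registration whose DLL is gone, a Run value that is a bare filename rather than a full path (which is why the SysTray.Exe step says to find the file and check its Properties), and O17 NameServer values pointing at resolvers the owner never configured. The Python below is an added illustration and is not part of this thread, of HijackThis or of ComboFix. It applies those rules to lines copied from the first log, and it also pulls the Winlogon "system" value out of ComboFix's Reg Loading Points dump (the kdpwt.exe entry that the Fixwareout report later in the thread shows being reset). TRUSTED_RESOLVERS is a placeholder allowlist, since the thread never names the ISP's DNS servers; with it empty only RFC 1918 addresses pass, and the 192.168.1.1 O17 line in the sample is constructed to exercise that case.

```python
import ipaddress
import re

# Constructed sample: lines copied from the first HijackThis log in this thread, plus
# one O17 line with an RFC 1918 resolver (made up) so the allowlist path is exercised.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - C:\Program Files\Video AX Object\bpvol.dll
O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - C:\Program Files\Video AX Object\splug.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: NameServer = 85.255.115.90,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Constructed sample in ComboFix's "Reg Loading Points" format, copied from the log above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{716002db-288c-4bf0-80cd-a467e78d8b55}"="C:\WINDOWS\system32\dxovx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdpwt.exe"
"""

# Hypothetical allowlist of resolvers the owner really configured; the thread never
# names the ISP's DNS servers, so by default only RFC 1918 addresses pass.
TRUSTED_RESOLVERS = set()

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")

def nameservers(text):
    """Split 'NameServer = a,b' or 'NameServer = a b' into address strings."""
    m = NAMESERVER_RE.search(text)
    return re.split(r"[,\s]+", m.group(1).strip()) if m else []

def resolver_expected(addr):
    """True only for private-range or explicitly trusted resolvers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or addr in TRUSTED_RESOLVERS

def run_entry_image(rest):
    """Executable part of an O4 '[name] command' entry, with surrounding quotes removed."""
    cmd = rest.split("] ", 1)[1] if "] " in rest else rest
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage_hjt(log_text):
    """Return (section, reason, line) for every entry that needs a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O2" and ("(no name)" in rest or "(no file)" in rest):
            findings.append((kind, "BHO with no name or no backing file", raw))
        elif kind == "O3" and "(file missing)" in rest:
            findings.append((kind, "toolbar registration whose DLL is gone", raw))
        elif kind == "O4":
            # A bare filename is found via the search path at logon: locate it and inspect it.
            image = run_entry_image(rest)
            if "\\" not in image and "/" not in image:
                findings.append((kind, "Run value is a bare filename; verify it on disk", raw))
        elif kind == "O17":
            rogue = [a for a in nameservers(rest) if not resolver_expected(a)]
            if rogue:
                findings.append((kind, "NameServer set to unexpected resolver(s): " + ", ".join(rogue), raw))
    return findings

def rogue_resolvers(log_text):
    """Every unexpected DNS server across all O17 lines, deduplicated and sorted."""
    found = set()
    for kind, _reason, raw in triage_hjt(log_text):
        if kind == "O17":
            found.update(a for a in nameservers(raw) if not resolver_expected(a))
    return sorted(found)

def winlogon_system_value(combofix_text):
    """The Winlogon 'system' value from a ComboFix registry dump, or None if absent."""
    # winlogon.exe starts whatever this value names; a clean XP box leaves it empty.
    in_winlogon = False
    for raw in combofix_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_winlogon = line.lower().endswith(r"\winlogon]")
            continue
        if in_winlogon:
            m = re.match(r'"system"="(.*)"$', line, re.IGNORECASE)
            if m:
                return m.group(1)
    return None
```

Nothing it flags is a verdict on its own; the O4 rule in particular only says the file has to be located and inspected, which is the same judgement call the helper handed back to the poster. The O17 finding is the one to act on first: while those two addresses are the machine's resolvers, every name lookup, including the ones made while fetching the fix tools, is answered by whoever runs them. Note that the value is set per adapter GUID as well as under Tcpip\Parameters, and in ControlSet001, ControlSet002 and CurrentControlSet, which is why all five lines have to be fixed together.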


  • cichlid child (Posts: 650 ✭✭✭)


    Fixwareout Last edited 4/5/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdpwt.exe"

    »»»»» System restarted

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other



    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray"="SysTray.Exe"
    "CARPService"="carpserv.exe"
    "EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
    "funk"="funk.exe"
    "ppmate"="C:\\Program Files\\PPMate\\PPMate\\ppmate.exe -autoplay"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
    "MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
    "MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
    "MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
    "McRegWiz"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»
    Logfile of HijackThis v1.99.1
    Scan saved at 02:29:52, on 11/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\pierce\Desktop\New Folder\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - C:\Program Files\Video AX Object\splug.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [ppmate] C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kevin.COMPUTER\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
    O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/eng/darts_2_0_0_35.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    systray.exe is a pf file, not Microsoft


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.


    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.

    Then please run the Panda scan here:
    http://www.pandasoftware.com/products/ActiveScan.htm
    Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.

    Finally we need to run Combofix again (no need to download it again if you still have it on your PC)

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Once you have done all these steps, you need to post the following:
    - C:\rapport.txt from the SmitFraudFix
    - The F-Secure online scan report
    - A new ComboFix log

    Edit: you said systray.exe is a pf file. What is a pf file? Are you absolutely 100% sure it's not from Microsoft?


  • Registered Users, Registered Users 2 Posts: 650 ✭✭✭cichlid child


    SmitFraudFix v2.179

    Scan done at 17:06:55.11, 11/05/2007
    Run from C:\Documents and Settings\pierce\Desktop\smithfraudfix.exe\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{716002db-288c-4bf0-80cd-a467e78d8b55}"="depreciable"

    [HKEY_CLASSES_ROOT\CLSID\{716002db-288c-4bf0-80cd-a467e78d8b55}\InProcServer32]
    @="C:\WINDOWS\system32\dxovx.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{716002db-288c-4bf0-80cd-a467e78d8b55}\InProcServer32]
    @="C:\WINDOWS\system32\dxovx.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\dxovx.dll -> Hoax.Win32.Renos.gen.m
    C:\WINDOWS\system32\dxovx.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\migicons.exe Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\DOCUME~1\pierce\FAVORI~1\Online Security Test.url Deleted
    C:\Program Files\SpyLocked 3.6\ Deleted
    C:\Program Files\Video AX Object\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: ZyXEL USB ADSL Modem - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{E3F584DD-EA0E-4358-ABFE-47F309C6B7A2}: DhcpNameServer=85.255.115.90,85.255.112.225
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{E3F584DD-EA0E-4358-ABFE-47F309C6B7A2}: DhcpNameServer=85.255.115.90,85.255.112.225
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{E3F584DD-EA0E-4358-ABFE-47F309C6B7A2}: DhcpNameServer=85.255.115.90,85.255.112.225
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
    Result: 61 malware found
    Tracking Cookie (spyware)
    · System (Disinfected)
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    · System
    Trojan-Downloader.Win32.Agent.bkd (virus)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP401\A0093209.DLL (Renamed & Submitted)
    Trojan-Downloader.Win32.Zlob.ane (virus)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP385\A0091988.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP384\A0091860.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP383\A0091528.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP383\A0091670.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP382\A0090310.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP382\A0090319.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP382\A0090334.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP382\A0090342.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP382\A0091344.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP381\A0089980.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP381\A0090000.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP381\A0090059.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP381\A0090245.EXE (Renamed & Submitted)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP401\A0093214.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Zlob.aue (virus)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP388\A0092094.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Zlob.bov (virus)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP388\A0092093.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Zlob.bqo (virus)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP395\A0092731.EXE (Renamed & Submitted)
    Trojan.Win32.DNSChanger.hj (virus)
    · C:\SYSTEM VOLUME INFORMATION\_RESTORE{78909761-F358-4FD0-86B3-85FF618FED19}\RP382\A0090327.EXE (Renamed & Submitted)
    Win32.Trojandownloader.Zlob (spyware)
    · System (Disinfected)

    Statistics
    Scanned:
    · Files: 27627
    · System: 4150
    · Not scanned: 6
    Actions:
    · Disinfected: 2
    · Renamed: 19
    · Deleted: 0
    · None: 40
    · Submitted: 19
    Files not scanned:
    · C:\HIBERFIL.SYS
    · C:\PAGEFILE.SYS
    · C:\DOCUMENTS AND SETTINGS\PIERCE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{4DBB5B64-E4BC-4F6B-B957-298952B19F52}
    · C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSYS.DLL
    · C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
    · C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

    Options
    Scanning engines:
    · F-Secure AVP: 7.0.171, 2007-05-11
    · F-Secure Blacklight: 1.0.53
    · F-Secure Draco: 1.0.35, 0260-23-12
    · F-Secure Libra: 2.4.2, 2007-05-11
    · F-Secure Orion: 1.2.37, 2007-05-11
    · F-Secure Pegasus: 1.19.0, 2007-04-02
    Scanning options:
    · Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    · Use Advanced heuristics

    "pierce" - 2007-05-11 21:38:19 Service Pack 2
    ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\pierce\Desktop\combo fix\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))


    2007-05-11 20:12 <DIR> d C:\WINDOWS\SYSTEM32\ActiveScan
    2007-05-11 17:07 3,898 --a C:\WINDOWS\SYSTEM32\tmp.reg
    2007-05-11 17:06 51,200 --a C:\WINDOWS\SYSTEM32\dumphive.exe
    2007-05-11 17:06 288,417 --a C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2007-05-11 00:16 49,152 --a C:\WINDOWS\nircmd.exe
    2007-05-08 16:21 1,060,864 --a C:\WINDOWS\SYSTEM32\MFC71.dll
    2007-05-08 16:21 1,047,552 --a C:\WINDOWS\SYSTEM32\MFC71u.dll
    2007-05-08 16:21 <DIR> d C:\Saves
    2007-05-08 16:21 <DIR> d C:\Program Files\Datel
    2007-05-08 16:21 <DIR> d C:\DOCUME~1\pierce\WINDOWS
    2007-05-04 17:59 <DIR> d C:\Program Files\Windows Defender
    2007-05-03 21:38 <DIR> d C:\Program Files\MSXML 4.0
    2007-05-03 08:23 3,968 --a C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
    2007-05-02 23:00 <DIR> d C:\Program Files\McAfee
    2007-05-02 23:00 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-05-02 22:59 90,112 --a C:\WINDOWS\SYSTEM32\mcrtl32.dll
    2007-05-02 22:59 80,640 --a C:\WINDOWS\SYSTEM32\DRIVERS\MpFirewall.sys
    2007-05-02 22:59 32,768 --a C:\WINDOWS\SYSTEM32\instlsp.exe
    2007-05-02 22:59 131,072 --a C:\WINDOWS\SYSTEM32\mclsp.dll
    2007-05-02 22:59 11,264 C:\WINDOWS\SYSTEM32\sporder.dll
    2007-05-02 22:59 <DIR> d C:\WINDOWS\SYSTEM32\mclsphlr
    2007-05-02 22:58 9,216 --a C:\WINDOWS\SYSTEM32\MpfApi.dll
    2007-05-02 22:56 114,464 --a C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys
    2007-05-02 01:41 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-04-27 21:25 <DIR> d C:\DOCUME~1\pierce\APPLIC~1\fretsonfire
    2007-04-23 16:48 <DIR> d C:\Program Files\Agatha Christie - Death on the Nile
    2007-04-21 18:11 <DIR> d C:\Program Files\Project64 1.6
    2007-04-19 00:31 <DIR> d C:\Program Files\FLVPlayer


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
    2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    "{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}"="c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll"
    "{3EC8255F-E043-4cae-8B3B-B191550C2A22}"="c:\program files\mcafee.com\mps\popupkiller.dll"
    "{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}"="c:\program files\mcafee\spamkiller\mcapfbho.dll"
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
    "{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar1.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SystemTray"="SysTray.Exe"
    "CARPService"="carpserv.exe"
    "EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
    "ppmate"="C:\\Program Files\\PPMate\\PPMate\\ppmate.exe -autoplay"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
    "MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
    "MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
    "MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
    "McRegWiz"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0




    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0
    WudfServiceGroup WUDFSvc\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77ac1fc2-ac6e-11da-92e3-806d6172696f}]
    Shell\AutoRun\command D:\AutoRun\Demo32.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Tune-up Application Start.job
    C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-11 21:42:32
    Windows 5.1.2600 Service Pack 2 FAT

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-11 21:42:50
    C:\ComboFix2.txt ... 2007-05-11 00:16
    C:\ComboFix-quarantined-files.txt ... 2007-05-11 21:42
    OK, I looked for the systray.exe file again; it found 2 files:
    1) systray = is a Microsoft application
    2) systray.EXE-345DCC1C.pf = a pf file
    The computer seems to be grand now, no warnings or viruses or pop-ups, it's great.
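One detail in the SmitFraudFix report above is worth a second look after the cleanup: under "DNS", interface {E3F584DD-EA0E-4358-ABFE-47F309C6B7A2} has DhcpNameServer set to 85.255.115.90 and 85.255.112.225, while the other interface and the Tcpip\Parameters key use the router at 192.168.1.1, and the same two addresses are recorded in CS1 and CS2 as well as CCS, so "Last Known Good Configuration" would carry them too. The report lists these values in that section but does not show them being changed, and the F-Secure scan found Trojan.Win32.DNSChanger.hj in the restore points. The Python below is an added example, not code from the thread or from SmitFraudFix: it parses a constructed sample in the shape of that DNS section, flags resolvers that are neither on the LAN nor in a trusted list you supply, and, on a Windows machine, reads the live values from the registry instead. The trusted list is the assumption to get right: a WAN interface that legitimately gets the ISP's public resolvers over DHCP needs those addresses in the list, because the check is "not the expected set", not "public is bad".

```python
"""Flag per-interface DNS resolvers that do not belong to the local network (added example).

parse_resolvers() reads the "DNS" section of a SmitFraudFix report; read_live_resolvers()
reads the same values from the Tcpip interface keys on a Windows host.
"""
import ipaddress
import re
import sys

# Constructed sample modelled on the posted report: one interface gets the router,
# the other gets two public addresses, and the entry persists in CS1 as well.
SAMPLE_DNS_SECTION = r"""
Description: ZyXEL USB ADSL Modem - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7BE0F488-3845-4369-B34F-252E33A87A5B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E3F584DD-EA0E-4358-ABFE-47F309C6B7A2}: DhcpNameServer=85.255.115.90,85.255.112.225
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E3F584DD-EA0E-4358-ABFE-47F309C6B7A2}: DhcpNameServer=85.255.115.90,85.255.112.225
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
"""

LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): "
    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>.*)$"
)


def parse_resolvers(report_text):
    """Map (control set, interface GUID or 'Parameters', value name) -> [resolver, ...]."""
    out = {}
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        out[(m.group("cset"), m.group("iface") or "Parameters", m.group("key"))] = servers
    return out


def suspicious_resolvers(resolvers, trusted):
    """Return (control set, where, value name, address, reason) for every resolver
    that is not in `trusted` and is not a private or loopback address."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for (cset, where, key), servers in resolvers.items():
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((cset, where, key, s, "not an IP address"))
                continue
            if ip in trusted_ips or ip.is_private or ip.is_loopback:
                continue
            findings.append((cset, where, key, s, "resolver outside the LAN and not in the trusted list"))
    return findings


def read_live_resolvers():
    """Windows only: NameServer/DhcpNameServer for every interface under CurrentControlSet."""
    if sys.platform != "win32":
        raise RuntimeError("registry access needs Windows")
    import winreg  # standard library on Windows builds of CPython
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as k:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        value, _ = winreg.QueryValueEx(k, name)
                    except FileNotFoundError:
                        continue
                    servers = [s for s in re.split(r"[,\s]+", value) if s]
                    if servers:
                        out[("CCS", guid, name)] = servers
    return out


if __name__ == "__main__":
    resolvers = parse_resolvers(SAMPLE_DNS_SECTION)
    for finding in suspicious_resolvers(resolvers, trusted=["192.168.1.1"]):
        print(*finding)
```

With only the router in the trusted list the sample yields four findings, all on interface {E3F584DD-...}: both public addresses in CCS and again in CS1. After a cleanup the practical check is the same one in reverse: run the live read (or `ipconfig /all`) and confirm every interface now lists only the resolvers you expect, since a machine whose resolvers are still someone else's will look clean to every scanner while every lookup it makes is answered by them.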


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yeah looks like we sorted out everything. Just a small thing left to do

    I need you to send me a new HijackThis log.

    We also need to set a new clean System Restore Point, this is how

    Click Start Menu > Run > type (or copy and paste)

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

    Next goto Start Menu > Run > type

    cleanmgr

    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

    To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

    Please do an online scan with Kaspersky WebScanner to see if there's anything we missed.

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan, select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


        We cleaned a lot of nasty infections, your pc should be clean, but the Kaspersky Webscanner will verify it.


      • Registered Users, Registered Users 2 Posts: 650 ✭✭✭cichlid child


            OK, scanned 4 times. When the scan is finished it says 1 virus found, 4 files infected, but at the bottom of the page it says there is an error on the page. There is no save report option. I don't want to bother you any more; I will try to remove it with AVG etc., and then do the scan again.


          • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


            I wouldn't worry about the infection too much.
            Just some recommendations and we're all done here.

            You should get rid of McAfee; it's a big resource hog, not a very good program, and isn't free.
            The same goes for Windows Defender.


            * Keep Windows updated by regularly checking their website at :
            http://windowsupdate.microsoft.com/
            This will ensure your computer has always the latest security updates available installed on your computer.

            * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
            SpywareBlaster protects against bad ActiveX
            IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

            * SpywareGuard offers realtime protection from spyware installation attempts.

            * I recommend the following anti-spyware programs to protect yourself against spyware, make sure you only use one real-time anti-spyware protection program though :
            AVG anti-spyware <-- this is the best by far
            Spybot - Search and Destroy
            Ad-Aware SE Personal

            * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

            * Some good free firewalls are ZoneAlarm, Comodo, or Outpost.
            Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

            * You should also consider changing your anti-virus protection considering how badly infected your pc was. Here are some good programs, make sure you only use one though :
            AVG makes an excellent free antivirus client, as do AntiVir or avast!.

            * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
            Here

            PM me if you have any questions; other than that we're all done :)
            Thanks for doing all the steps


          • Registered Users, Registered Users 2 Posts: 23,216 ✭✭✭✭monkeyfudge


            That's an excellent list of resources there.

            Fair play on helping the guy out too.


          • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


            Thank you, I've done a lot of training in PC Security, and help out on a lot of sites as a volunteer. I'm trying to find an Irish PC Security site to help on but can't find any :(

            Also you should always run anti-virus/anti-spyware scans in safe mode as they will detect and remove a lot more. Some malware just can't be removed in normal mode.

            I helped the admin irlrobins with a HijackThis description for fighting malware here. Love doing this stuff :)


          • Registered Users, Registered Users 2 Posts: 650 ✭✭✭cichlid child


            Thanks again, and as I said, if there's anything I can do to help let me know. If anybody else sees this thread, just to let you know this bloke is amazing, and even if you don't have a virus I would recommend doing all the stuff in the last post. I'm off to get rid of McAfee and more downloading. Thanks.


          • Registered Users, Registered Users 2 Posts: 220 ✭✭pauld


            The most amazing post I have ever read. This post should be a sticky given the number of extremely useful links and explanations provided by ActorSeeksJob. Simply brilliant, well done to you sir.


          • Closed Accounts Posts: 7,230 ✭✭✭scojones


            Top stuff ActorSeeksJob. This sort of resolution would not be lost in the Computer Health forum, providing it gets created! This sort of thread is the reason it should be created. You can show your support here: http://boards.ie/vbulletin/showthread.php?t=2055089446


          • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


            Have posted there :)
            I think it's a wonderful idea, and would love to help if possible.


          • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


            scojones wrote:
            Top stuff ActorSeeksJob. This sort of resolution would not be lost in the Computer Health forum, providing it gets created! This sort of thread is the reason it should be created. You can show your support here: http://boards.ie/vbulletin/showthread.php?t=2055089446
            /passes scojones the promised twenty bob note :)

