# Your computer is infected!



## alalight (Oct 28, 2007)

Can anyone help please? I'm working on a PC (Celeron 2.80GHz / 736MB RAM running XP Pro SP2) but it's got a bad virus. A message (Your computer is infected! etc...) keeps popping up. I've downloaded HijackThis, SDFix and ComboFix, but none of them will open or run in either normal or safe modes. I also uninstalled and installed the latest versions of Ad-Aware and Spybot S&D, but only the Ad-Aware program would run, not Spybot S&D, and it only found cookies and MRU lists, which I removed. Other symptoms include: Disk Defragmenter will not run, and AVG Free 8.0 is not working properly. Is there any hope, or is it a case of re-installing Windows? Thanks in advance. Alalight.


----------



## eddie5659 (Mar 19, 2001)

Hiya

Are you still having this problem? If so, can you post the full warning message you get.

Regards

eddie


----------



## alalight (Oct 28, 2007)

Hello Eddie - thanks very much for replying - I was just about to update my original post. 
Yes, still having this problem. Also, since then, I've tried to open/run MalwareBytes (mbam-setup) and OTScanIt, but nothing happens in either normal or safe modes. (They do appear in Process List [Ctrl+Alt+Del], but that's all.)
The full message that keeps popping up is:
"Your computer is infected!
Windows has detected spyware infection!
It is recomended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware!"
This message appears from a round red icon with a pale cross in the systray.
Can you suggest any other approaches to try? Cheers, Alan.


----------



## eddie5659 (Mar 19, 2001)

Okay, let's see if this works:

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

eddie


----------



## alalight (Oct 28, 2007)

Thanks Eddie. I downloaded SmitFraudFix and tried to run it from Desktop and Root of c: drive, in both normal and safe modes, but every time I got the message "SmitfraudFix.exe has encountered a problem and needs to close. We are sorry for the inconvenience. ... Please tell Microsoft about this problem. ..." I chose not to send a report to MS.
It looks like whatever it is, it's a few steps ahead of us. Are there many options left? Alan.


----------



## eddie5659 (Mar 19, 2001)

Okay, let's see if renaming the programs will work.

For HijackThis and Combofix, as that's all we want at this time, do this:

Right-click on the file, e.g. ComboFix.exe, and select Rename. Rename it to something else, e.g. funstuff.exe

For HijackThis.exe, rename to something like Project.exe

Then, hopefully they will run. Do the ComboFix first as follows, then the HijackThis.

-----------

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*** Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the *C:\ComboFix.txt* in your next reply for further review.

---------------

HijackThis


Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. 

==========

So, hopefully in your next reply, post the ComboFix log and a HijackThis log 

eddie


----------



## alalight (Oct 28, 2007)

Hi again - making progress at last, thank the Lord (and Eddie).
I renamed files as directed - Combofix had expired, so got new copy and renamed, then success - it ran. At first it detected rootkit activity and rebooted - do you have any idea where that could have come from?
Anyway, here are the two log files. First Combofix.txt :

ComboFix 08-11-27.07 - Myself 2008-11-28 16:10:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT 0:00]

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\brastk.exe
c:\windows\karna.dat
c:\windows\system32\av.dat
c:\windows\system32\brastk.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\karna.dat
c:\windows\system32\TDSSoeqh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-27 18:44 . 2008-11-27 18:33	1,581,780	--a------	C:\SmitfraudFix.exe
2008-11-20 12:01 . 2008-11-20 12:01 d--------	c:\program files\Lavasoft
2008-11-20 12:01 . 2008-11-20 12:01 d--------	c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 12:00 . 2008-11-20 12:00 d--------	c:\program files\Common Files\Wise Installation Wizard
2008-11-12 04:57 . 2008-11-12 04:57	118	--a------	c:\windows\system32\MRT.INI
2008-11-12 04:41 . 2008-11-12 04:41	73,728	--a------	c:\windows\system32\TDSScfub.dll
2008-11-12 04:41 . 2008-11-12 04:41	60,416	--a------	c:\windows\system32\drivers\TDSSpaxt.sys
2008-11-12 04:41 . 2008-11-12 04:41	31,232	--a------	c:\windows\system32\TDSSriqp.dll
2008-11-12 04:41 . 2008-11-12 04:41	29,696	--a------	c:\windows\system32\TDSSnrsr.dll
2008-11-12 04:41 . 2008-11-12 04:41	2,444	--a------	c:\windows\system32\TDSSfpmp.dll
2008-11-12 04:41 . 2008-11-12 04:41	527	--a------	c:\windows\system32\TDSSosvd.dat
2008-11-12 04:17 . 2008-10-24 11:10	453,632	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 23:28 . 2008-11-10 23:28	21,275	--a------	c:\windows\system32\drivers\AegisP.sys
2008-11-10 23:27 . 2006-06-08 10:49	344,064	--a------	c:\windows\system32\drivers\rt73.sys
2008-11-10 23:27 . 2005-12-15 10:38	315,392	--a------	c:\windows\system32\AegisI5.exe
2008-11-10 23:27 . 2006-06-17 12:29	295,018	--a------	c:\windows\system32\Install7x.dll
2008-11-10 23:27 . 2005-11-30 11:33	2,048	--a------	c:\windows\system32\drivers\rt73.bin
2008-11-10 23:27 . 2006-03-06 15:36	45	--a------	c:\windows\filespec7x
2008-11-07 07:18 . 2008-07-18 22:07	270,880	--a------	c:\windows\system32\mucltui.dll
2008-11-07 07:18 . 2008-07-18 22:07	210,976	--a------	c:\windows\system32\muweb.dll
2008-11-07 07:18 . 2008-07-18 22:07	29,728	--a------	c:\windows\system32\mucltui.dll.mui
2008-11-06 10:07 . 2008-11-06 10:07 d--------	c:\program files\Windows Live Toolbar
2008-11-06 10:06 . 2008-11-06 10:06 d--------	c:\program files\Windows Live Favorites
2008-11-06 09:59 . 2008-11-06 11:24 d--------	c:\documents and settings\Myself\Contacts
2008-11-06 09:58 . 2006-11-29 13:06	3,426,072	--a------	c:\windows\system32\d3dx9_32.dll
2008-11-06 09:57 . 2008-11-06 09:57 d--------	c:\program files\Microsoft SQL Server Compact Edition
2008-11-06 09:52 . 2008-11-06 10:06 d--------	c:\program files\Windows Live
2008-11-06 09:52 . 2008-11-06 09:53 d--hsc---	c:\program files\Common Files\WindowsLiveInstaller
2008-11-06 09:51 . 2008-11-06 09:51 d--------	c:\documents and settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 15:50	---------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 12:46	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2008-11-20 12:33	---------	d-----w	c:\program files\Spybot - Search & Destroy
2008-11-20 12:32	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 11:59	---------	d-----w	c:\documents and settings\Myself\Application Data\Lavasoft
2008-11-10 23:27	---------	d-----w	c:\program files\RALINK
2008-10-24 11:10	453,632	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-05 21:20	---------	d-----w	c:\documents and settings\Myself\Application Data\vlc
2008-10-04 12:21	97,928	----a-w	c:\windows\system32\drivers\avgldx86.sys
2008-10-02 10:28	---------	d-----w	c:\documents and settings\Myself\Application Data\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-04 1234712]
"SiSPower"="SiSPower.dll" [2005-10-04 c:\windows\system32\SiSPower.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-11-12 618496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-05 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-05 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-05 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-05 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74b28a10-c793-11dc-bfd9-000fea51b446}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eedcef0c-0ec8-11dd-bfeb-000fea51b446}]
\shell\verb1\command - desktop.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-okwywsm - c:\documents and settings\myself\local settings\application data\okwywsm.exe
MSConfigStartUp-brastk - brastk.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 16:16:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpplt.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WgaTray.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-28 16:18:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 16:18:33

Pre-Run: 52,007,600,128 bytes free
Post-Run: 51,962,978,304 bytes free

146	--- E O F ---	2008-11-12 04:59:14

Secondly hijackthis.log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25:05, on 28/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Myself\Desktop\project.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3876 bytes

Looking forward to your verdict. Thanks from Alan.
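Added example, not code from the thread or from ComboFix itself: a small Python triage pass over a ComboFix-style log, run on a constructed excerpt built from lines in the log above (tabs replaced by spaces). It pulls out what a helper reads first when deciding whether a clean-up worked: files ComboFix already removed, services it unregistered, new native modules dropped into system32 (with the TDSS-style file names seen above flagged separately from ordinary new modules such as the Microsoft Update DLL), Security Center notification suppression, the disabled firewall profile, and AutoRun commands recorded under mountpoints2. The section banners, column layout and value formats follow the posted log; the file-name pattern and the finding labels are my own assumptions.

```python
"""Triage a ComboFix-style log for the indicators discussed in the thread."""
import re

# Constructed excerpt in ComboFix's layout, assembled from the log quoted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\brastk.exe
c:\windows\system32\TDSSoeqh.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-20 12:01 . 2008-11-20 12:01 d--------   c:\program files\Lavasoft
2008-11-12 04:41 . 2008-11-12 04:41   73,728   --a------   c:\windows\system32\TDSScfub.dll
2008-11-12 04:41 . 2008-11-12 04:41   60,416   --a------   c:\windows\system32\drivers\TDSSpaxt.sys
2008-11-07 07:18 . 2008-07-18 22:07   270,880   --a------   c:\windows\system32\mucltui.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")          # "(((( Name ))))" banners
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                     r"\s+(?:[\d,]+\s+)?(\S+)\s+(.+?)\s*$")  # attrs, path (size optional)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Assumed naming pattern, taken from the TDSSxxxx.dll/.sys/.dat files in the thread.
FAMILY_RE = re.compile(r"\\TDSS[a-z]{4}\.(?:dll|sys|dat)$", re.IGNORECASE)
# Any new DLL directly in system32, or driver in system32\drivers: worth a publisher check.
NATIVE_RE = re.compile(r"\\windows\\system32\\(?:drivers\\)?[^\\]+\.(?:dll|sys)$", re.IGNORECASE)
NOTIFY_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def split_sections(text):
    """Return [(section_name, [lines])] in log order; text before the first banner is 'preamble'."""
    sections = [("preamble", [])]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections


def triage(text):
    """Return a list of (label, detail...) findings for the security-relevant entries."""
    findings = []
    for name, lines in split_sections(text):
        if name.startswith("Other Deletions"):
            findings += [("deleted", ln.strip()) for ln in lines if DRIVE_RE.match(ln)]
        elif name.startswith("Drivers/Services"):
            findings += [("service-removed", ln.split("Service_", 1)[1])
                         for ln in lines if ln.startswith("-------\\Service_")]
        elif name.startswith("Files Created"):
            for ln in lines:
                m = FILE_RE.match(ln)
                if not m or m.group(1).startswith("d"):   # skip non-entries and directories
                    continue
                path = m.group(2)
                if FAMILY_RE.search(path):
                    findings.append(("family-pattern", path))
                elif NATIVE_RE.search(path):
                    findings.append(("new-native-module", path))
        elif name.startswith("Reg Loading Points"):
            key = None
            for ln in lines:
                km = KEY_RE.match(ln)
                if km:
                    key = km.group(1).lower()
                    continue
                if key is None:
                    continue
                vm = VALUE_RE.match(ln)
                if vm and key.endswith("security center"):
                    vname, data = vm.groups()
                    if vname in NOTIFY_VALUES and data.lower().endswith("00000001"):
                        findings.append(("securitycenter-notify-off", vname))
                elif vm and key.endswith("firewallpolicy\\standardprofile"):
                    vname, data = vm.groups()
                    if vname == "EnableFirewall" and data.split()[0] == "0":
                        findings.append(("firewall-off", key))
                elif "mountpoints2" in key and "\\command - " in ln:
                    findings.append(("autorun-command", ln.split(" - ", 1)[1]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The "new-native-module" label is deliberately weaker than "family-pattern": mucltui.dll is listed only because a new DLL under system32 deserves a publisher check, and a parser cannot verify signatures from a text log. The Security Center and firewall findings are the ones to weigh most heavily; legitimate software has little reason to set those values.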


----------



## eddie5659 (Mar 19, 2001)

Hiya

Sorry, away at weekends, so it's hard to reply quickly.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.

---------------------------------------------------------------------

*Transfer all files you just downloaded, to the desktop of the infected computer.*

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'No' to end

-------------

Then, do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> File::
> c:\windows\system32\TDSScfub.dll
> c:\windows\system32\drivers\TDSSpaxt.sys
> c:\windows\system32\TDSSriqp.dll
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Also, post a fresh HijackThis log.

eddie


----------



## alalight (Oct 28, 2007)

Hello again. I've done all that you said. Things seem much better now, no popups and those progs ran from desktop in normal mode without renaming them. 
First, here's the ComboFix log:

ComboFix 08-11-27.07 - Myself 2008-12-01 23:03:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT 0:00]
Running from: c:\documents and settings\Myself\Desktop\Combofix.exe
Command switches used :: c:\documents and settings\Myself\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\drivers\TDSSpplt.sys
c:\windows\system32\drivers\tdssserv.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-20 12:01 . 2008-11-20 12:01 d--------	c:\program files\Lavasoft
2008-11-20 12:01 . 2008-11-20 12:01 d--------	c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 12:00 . 2008-11-20 12:00 d--------	c:\program files\Common Files\Wise Installation Wizard
2008-11-12 04:57 . 2008-11-12 04:57	118	--a------	c:\windows\system32\MRT.INI
2008-11-12 04:17 . 2008-10-24 11:10	453,632	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 23:28 . 2008-11-10 23:28	21,275	--a------	c:\windows\system32\drivers\AegisP.sys
2008-11-10 23:27 . 2006-06-08 10:49	344,064	--a------	c:\windows\system32\drivers\rt73.sys
2008-11-10 23:27 . 2005-12-15 10:38	315,392	--a------	c:\windows\system32\AegisI5.exe
2008-11-10 23:27 . 2006-06-17 12:29	295,018	--a------	c:\windows\system32\Install7x.dll
2008-11-10 23:27 . 2005-11-30 11:33	2,048	--a------	c:\windows\system32\drivers\rt73.bin
2008-11-10 23:27 . 2006-03-06 15:36	45	--a------	c:\windows\filespec7x
2008-11-07 07:18 . 2008-07-18 22:07	270,880	--a------	c:\windows\system32\mucltui.dll
2008-11-07 07:18 . 2008-07-18 22:07	210,976	--a------	c:\windows\system32\muweb.dll
2008-11-07 07:18 . 2008-07-18 22:07	29,728	--a------	c:\windows\system32\mucltui.dll.mui
2008-11-06 10:07 . 2008-11-06 10:07 d--------	c:\program files\Windows Live Toolbar
2008-11-06 10:06 . 2008-11-06 10:06 d--------	c:\program files\Windows Live Favorites
2008-11-06 09:59 . 2008-11-06 11:24 d--------	c:\documents and settings\Myself\Contacts
2008-11-06 09:58 . 2006-11-29 13:06	3,426,072	--a------	c:\windows\system32\d3dx9_32.dll
2008-11-06 09:57 . 2008-11-06 09:57 d--------	c:\program files\Microsoft SQL Server Compact Edition
2008-11-06 09:52 . 2008-11-06 10:06 d--------	c:\program files\Windows Live
2008-11-06 09:52 . 2008-11-06 09:53 d--hsc---	c:\program files\Common Files\WindowsLiveInstaller
2008-11-06 09:51 . 2008-11-06 09:51 d--------	c:\documents and settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 22:58	---------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 12:46	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2008-11-20 12:33	---------	d-----w	c:\program files\Spybot - Search & Destroy
2008-11-20 12:32	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 11:59	---------	d-----w	c:\documents and settings\Myself\Application Data\Lavasoft
2008-11-10 23:27	---------	d-----w	c:\program files\RALINK
2008-10-24 11:10	453,632	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-05 21:20	---------	d-----w	c:\documents and settings\Myself\Application Data\vlc
2008-10-04 12:21	97,928	----a-w	c:\windows\system32\drivers\avgldx86.sys
2008-10-02 10:28	---------	d-----w	c:\documents and settings\Myself\Application Data\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-04 1234712]
"SiSPower"="SiSPower.dll" [2005-10-04 c:\windows\system32\SiSPower.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-11-12 618496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-05 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-05 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-05 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-05 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74b28a10-c793-11dc-bfd9-000fea51b446}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eedcef0c-0ec8-11dd-bfeb-000fea51b446}]
\shell\verb1\command - desktop.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 23:09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-12-01 23:11:20 - machine was rebooted [Myself]
ComboFix-quarantined-files.txt 2008-12-01 23:11:05
ComboFix2.txt 2008-11-28 16:18:41

Pre-Run: 51,915,759,616 bytes free
Post-Run: 51,906,531,328 bytes free

142	--- E O F ---	2008-11-12 04:59:14

And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:37, on 01/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Myself\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3912 bytes

Happy reading, I hope!? Alan.


----------



## eddie5659 (Mar 19, 2001)

Hmm, some are still there....

Let's see if this one helps; if not, we'll do it another way.

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*

Also, post a fresh HijackThis log as well as the MBAM log.

eddie


----------



## alalight (Oct 28, 2007)

Eddie - persistent blighters, aren't they?!
Looks like mbam found just one logfile - here's the mbam log:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

02/12/2008 20:48:21
mbam-log-2008-12-02 (20-48-21).txt

Scan type: Quick Scan
Objects scanned: 42599
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

** And here's a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:00, on 02/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Myself\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3963 bytes

Looking forward to your response. Alan.


----------



## eddie5659 (Mar 19, 2001)

Just to let you know, I'm not at home at the moment. The snow is really bad in the UK, and I'm in Yorkshire which has a lot of snow. I'm actually sleeping at a mate's, as I can't get home tonight.

I'll look at this fully tomorrow, when the roads are clearer, as I don't have my bookmarks here.

Just keeping you informed.

eddie


----------



## eddie5659 (Mar 19, 2001)

Back now.

Okay, it's still not being shifted. Let's see if this works now.

You'll already have the download of SmitfraudFix on your pc, but you had problems with it before. Try re-downloading it, then do the following:

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.*

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

eddie


----------



## alalight (Oct 28, 2007)

Welcome back Eddie
New version of SmitfraudFix worked OK - report follows:

SmitFraudFix v2.381

Scan done at 14:44:50.51, 06/12/2008
Run from C:\Documents and Settings\Myself\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Myself\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Myself

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Myself\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Myself\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Myself\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CCB84CF0-4F1A-40FC-9C51-EDDBF0D67668}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CCB84CF0-4F1A-40FC-9C51-EDDBF0D67668}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CCB84CF0-4F1A-40FC-9C51-EDDBF0D67668}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Are you allowed to say which entries in previous reports indicate that there is still a problem? - because the machine appears to be behaving itself now.
Cheers, Alan.


----------



## eddie5659 (Mar 19, 2001)

Yep, it was in the last ComboFix log you posted:



> ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
> .
> 
> -------\Service_TDSSserv.sys


Apart from that, all signs of the infection are gone.

But upon further investigation, it looks okay. I was just trying to fully confirm it.

If it's all okay, we'll do some cleanup. I just want an online scan if that's okay, then we're good to go.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java* to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.
*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6 Update 7*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the *jre-6u7-windows-i586-p.exe* and select "Run as an Administrator.")

eddie


----------



## alalight (Oct 28, 2007)

Hi Eddie - Thanks, I've done all that - installed Java and ran Kaspersky online scan. Btw, your link and info re Java are a bit out-of-date - they're now up to update 11 and the page layout is different. The kavwebscan report follows; I presume the next step is to delete the files it found, mostly in the qoobox folder, which I've learnt is created by Combofix. Bye for now, Alan.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 23:14:01
Records in database: 1444848
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 25017
Threat name: 10
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:12:08


File name / Threat name / Threats count
C:\Documents and Settings\Myself\My Documents\install_SetupSopCast3.0.32008430.exe	Infected: Backdoor.Win32.Small.gll	1
C:\Qoobox\Quarantine\C\WINDOWS\brastk.exe.vir	Infected: Trojan-Downloader.Win32.Small.agdo	1
C:\Qoobox\Quarantine\C\WINDOWS\karna.dat.vir	Infected: Backdoor.Win32.Small.gjm	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\av.dat.vir	Infected: Hoax.Win32.Renos.vavf	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\brastk.exe.vir	Infected: Trojan-Downloader.Win32.Small.agdo	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir	Infected: Backdoor.Win32.UltimateDefender.a	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir	Infected: Backdoor.Win32.UltimateDefender.a	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir	Infected: Backdoor.Win32.TDSS.bkw	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\karna.dat.vir	Infected: Backdoor.Win32.Small.gjm	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfub.dll.vir	Infected: Rootkit.Win32.Clbd.lb	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir	Infected: Backdoor.Win32.TDSS.asz	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoeqh.dll.vir	Infected: Backdoor.Win32.TDSS.blh	1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir	Infected: Backdoor.Win32.TDSS.atb	1

The selected area was scanned.


----------



## eddie5659 (Mar 19, 2001)

You don't need to worry about the ComboFix files, they'll be removed at the end.

Please *download* the *OTMoveIt3 by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt3.exe* to run it. (Vista users, please right click on *OTMoveit2.exe* and select "Run as an *Administrator*")
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:files
C:\Documents and Settings\Myself\My Documents\install_SetupSopCast3.0.32008430

:commands
[emptytemp]
```

 Return to OTMoveIt3, right click in the *"Paste List of Files/Folders to be Moved"* window (under the light yellow bar) and choose *Paste*.
Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose Copy), and paste it in your next reply.

Close *OTMoveIt3*
*Note*: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes*. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

--------------

After that, do this:

Please download *Runscanner* to your desktop and run it.

When the first page comes up select *Beginner Mode*
On the next page select *Save a binary .Run file (Recommended)* then click *Start full scan* at the top.
At this time Runscanner.exe may request *access to the Internet* through your firewall; please allow it to do so. It will then run for two or three minutes.
On completion it will ask for a location to save the file and a name. It will do this for both the *.run file* and the *log file*
Call the .run file *"Select a name"* and save it to your desktop. You will see the *.run file* on your desktop. Right-click and rename it to a *.txt* file and upload that file here.

eddie


----------



## alalight (Oct 28, 2007)

Eddie. Thanks for being so thorough and sticking with us on this. I've done as requested; OTMoveIt3 did need to reboot, and here's the log:

========== FILES ==========
File/Folder C:\Documents and Settings\Myself\My Documents\install_SetupSopCast3.0.32008430 not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_568.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12092008_215852

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_568.dat not found!

Now, I'm not sure if I understand you properly re Runscanner instructions. I renamed the .run file to a .txt one, but the contents of it are just 'machine-code' (gobbledy-****). Do you want that copied and pasted? In the meantime, I'm including contents of runscanner.log (although you didn't ask for this ...) Next, in a new message, I'll try to send runscanner.run as an attachment for you. Anyway, here's the log:

Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

General info
------------
Computer name : PC3
Creation time : 09/12/2008 22:17:17
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.13
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.7.0.0
User Language : English (United Kingdom)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
* C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
* C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\Program Files\internet explorer\iexplore.exe (Microsoft Corporation)
* C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
* C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
* C:\Documents and Settings\Myself\Desktop\RunScanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\WINDOWS\system32\WgaTray.exe (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)

Unrated items
-------------
002 C:\WINDOWS\system32\SiSPower.dll (Silicon Integrated Systems Corporation)
005 C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
011 C:\WINDOWS\system32\DRIVERS\AegisP.sys (AEGIS Protocol (IEEE 802.1x) v3.4.10.0)
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
035 C:\WINDOWS\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}
052 C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) {DBC80044-A445-435b-BC74-9C25C1C588A9}
052 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
061 C:\WINDOWS\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
061 C:\WINDOWS\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
062 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
100 SearchUrl HKCU : http://home.microsoft.com/access/autosearch.asp?p=%s
104 * C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx (The Facebook) {0CCA191D-13A6-4E29-B746-314DEE697D83}
105 &Windows Live Search : res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
105 Add to Windows &Live Favorites : http://favorites.live.com/quickadd.aspx
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
170 {74b28a10-c793-11dc-bfd9-000fea51b446} : E:\setupSNK.exe
170 D : D:\Autorun.exe
173 GUID / CLSID not found
221 GUID / CLSID not found
227 GUID / CLSID not found
231 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.) PDF Column Info

Missing files
-------------
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\Beep.sys
011 C:\Combofix\catchme.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 deskpan.dll

Thanks again, from Alan.


----------



## alalight (Oct 28, 2007)

Hi again Eddie
Now I'm in advanced reply mode, I see attachments can only have certain extensions, so I'm attaching the .run file as a .txt one (as you requested).
Hope I've got it right. Alan.


----------



## eddie5659 (Mar 19, 2001)

Yep, you did.

Download the attachment at the end of this post (this will be your runscanner file fixed by me)


Save it to your desktop, then right-click on it and select Rename. Rename it to runscanner.run, overwriting the one you already have on the Desktop. Then double-click the *runscanner icon*; this will run the program.
You will notice several entries in *red* and in *blue*.
Click the button at the top called *Fix selected items*
Accept the warning(s) and repeat until they are all gone.
Reboot your PC


----------



## alalight (Oct 28, 2007)

Eddie - done that - no probs. You've not asked for any more logs ... are we sorted now? I see there are still Qoobox and OTMoveIt folders on the c: drive - should I just delete them? Also, is there anything that you would recommend to prevent similar infestations in the future? Looking forward to your reply. Alan.


----------



## eddie5659 (Mar 19, 2001)

Ah, you're right. Can you post a fresh HijackThis log just to check.

After that, I think we're done. Just some cleaning up to do of the tools we've used, and then I'll recommend some tools for you.

eddie


----------



## alalight (Oct 28, 2007)

Eddie - ok. Here's the hijackthis log, hopefully the final one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:55, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Myself\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4613 bytes

Awaiting your verdict. Alan.


----------



## eddie5659 (Mar 19, 2001)

Yep, nice and clean 

How's the computer running now? We have a couple of last steps to perform and then you're all set.

*Follow these steps to uninstall Combofix and tools used in the removal of malware*


Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

--------------

*OTCleanIt *
Download the following program:

http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Then, click the *CleanUp!* button. It will go through the list and remove all of the tools it finds and then delete itself. Reboot.

-------------

Please download *ATF Cleaner* by Atribune.

*Caution: This program is for Windows 2000, XP and Vista only*


Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

---------------

Let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click *Start*.
* Open *My Computer*.
* Select the *Tools menu* and click *Folder Options*.
* Select the *View* tab.
* Under the *Hidden files and folders* heading *UNSELECT Show hidden files and folders*.
* *CHECK* the *Hide protected operating system files (recommended)* option.
* Click *Yes* to confirm.
* Click *OK*.
Next, let's clean your restore points and set a new one:

*Reset and Re-enable your System Restore* to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
*1. Turn off System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.
*2. Restart your computer.*

*3. Turn ON System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
UN-Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.

*System Restore will now be active again.*

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: 
*SpywareBlaster* to help prevent spyware from installing in the first place.
*SpywareGuard* to catch and block spyware before it can execute.
*ZonedOut* to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 2 free ones available for personal use:
*Kerio Personal Firewall*
*ZoneAlarm*
and a good antivirus (these are also free for personal use):
*AVG Anti-Virus*
*Avast Home Edition*
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit 
*Microsoft Windows Update*
monthly. And to keep your system clean run these free malware scanners 

*Malwarebytes' Anti-Malware*

*Spybot Search & Destroy*
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this about Security online: *General Security Information, How to tighten Security Settings and Warnings *

Have a safe and happy computing day!

eddie


----------



## alalight (Oct 28, 2007)

Well done Eddie, we're very appreciative; if there's anything we can do in return, please let's know. 
Completed your instructions - just one small point - there's a folder now on c: drive with a 13 digit name containing 106 items, 30 of which are applications, looking like it's a Combofix leftover ... Is it ok to delete that?
Once again, many thanks from Alan & friend.


----------



## eddie5659 (Mar 19, 2001)

Glad to hear it, and will let you know if I need anything 

As for the folder, what applications are inside it? In fact, do this for me:

Please download *DirLook* by *jpshortstuff* from one of the following mirrors:
*Link 1*
*Link 2*
*Link 3*

Double-click *DirLook.exe* to run it.
Ensure that *Show Hidden Files/Folders* and *BBCode Output* are both checked.
Copy the content of the following codebox into the main textfield:

Location of folder, eg


```
C:/Desktop/Folder Name
```

Click the *DirLook* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (*Note:* The log can also be found at C:\*dl_log.txt*)
*Note:* Scanning may take longer for large folders.


----------



## alalight (Oct 28, 2007)

Eddie - just when I thought it was all over ... 
Here's the dirlook log:

DirLook.exe v2.0 by jpshortstuff
Log created at 14:24 on 12/12/2008
==================================
Contents of "C:\32788R22FWJFW"
*---FOLDERS---*

(none found)

*---FILES---*

*023.dat* (35920 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*023v.dat* (2126 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*appinit.bad* (7797 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Assoc.cmd* (3241 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*badclsid* (1946044 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Boot.bat* (7834 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*BootSect* (7680 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*C.bat* (631577 bytes - created on 11/12/2008 at 20:12, modified on 28/11/2008 at 17:35) --a---
*catchme.cfexe* (145920 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*clsid.dat* (470360 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Combo-Fix.sys* (1024 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Combobatch.bat* (6911 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ComboFix-Download.exe* (61440 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Creg.dat* (580630 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*CregC.cmd* (3186 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*CregC.dat* (553 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*dd.cfexe* (101376 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ddsDo.sed* (7929 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*DelClsid.bat* (1766 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*DPF.sed* (298 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*DPF.str* (746 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*dumphive.cfexe* (51200 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*embedded.sed* (303 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ERDNT.e_e* (163328 bytes - created on 11/12/2008 at 20:12, modified on 20/10/2005 at 20:02) --a---
*ERDNTDOS.LOC* (2815 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ERDNTWIN.LOC* (3275 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ERUNT.cfexe* (157696 bytes - created on 11/12/2008 at 20:12, modified on 20/10/2005 at 20:00) --a---
*ERUNT.LOC* (4090 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Exe.reg* (7213 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*executables.dat* (117 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*extract.cfexe* (52736 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*fdsv.cfexe* (89504 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*fi.cfexe* (110592 bytes - created on 11/12/2008 at 20:12, modified on 12/11/2002 at 05:38) --a---
*Fin.dat* (804 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*FIND3M.bat* (103217 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*FIXLSP.bat* (3855 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*FProps.vbs* (15388 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*grep.cfexe* (80412 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*gsar.cfexe* (15360 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*handle.cfexe* (181776 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*hidec.exe* (1536 bytes - created on 11/12/2008 at 20:12, modified on 16/08/2005 at 01:54) --a---
*history.bat* (2117 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*image001.gif* (1057 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*katch.cmd* (684 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Lang.bat* (148508 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*List-C.bat* (251311 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*lnkread.vbs* (1528 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*LocalService.dat* (225 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*LocalServiceNetworkRestricted.dat* (91 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*LocalSystemNetworkRestricted.dat* (198 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*md5deep.cfexe* (40448 bytes - created on 11/12/2008 at 20:12, modified on 02/04/2006 at 21:18) --a---
*moveex.cfexe* (38400 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*MoveIt.bat* (3204 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*mtee.cfexe* (11264 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*mynul* (0 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ndis_combofix.dat* (287 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*ND_.bat* (3751 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*netsvc.bad.dat* (423 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*netsvc.dat* (159 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*netsvc.vista.dat* (481 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*netsvc.xp.dat* (525 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*NetworkService.dat* (88 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*NirCmd.cfexe* (28672 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*nircmd.com* (28672 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*NirCmd.inf* (2161 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*NirCmdC.cfexe* (27648 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*OSid.vbs* (924 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Policies.dat* (2042 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Prep.cmd* (7323 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*psexec.cfexe* (131072 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*Purity.dat* (404 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*pv.cfexe* (73728 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*RCLink* (7008 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*RegDo.sed* (9203 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*region.dat* (1277 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*RestoreO4.bat* (1758 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*restore_pt.vbs* (232 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*rogues.dat* (820 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*run2.sed* (287 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*safeboot.dat* (329 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*safeboot.def.dat* (1660 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*safeboot.def.vista.dat* (463 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*SafeBootRepair.bat* (15317 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*sed.cfexe* (98816 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*setcsum.cfexe* (19968 bytes - created on 11/12/2008 at 20:12, modified on 04/12/2006 at 03:17) --a---
*SetEnvmt.bat* (12743 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*setpath.cfexe* (29984 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*SF.cfexe* (49152 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*srizbi.md5* (5740 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*SvcDrv.vbs* (2008 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*svchost.dat* (555 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*svchost.vista.dat* (668 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*svc_wht.dat* (12059 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*swreg.exe* (161792 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*swsc.cfexe* (136704 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*swxcacls.cfexe* (212480 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*system_ini.dat* (276 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*toolbar.sed* (413 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*unzip.cfexe* (102400 bytes - created on 11/12/2008 at 20:12, modified on 13/04/2003 at 08:00) --a---
*vfind.cfexe* (49152 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*whitedirB.dat* (401 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*WhiteLegacy.dat* (2687 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*WRP.cfexe* (26112 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*zDomain.dat* (23773 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*zhsvc.dat* (31158 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---
*zip.cfexe* (68096 bytes - created on 11/12/2008 at 20:12, modified on 31/08/2000 at 08:00) --a---

==================================
*=EOF=*

Hopefully it's just a case of deleting it? Alan.


----------



## eddie5659 (Mar 19, 2001)

Okay, had a good look around, and it appears it is ComboFix related. Did you uninstall via the Combofix /u?

I have a feeling you did, but not sure what it's doing there instead. Ah, maybe it was when you tried to run it the first time, as you had to rename it. It may have created another folder, to run from, that isn't called ComboFix, so that it couldn't be deleted by the virus 

Either way, just delete it to the Recycle Bin, and see how the system appears for a few days, doing the normal stuff you do. Any problems, let me know.

eddie


----------



## alalight (Oct 28, 2007)

Hi, message received. I did uninstall via the Combofix /u, and the date & time the files were created is from then. Anyway I'll delete and hopefully/presumably everything will run ok. Re your recommendations for safer surfing, I already know/use most of them, but Zonedout is new to me - will have a look. 
Once again, we do appreciate your reliable assistance, muchas gracias. Peace and Love. 
alalight.


----------



## eddie5659 (Mar 19, 2001)

Oki doki, will mark this one Solved 

eddie


----------



## alalight (Oct 28, 2007)

Eddie - I agree - Solved. Thank you very, very much. Alan.


----------



## eddie5659 (Mar 19, 2001)

Sorry to bring this one back up, but can you do this for me:

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the *Rootkit* tab.
Make sure all the boxes on the right of the screen are checked, *EXCEPT* for Show All.
Click on *Scan*.
When the scan has run click *Copy* and paste the results (if any) into this thread.

Just want to triple check something.

eddie


----------



## alalight (Oct 28, 2007)

Hello again, Eddie. I hope you're just being paranoid ... Anyway, here's the triple-check gmer result file: 

Oops - the forum server complained the pasted text was too long (over 3000 words), so I'm going advanced and will attach it instead.

Hoping to hear from you again soon, with good tidings ... Alan.


----------



## eddie5659 (Mar 19, 2001)

Yep, it's okay. I was just reading something, and it prompted me to look at a GMER log.


It's all clear :up:

Have a merry Christmas and a Happy New Year 

eddie


----------



## alalight (Oct 28, 2007)

Eddie - phew, that's a relief. Thanks once more, and Merry Christmas and a Happy New Year to you. 
Alan.


----------



## eddie5659 (Mar 19, 2001)

I have the uninstall method for GMER, as it shouldn't be left on the pc 


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *gmer_uninstall.bat*
Change the *Save as Type* to *All Files*
and *Save* it in the folder *GMER* was saved in.
Once saved, double-click on the *gmer_uninstall.bat* file. The MSDOS window will be displayed. That is normal.



> @echo off
> sc stop gmer
> sc delete gmer
> if exist %SystemRoot%\System32\drivers\gmer.sys del /f /q %SystemRoot%\System32\drivers\gmer.sys
> ...


eddie
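
An added check to go with the uninstall batch file above (this is not part of the thread, nor a GMER or ComboFix tool): after the batch file has run, confirm that nothing is left behind. The service name `gmer` and the driver path `%SystemRoot%\System32\drivers\gmer.sys` are taken from the quoted batch file; a kernel driver service is not listed by `Get-Service`, so the check looks for its registry key under `HKLM:\SYSTEM\CurrentControlSet\Services` instead. The script assumes Windows PowerShell 3.0 or later running from an elevated prompt, and the desktop search location is an assumption based on where the zip was unpacked in this thread.

```powershell
# Added example, not from the thread: verify that the GMER rootkit-scanner
# driver service and its driver file are gone after running gmer_uninstall.bat.
# Assumes Windows PowerShell 3.0+ in an elevated session.

$ServiceName = 'gmer'                                                    # from the batch file above
$DriverPath  = Join-Path $env:SystemRoot 'System32\drivers\gmer.sys'     # from the batch file above

function Test-GmerRemoved {
    param(
        [string]$ServiceName,
        [string]$DriverPath
    )

    $result = [ordered]@{
        ServicePresent = $false
        DriverPresent  = $false
        Leftovers      = @()
    }

    # A kernel driver service lives in the SCM database under this key;
    # 'sc delete' removes the key, so its presence means the uninstall did not take.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path -LiteralPath $svcKey) {
        $result.ServicePresent = $true
        $imagePath = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
        $result.Leftovers += "service key $svcKey (ImagePath: $imagePath)"
    }

    # The driver binary itself.
    if (Test-Path -LiteralPath $DriverPath) {
        $result.DriverPresent = $true
        $result.Leftovers += "driver file $DriverPath"
    }

    # Anything else named *gmer* in the folders the batch file touches, plus the
    # desktop (assumed unpack location, as in this thread).
    $searchDirs = @(
        (Join-Path $env:SystemRoot 'System32\drivers'),
        $env:SystemRoot,
        [Environment]::GetFolderPath('Desktop')
    )
    foreach ($dir in $searchDirs) {
        Get-ChildItem -LiteralPath $dir -Filter '*gmer*' -ErrorAction SilentlyContinue |
            ForEach-Object { $result.Leftovers += $_.FullName }
    }

    return [pscustomobject]$result
}

$r = Test-GmerRemoved -ServiceName $ServiceName -DriverPath $DriverPath
if ($r.Leftovers.Count -eq 0) {
    Write-Output "OK: no trace of '$ServiceName' found (service key removed, $DriverPath absent)."
} else {
    Write-Output "Leftovers found:"
    $r.Leftovers | ForEach-Object { Write-Output "  $_" }
    if ($r.ServicePresent) {
        Write-Output "Run 'sc stop $ServiceName' and 'sc delete $ServiceName' from an elevated prompt, reboot, then re-run this check."
    }
}
```

If the service key is still present but the driver file is not, a reboot is usually enough for the pending `sc delete` to complete; re-run the check afterwards rather than deleting the registry key by hand.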


----------



## alalight (Oct 28, 2007)

Hello again, Eddie. 
I'd assumed we were finished last time, so I had already manually deleted the gmer zip file and subsequent folder from the desktop, then defragged. So I couldn't save your uninstall file in the gmer folder - just on the desktop. Ran it, saw dos window pop up, but closed again too quick to read anything, then the uninstall batch file itself disappeared from desktop. Checked the windows folder (SystemRoot) and system32\drivers folder - there's nothing in them with gmer in the name. Can I assume it has gone and it's ok to continue as normal now?
Cheers, Alan.


----------



## eddie5659 (Mar 19, 2001)

yep, it should be okay now 

Just wanted to post it, in case you hadn't done anything with.

Happy New Year


----------

