# Trojan generic virus regenerates itself. How to remove it?



## TOTO2009 (May 1, 2009)

Hello,

I need some help please.

I have the AVG anti-virus, and when I scan my computer a virus with detection name Trojan horse Generic_r.B0 and object name C:\Windows\system32\ACF7EF\74BE16.EXE is detected by the antivirus, together with 10 other viruses.

The problem is that the antivirus cannot delete it. When I scan my computer again, the same viruses are detected.
What should I do, please?


----------



## Phantom010 (Mar 9, 2009)

Please click on the *Report* button and ask to be moved to the *Malware Removal* forum.


----------



## TOTO2009 (May 1, 2009)

Hello.

Do you know the solution to my problem, please?


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required. 

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time-consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## TOTO2009 (May 1, 2009)

Hello,

Thanks for your reply.
Here are the results.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:13:07 م, on 02/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ACF7EF\74BE16.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alrai.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.188.7&uid=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [74BE16] C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 74BE16.lnk = C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 8715 bytes
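
What an analyst reads off the log above, as an added example that is not part of the thread and not HijackThis's own code: 74BE16.EXE is in the running-process list and is registered twice, once as the HKLM Run value [74BE16] and once as the Startup-folder shortcut 74BE16.lnk, and it sits in a folder named ACF7EF directly under system32. A running binary with more than one launch point comes back after every scan unless every launch point is removed as well, which fits the "regenerates itself" symptom. The Python below parses O4 lines in HijackThis's layout and flags autostart targets on two heuristics: random-looking hex names (file or parent folder) and the same binary registered under more than one autostart type. The sample lines are constructed from the log above; the heuristics are this example's own, not HijackThis's.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of "O4" autostart lines in the layout of the
# HijackThis log posted above (benign entries plus the two 74BE16.EXE entries).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [74BE16] C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: 74BE16.lnk = C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
"""

# Registry Run values and Startup-folder shortcuts as HijackThis prints them.
RUN_KEY = re.compile(r"^O4 - (?P<where>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# The executable at the front of a command line, quoted or not; arguments are ignored.
EXE_IN_CMD = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.I)
HEX_NAME = re.compile(r"^[0-9A-F]{6,}$", re.I)


def exe_of(cmd: str) -> str:
    """Lower-cased executable path from a Run value or shortcut target."""
    m = EXE_IN_CMD.match(cmd.strip())
    return (m["exe"] if m else cmd.strip()).lower()


def looks_random_hex(name: str) -> bool:
    """Heuristic (this example's own): 6+ hex characters mixing letters and digits,
    like ACF7EF or 74BE16. All-digit names such as the system32 subfolder 1033 pass."""
    return bool(HEX_NAME.match(name)) and any(c.isalpha() for c in name) and any(c.isdigit() for c in name)


def triage(log_text: str) -> dict:
    """Return {exe_path: [reasons]} for autostart targets worth a closer look."""
    launched_from = defaultdict(list)  # exe path -> [(kind, label)]
    for line in log_text.splitlines():
        if (m := RUN_KEY.match(line)):
            launched_from[exe_of(m["cmd"])].append(("run-key", f"{m['where']} [{m['name']}]"))
        elif (m := STARTUP.match(line)):
            launched_from[exe_of(m["cmd"])].append(("startup-folder", f"{m['where']} {m['name']}"))

    findings = {}
    for exe, where in launched_from.items():
        parts = exe.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) >= 2 else ""
        reasons = []
        if looks_random_hex(stem):
            reasons.append(f"file name {parts[-1]} is a random-looking hex string")
        if looks_random_hex(parent):
            under = " directly under system32" if len(parts) >= 3 and parts[-3] == "system32" else ""
            reasons.append(f"lives in random-looking hex-named folder {parent}{under}")
        kinds = {kind for kind, _ in where}
        if len(kinds) > 1:
            # Same binary registered through more than one mechanism: deleting the
            # file once is not enough, each launch point has to go as well.
            reasons.append("registered in more than one autostart type: " + ", ".join(sorted(kinds)))
        if reasons:
            findings[exe] = reasons
    return findings


if __name__ == "__main__":
    for exe, reasons in triage(SAMPLE_HJT_LOG).items():
        print(exe)
        for r in reasons:
            print("   -", r)
```

Note that ctfmon.exe is listed under several user hives but is not flagged: the multiple-location check counts distinct mechanisms (Run key versus Startup folder), not repeats of the same mechanism in different hives, which is normal for per-user entries.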


----------



## Cookiegal (Aug 27, 2003)

Please visit *ComboFix Guide & Instructions* for instructions on installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## TOTO2009 (May 1, 2009)

hello,

*Here are the results of the Combo-Fix:*

ComboFix 09-05-02.4 - Administrator 05/03/2009 20:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.962.1033.18.1015.471 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\spec.fne
c:\restore\H-6-1-53-0976546321-090909032-8763-1337
c:\restore\H-6-1-53-0976546321-090909032-8763-1337\Desktop.ini
c:\windows\IE4 Error Log.txt
c:\windows\win.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-05-04 03:14 . 2009-05-04 03:14 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-03 01:10 . 2009-05-03 01:10 -------- d-----w c:\program files\Trend Micro
2009-04-24 17:12 . 2009-04-24 17:12 -------- d--h--w c:\windows\system32\0F6226
2009-04-24 17:12 . 2009-05-01 21:47 -------- d--h--w c:\windows\system32\5A8DCC
2009-04-24 17:12 . 2009-04-24 18:35 -------- d--h--w c:\windows\system32\76682F
2009-04-24 17:12 . 2009-04-24 18:35 -------- d--h--w c:\windows\system32\ACF7EF
2009-04-16 07:59 . 2009-04-16 07:59 -------- d-----w c:\program files\Kap.TOEFL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 03:44 . 2009-01-18 22:38 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 02:28 . 2009-03-30 21:46 438 ---ha-w c:\windows\Tasks\User_Feed_Synchronization-{58F809D4-6113-49EF-8631-D291D59F7AD5}.job
2009-05-01 23:33 . 2009-03-15 23:34 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-01 23:33 . 2009-03-15 23:34 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-01 23:33 . 2009-03-15 23:34 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-03 02:32 . 2009-04-03 00:27 -------- d-----w c:\program files\Phone2006
2009-03-30 21:41 . 2009-01-19 00:00 -------- d-----w c:\program files\Yahoo!
2009-03-29 05:51 . 2009-01-28 02:33 -------- d-----w c:\program files\Java
2009-03-21 23:15 . 2009-01-19 00:11 -------- d-----w c:\program files\Golden Al-Wafi Translator
2009-03-17 20:26 . 2009-03-17 20:26 -------- d-----w c:\program files\Common Files\Nokia
2009-03-17 20:26 . 2009-03-17 20:26 -------- d-----w c:\program files\Common Files\PCSuite
2009-03-17 20:25 . 2009-02-12 07:23 -------- d-----w c:\program files\Nokia
2009-03-14 18:17 . 2009-01-18 22:40 94632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-12 02:38 . 2009-03-12 02:38 -------- d-----w c:\program files\Common Files\Bcgsoft
2009-03-12 02:34 . 2009-03-12 02:34 -------- d-----w c:\program files\National Instruments
2009-03-12 02:33 . 2009-03-12 02:30 -------- d-----w c:\program files\Electronics Workbench
2009-03-12 02:30 . 2009-03-12 02:30 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 02:29 . 2009-03-12 02:29 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-11 18:01 . 2009-03-11 17:45 -------- d-----w c:\program files\MATLAB71
2009-03-09 12:19 . 2009-01-28 02:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-03 16:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-03 16:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-03 16:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-03 16:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-03 16:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-03 16:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-03 16:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-03 16:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-03 16:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 04:09 . 2009-03-06 04:09 -------- d-----w c:\program files\Alwil Software
2005-10-12 23:04 . 2005-10-12 23:04 131072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
.
------- Sigcheck -------
[-] 2008-01-05 11:56 1580544 9F960FAC5166F8626B9CDE4DD9A0EB84 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-27 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-27 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-27 138008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-28 185872]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"74BE16"="c:\windows\system32\ACF7EF\74BE16.EXE" [2009-04-24 1462734]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-11-27 16384512]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-11-27 1826816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
74BE16.lnk - c:\windows\system32\ACF7EF\74BE16.EXE [2009-4-24 1462734]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 23:33 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MATLAB71\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-01 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-01 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-01 298776]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-07-19 264576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96358aa7-00fd-11de-9d47-00164473df2b}]
\Shell\AutoRun\command - F:\InstallTranslate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\User_Feed_Synchronization-{58F809D4-6113-49EF-8631-D291D59F7AD5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-Device Detector - DevDetect.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alrai.com/
uInternet Connection Wizard,ShellNext = hxxp://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.188.7&uid=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 20:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1757981266-1275210071-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2b,ab,bc,f7,59,39,9c,41,81,a2,0f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2b,ab,bc,f7,59,39,9c,41,81,a2,0f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\ACD Systems\EN\DevDetect.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 03:48
Pre-Run: 43,772,121,088 bytes free
Post-Run: 44,283,392,000 bytes free
188 --- E O F --- 2009-01-23 21:50

*Here are the results of HijackThis:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:58:33 م, on 03/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ACF7EF\74BE16.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alrai.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.188.7&uid=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [74BE16] C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 74BE16.lnk = C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 8018 bytes

*Please do not forget to tell me how to change Internet Explorer's settings.*


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*c:\windows\system32\sfcfiles.dll*

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\74BE16.lnk

Folder::
c:\windows\system32\0F6226
c:\windows\system32\5A8DCC
c:\windows\system32\76682F
c:\windows\system32\ACF7EF

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"74BE16"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
RegLock::
[HKEY_USERS\S-1-5-21-1757981266-1275210071-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot not reproduced]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
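The script above targets one recognisable pattern: an autostart entry (a Run value and a Startup-folder .lnk) that launches a file kept in a six-hex-character folder under system32, plus the sibling hex-named folders the dropper was unpacked into. As an added example that is not part of the thread, of HijackThis or of ComboFix, the Python below scans autostart entries in HijackThis O4 form for exactly that pattern and renders the matches as a CFScript fragment in the File::/Folder::/Registry:: form used above. The sample O4 lines are constructed: the 74BE16 entries are what HijackThis would have printed for the items the CFScript removes and do not appear in the (post-ComboFix) log posted below; the Startup-folder path handed to cfscript_for is an assumption copied from the script above.

```python
"""Added example (not code from this thread, HijackThis or ComboFix).
Scans autostart entries in HijackThis O4 form for the pattern the CFScript
above removes: a Run value or Startup-folder .lnk that launches a file kept in
a six-hex-character folder under system32, or that is itself named that way.
Matches are rendered as a ComboFix CFScript fragment (File::/Folder::/Registry::)."""
import re
from dataclasses import dataclass

# Constructed sample. The 74BE16 lines are what HijackThis would have shown for
# the entries the CFScript removes; they are not in the posted (post-ComboFix) log.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [74BE16] C:\WINDOWS\system32\ACF7EF\74BE16.EXE',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Startup: 74BE16.lnk = C:\WINDOWS\system32\ACF7EF\74BE16.EXE',
    r'O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe',
]

O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O4_STARTUP = re.compile(r'^O4 - (?P<scope>Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$')
HEX_DIR = re.compile(r'\\system32\\(?P<dir>[0-9A-F]{6})\\', re.I)   # ...\system32\ACF7EF\...
HEX_NAME = re.compile(r'^[0-9A-F]{6}(\.lnk)?$', re.I)               # 74BE16 / 74BE16.lnk
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


@dataclass
class Finding:
    kind: str       # 'run' (registry Run value) or 'startup' (Startup-folder .lnk)
    name: str       # Run value name or .lnk file name
    target: str     # executable the entry launches
    hex_dir: str    # six-hex-char folder under system32, '' if none
    hive: str = ''  # HKLM / HKCU for Run values


def target_of(cmd):
    """First .exe path in a command line, quoted or not, with arguments dropped."""
    m = re.match(r'"?(?P<path>.+?\.exe)', cmd, re.I)
    return m.group('path') if m else cmd


def audit_autostart(lines):
    """Return the O4 entries that match the dropper pattern."""
    found = []
    for line in lines:
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        kind = 'run' if 'hive' in m.groupdict() else 'startup'
        target = target_of(m.group('cmd'))
        d = HEX_DIR.search(target)
        # Two independent signals: the launched file sits in a random hex-named
        # folder under system32, or the entry itself is named like one.
        if d or HEX_NAME.match(m.group('name')):
            found.append(Finding(kind, m.group('name'), target,
                                 d.group('dir') if d else '',
                                 m.groupdict().get('hive', '')))
    return found


def cfscript_for(findings, startup_dir):
    """Render a CFScript fragment removing the flagged entries. startup_dir is
    the user's Startup folder; the caller supplies it (assumed, not detected)."""
    files, folders, reg = [], [], []
    for f in findings:
        if f.kind == 'startup':
            files.append(f'{startup_dir}\\{f.name}')
        else:
            key = HIVES[f.hive] + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            reg.append(f'[{key}]\n"{f.name}"=-')
        if f.hex_dir:
            folders.append(f'c:\\windows\\system32\\{f.hex_dir}')
    out = []
    if files:
        out += ['File::', *files, '']
    if folders:
        out += ['Folder::', *sorted(set(folders)), '']
    if reg:
        out += ['Registry::', *reg, '']
    return '\n'.join(out).rstrip() + '\n'


if __name__ == '__main__':
    hits = audit_autostart(SAMPLE_O4)
    for h in hits:
        print(f'{h.kind:8} {h.name:12} -> {h.target}')
    print(cfscript_for(hits, r'c:\documents and settings\Administrator\Start Menu\Programs\Startup'))
```

The folder list only covers the folder an autostart entry points into; sibling folders such as 0F6226, 5A8DCC and 76682F in the script above were found by inspection of the file system, which an autostart audit alone cannot see.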


----------



## TOTO2009 (May 1, 2009)

*Here are the results of the virusscan.jotti.org:*

File: sfcfiles.dll
Status: OK
MD5: 9f960fac5166f8626b9cde4dd9a0eb84
Packers detected: -

Scanner results: "Found nothing" appeared in each of the categories.

*Here are the results of Combo-Fix.txt:*

ComboFix 09-05-02.4 - Administrator 05/05/2009 14:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.962.1033.18.1015.475 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\74BE16.lnk
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\spec.fne
c:\documents and settings\Administrator\Start Menu\Programs\Startup\74BE16.lnk
c:\windows\system32\0F6226
c:\windows\system32\5A8DCC
c:\windows\system32\5A8DCC\cnvpe.fne
c:\windows\system32\5A8DCC\dp1.fne
c:\windows\system32\5A8DCC\eAPI.fne
c:\windows\system32\5A8DCC\HtmlView.fne
c:\windows\system32\5A8DCC\internet.fne
c:\windows\system32\5A8DCC\krnln.fnr
c:\windows\system32\5A8DCC\RegEx.fnr
c:\windows\system32\5A8DCC\shell.fne
c:\windows\system32\5A8DCC\spec.fne
c:\windows\system32\76682F
c:\windows\system32\76682F\670df5.txt
c:\windows\system32\ACF7EF
c:\windows\system32\ACF7EF\74BE16.EXE
.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.
2009-05-04 03:14 . 2009-05-04 03:14 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-03 01:10 . 2009-05-03 01:10 -------- d-----w c:\program files\Trend Micro
2009-04-16 07:59 . 2009-04-16 07:59 -------- d-----w c:\program files\Kap.TOEFL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 21:34 . 2009-01-18 22:38 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-05 20:20 . 2009-03-30 21:46 438 ---ha-w c:\windows\Tasks\User_Feed_Synchronization-{58F809D4-6113-49EF-8631-D291D59F7AD5}.job
2009-05-01 23:33 . 2009-03-15 23:34 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-01 23:33 . 2009-03-15 23:34 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-01 23:33 . 2009-03-15 23:34 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-03 02:32 . 2009-04-03 00:27 -------- d-----w c:\program files\Phone2006
2009-03-30 21:41 . 2009-01-19 00:00 -------- d-----w c:\program files\Yahoo!
2009-03-29 05:51 . 2009-01-28 02:33 -------- d-----w c:\program files\Java
2009-03-21 23:15 . 2009-01-19 00:11 -------- d-----w c:\program files\Golden Al-Wafi Translator
2009-03-17 20:26 . 2009-03-17 20:26 -------- d-----w c:\program files\Common Files\Nokia
2009-03-17 20:26 . 2009-03-17 20:26 -------- d-----w c:\program files\Common Files\PCSuite
2009-03-17 20:25 . 2009-02-12 07:23 -------- d-----w c:\program files\Nokia
2009-03-14 18:17 . 2009-01-18 22:40 94632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-12 02:38 . 2009-03-12 02:38 -------- d-----w c:\program files\Common Files\Bcgsoft
2009-03-12 02:34 . 2009-03-12 02:34 -------- d-----w c:\program files\National Instruments
2009-03-12 02:33 . 2009-03-12 02:30 -------- d-----w c:\program files\Electronics Workbench
2009-03-12 02:30 . 2009-03-12 02:30 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 02:29 . 2009-03-12 02:29 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-11 18:01 . 2009-03-11 17:45 -------- d-----w c:\program files\MATLAB71
2009-03-09 12:19 . 2009-01-28 02:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-03 16:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-03 16:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-03 16:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-03 16:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-03 16:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-03 16:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-03 16:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-03 16:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-03 16:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2005-10-12 23:04 . 2005-10-12 23:04 131072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
.
------- Sigcheck -------
[-] 2008-01-05 11:56 1580544 9F960FAC5166F8626B9CDE4DD9A0EB84 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( [email protected]_03.44.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 20:17 . 2009-05-05 20:17 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-27 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-27 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-27 138008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-28 185872]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-11-27 16384512]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-11-27 1826816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 23:33 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MATLAB71\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-01 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-01 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-01 298776]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-07-19 264576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96358aa7-00fd-11de-9d47-00164473df2b}]
\Shell\AutoRun\command - F:\InstallTranslate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-05-05 c:\windows\Tasks\User_Feed_Synchronization-{58F809D4-6113-49EF-8631-D291D59F7AD5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alrai.com/
uInternet Connection Wizard,ShellNext = hxxp://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.188.7&uid=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 14:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-05 14:38
ComboFix-quarantined-files.txt 2009-05-05 21:38
ComboFix2.txt 2009-05-04 03:48
Pre-Run: 44,516,106,240 bytes free
Post-Run: 44,548,382,720 bytes free
154 --- E O F --- 2009-01-23 21:50

*Here are the results of the HijackThis: *

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:57:11 PM, on 05/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alrai.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.188.7&uid=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 7738 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## TOTO2009 (May 1, 2009)

Hello,

*The result is: No infections have been found.*

*Here are the content of the LOG:*

Malwarebytes' Anti-Malware 1.36
Database version: 2082
Windows 5.1.2600 Service Pack 2
06/05/2009 12:53:37 PM
mbam-log-2009-05-06 (12-53-37).txt
Scan type: Quick Scan
Objects scanned: 74369
Time elapsed: 4 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

That's good. 

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*JRE 6 Update 13*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## TOTO2009 (May 1, 2009)

Hello,

*Here are the results:*

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 07, 2009 09:42:50
Records in database: 2141994
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 168047
Threat name: 2
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 02:05:57

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr.vir Infected: Trojan.Win32.FlyStudio.da 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\5A8DCC\krnln.fnr.vir Infected: Trojan.Win32.FlyStudio.da 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ACF7EF\74BE16.EXE.vir Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026476.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026477.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026480.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026481.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027037.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027038.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027039.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027040.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027041.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP98\A0027964.EXE Infected: Trojan-Dropper.Win32.Flystud.ko 1
The selected area was scanned.
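All 13 hits in the report above sit in two places: ComboFix's quarantine (C:\Qoobox\Quarantine, where removed files are kept renamed to *.vir) and System Restore points (System Volume Information\_restore{...}\RPnn), which hold rollback copies that nothing executes from. The AVG scan posted later in the thread lists the same restore-point copies. As an added example that is not part of the thread or of Kaspersky's tooling, the Python below parses report lines of that form, classifies each hit by location, maps quarantine hits back to their original path and checks them against the "Other Deletions" list from the ComboFix log, so a report like this can be reconciled with what was already removed. The report lines and the deletion list are constructed from the logs above; the last sample line, a live copy of 74BE16.EXE, was not in the posted report and is included only so the live branch is exercised.

```python
r"""Added example (not code from this thread or from Kaspersky). Parses scan
report lines of the form 'path Infected: threat count' and sorts each hit by
where the file sits: ComboFix's quarantine (C:\Qoobox\Quarantine, originals
renamed *.vir), a System Restore point, or a live path. Quarantine hits are
mapped back to their original path and checked against the 'Other Deletions'
list from the ComboFix log."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the Kaspersky report above. The first four
# hit lines are copied from it; the last is a made-up live hit (not in the
# thread) so the 'live' branch is exercised.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr.vir Infected: Trojan.Win32.FlyStudio.da 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ACF7EF\74BE16.EXE.vir Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026476.exe Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP98\A0027964.EXE Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\WINDOWS\system32\ACF7EF\74BE16.EXE Infected: Trojan-Dropper.Win32.Flystud.ko 1
The selected area was scanned.
"""

# Subset of the paths ComboFix listed under 'Other Deletions' in the log above.
COMBOFIX_DELETED = [
    r'c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr',
    r'c:\windows\system32\5A8DCC\krnln.fnr',
    r'c:\windows\system32\ACF7EF\74BE16.EXE',
]

LINE = re.compile(r'^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$')
# ComboFix mirrors the original path under Quarantine\<drive letter>\ and appends .vir
QUARANTINE = re.compile(r'^[A-Z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Z])\\(?P<rest>.+)\.vir$', re.I)
RESTORE = re.compile(r'^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP(?P<rp>\d+)\\', re.I)


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    location: str   # 'quarantine', 'restore_point' or 'live'
    original: str   # pre-quarantine path for quarantine hits, else same as path


def classify(path):
    """Where the detected file lives; only 'live' paths can be executing."""
    if QUARANTINE.match(path):
        return 'quarantine'
    if RESTORE.match(path):
        return 'restore_point'
    return 'live'


def original_path(path):
    """Undo ComboFix's quarantine renaming: X:\Qoobox\Quarantine\C\a\b.vir -> C:\a\b."""
    m = QUARANTINE.match(path)
    if not m:
        return path
    return f"{m.group('drive').upper()}:\\{m.group('rest')}"


def parse_report(text):
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:            # headers, statistics and blank lines
            continue
        p = m.group('path')
        hits.append(Hit(p, m.group('threat'), int(m.group('count')), classify(p), original_path(p)))
    return hits


def summarize(hits):
    return Counter(h.location for h in hits)


def live_hits(hits):
    return [h for h in hits if h.location == 'live']


def restore_points(hits):
    """Restore-point numbers holding copies; a System Restore purge removes these."""
    return sorted({int(RESTORE.match(h.path).group('rp')) for h in hits if h.location == 'restore_point'})


def unexplained_quarantine(hits, deleted):
    """Quarantine hits whose original path is not in ComboFix's deletion list."""
    known = {d.lower() for d in deleted}
    return [h for h in hits if h.location == 'quarantine' and h.original.lower() not in known]


if __name__ == '__main__':
    hits = parse_report(SAMPLE_REPORT)
    print(dict(summarize(hits)), 'restore points:', restore_points(hits))
    for h in live_hits(hits):
        print('LIVE:', h.path, h.threat)
    for h in unexplained_quarantine(hits, COMBOFIX_DELETED):
        print('quarantined but not in ComboFix deletions:', h.original)
```

Run against the real report above, summarize reports 3 quarantine and 10 restore-point hits and no live ones; only a non-empty live_hits result would call for further cleanup steps.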


----------



## Cookiegal (Aug 27, 2003)

OK, please post a new HijackThis log.


----------



## TOTO2009 (May 1, 2009)

Hello,

*Here are the results:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:38:15 PM, on 09/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alrai.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.188.7&uid=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 7744 bytes


----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## TOTO2009 (May 1, 2009)

Hello,

I have updated my AVG anti-virus and scanned the whole computer. 10 viruses of type Worm have been detected. I deleted them and scanned the computer again; the result was: NO INFECTIONS FOUND.

*Thank you very much for your help and for your time indeed.*


----------



## Cookiegal (Aug 27, 2003)

Would you please post that log so I can see where those infections were located?


----------



## TOTO2009 (May 1, 2009)

Dear Cookiegal,

Sure, but I don't know how to do that. Would you please tell me?


----------



## Cookiegal (Aug 27, 2003)

I don't really know as I'm not using it. Look around for an area that lists the logs. If you can't find it, can you post a screenshot of the interface?


----------



## TOTO2009 (May 1, 2009)

Hello,

I already knew how to do that.

*Here are the results:*

"Scan ""Scan whole computer"" was finished." 
"Infections";"10";"10";"0" 
"Folders selected for scanning:";"Scan whole computer" 
"Scan started:";"10 أيار, 2009, 12:00:03 ص" 
"Scan finished:";"10 أيار, 2009, 12:43:14 ص (43 minute(s) 11 second(s))" 
"Total object scanned:";"426121" 
"User who launched the scan:";"Administrator" 
"Infections" 
"File";"Infection";"Result" 
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026476.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026477.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026480.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP93\A0026481.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027037.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027038.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027039.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027040.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP95\A0027041.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{6597291A-20CA-409E-8562-78F8FA44127B}\RP98\A0027964.EXE";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"Warnings" 
"File";"Infection";"Result" 
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\adrevolver.com.9b9d670a";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\adrevolver.com.f6cfcad4";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\adtech.de.f2a82575";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\media.adrevolver.com.7fd89687";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.13a6979d";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.3bcfb1ef";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.4862fb06";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.66561182";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.6baf87ba";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.8aafc627";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\real.com.99c35e71";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\tradedoubler.com.ba12c0e9";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\tradedoubler.com.ef90aa95";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Weborama";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\weborama.fr.30104bcb";"Found Tracking cookie.Weborama";"Moved to Virus Vault"


----------



## Cookiegal (Aug 27, 2003)

OK, well, those were all in system restore, so they were not a threat unless you actually did a restore, and as part of my final instructions we flush the restore points, which clears all of those out.

As for the cookies, you need to manage them better.

You need to clear out all of your cookies.

*Clean your Cache and Cookies in IE:* 
Close all instances of Outlook Express and Internet Explorer 
Go to Control Panel > Internet Options > General tab 
Click the "Delete Cookies" button 
Next to it, Click the "Delete Files" button 
When prompted, place a check in: "Delete all offline content", click OK

and then reset them as follows:

In IE click on Tools - Internet Options - privacy tab and select "advanced". Set First Party cookies to "prompt" and Third Party cookies to either "block" or "prompt" and check "always allow session cookies". Basically, you should refuse all cookies except those from sites you trust or need to log in to.

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "sites" and remove it from the list of blocked cookies there or change its designation to "always allow".

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *ComboFix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

***

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites, and if they aren't required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig, click OK and then click on the start-up tab.

http://www.systemlookup.com/lists.php?list=2
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php

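The triage Cookiegal does by hand above (restore-point copies are inert until a restore is run, cookies are a privacy nuisance, anything else is a live file to follow up) can be automated over the `;`-separated AVG 8 report layout TOTO2009 posted. This is an added example, not code from the thread or from AVG; the sample report, its GUID and cookie file name are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the AVG 8 report layout posted in the thread:
# section headers on their own line, then '"File";"Infection";"Result"' rows.
# The GUID and the cookie file name are placeholders, not values from the thread.
SAMPLE_REPORT = r'''"Infections"
"File";"Infection";"Result"
"C:\System Volume Information\_restore{RESTORE-GUID}\RP93\A0026476.exe";"Virus identified Worm/Generic_c.ACL";"Moved to Virus Vault"
"C:\WINDOWS\system32\ACF7EF\74BE16.EXE";"Trojan horse Generic_r.B0";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Administrator\Cookies\user@adtech[2].txt";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
'''

# Restore-point copies live under _restore{...}\RPnn and never run unless a restore is done.
RESTORE_RE = re.compile(r'^[A-Z]:\\System Volume Information\\_restore\{[^}]*\}\\RP\d+\\', re.I)
COOKIE_RE = re.compile(r'\\Cookies\\', re.I)


def _fields(line):
    """Split one report line into its double-quoted, ';'-separated fields."""
    return [f.strip().strip('"').strip() for f in line.strip().split(';')]


def parse_report(text):
    """Return (section, path, detection, result) tuples for every detection row."""
    rows, section = [], None
    for raw in text.splitlines():
        f = _fields(raw)
        if len(f) == 1 and f[0] in ("Infections", "Warnings"):
            section = f[0]                      # section header line
        elif section and len(f) == 3 and f[0] != "File":
            rows.append((section, f[0], f[1], f[2]))
    return rows


def classify(path):
    """Where a detection sits decides how urgent it is."""
    if RESTORE_RE.match(path):
        return "restore-point copy"     # inert; cleared by turning System Restore off and on
    if COOKIE_RE.search(path):
        return "tracking cookie"        # privacy nuisance, not executable code
    return "active location"            # a file that can run: the one to follow up


def triage(text):
    """Count detections per class so the active ones stand out."""
    return dict(Counter(classify(path) for _, path, _, _ in parse_report(text)))


if __name__ == "__main__": print(triage(SAMPLE_REPORT))
```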

----------



## TOTO2009 (May 1, 2009)

Dear Cookiegal,

Everything is OK now.
Thank you very much for the help.


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

