Vundo, Outerinfo, problem nearly fixed..[RESOLVED]


This topic is locked

#1
Kaito
Member, 37 posts
Hello,
I have been using instructions from reading other posts on removing the problems I had. However, I am unable to complete the last stage. I have used HijackThis, VundoFix, ComboFix, Eusing Registry Cleaner, Spybot - Search & Destroy, Avast.
I do not know how to use HijackThis, so I've saved the report from after I "think" I've cleaned it of every virus I have.

I include my HijackThis report and hope someone can understand it to tell me if it's clean or not quite.
Note: I have removed some of the errors in HijackThis, as in other forums they told others to remove them, so I did it on mine, but I still have a problem(s) with the computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:52:00, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {25F3A725-860C-4C2B-835D-FFB2C2184197} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7F83D029-AC8A-425B-A867-4A816FD226C7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [b032a2d4] rundll32.exe "C:\WINDOWS\system32\tgfgtlso.dll",b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201786215859
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - https://secure.cabal...ect2007/npz.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 4637 bytes


I'm assuming that
O2 - BHO: (no name) - {7F83D029-AC8A-425B-A867-4A816FD226C7} - (no file)
O2 - BHO: (no name) - {25F3A725-860C-4C2B-835D-FFB2C2184197} - (no file)

are bad things, but I'm uncertain.

I also note that I have something I can't find anywhere:
after I ran VundoFix and removed "all" of the things in the list after about 8 scans, my C drive has a "red cross" as its icon, instead of a normal HDD icon like my D drive. It is annoying, but I don't know how to fix this either; I think it came with a Vundo virus. My system is still a bit sluggish on the load up, but at least I don't get the errors while just trying to get into Windows, or an error saying C++ problem, any longer after removing what I found in my scans.

Any help would be useful; it's always good to learn how to fix the problems myself, but I'm unable to at the moment, heh.
Thanks for reading, sorry for wasting your time,
~kin

P.S. I have also uploaded my 2 other logs from the other scans, in case they can help anyone.


#2
andrewuk
Trusted Helper, Malware Removal, 5,297 posts
Hi Kaito

Welcome to geekstogo :)

OK, using HijackThis yourself to remove bad entries was a risk, but hopefully you have not removed any good entries. I should let you know, however, that if you have removed a good entry and we are unable to restore it, then once we have cleared your machine of malware I will have to direct you to another part of the forum for help. Going forward, I would not advise doing that again. That said, let's see what we can do.

Looking through your ComboFix and HijackThis reports, it looks like we have more to do. Though, yes, you were correct: you did/do have a Vundo infection amongst others. And yes, those HijackThis entries you highlighted were once bad entries, which we will clear later.


====STEP 1====
I know you have run it and attached the logs, but I want to re-run ComboFix and for you to post the log in your next reply, along with a new HijackThis log.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk

#3
Kaito
Topic Starter, Member, 37 posts
Hello Andrew(uk),
First let me say thank you for the help, and for the welcome; that was a faster reply than I expected ^^.
I uninstalled my Avast (yesterday) after the scan I did, to prevent it from interfering with any scan in the future.
Although I think I used the new ComboFix, seeing as I downloaded it 2 days ago, I did re-download it to my desktop as instructed. I also checked if there were any updates for HijackThis; it's fully updated.

This would be my new ComboFix log, from the new ComboFix from link 1 of the 2 links.

ComboFix 08-02-14.2 - Admin 2008-02-15 18:33:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-15 15:49 . 2008-02-15 18:33 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-02-14 22:40 . 2008-02-14 22:41 <DIR> d-------- C:\Program Files\UltraISO
2008-02-14 22:32 . 2008-02-14 22:32 <DIR> d-------- C:\WINDOWS\system32\zx8
2008-02-14 22:32 . 2008-02-14 22:32 <DIR> d-------- C:\WINDOWS\system32\pu1
2008-02-14 22:32 . 2008-02-14 22:32 <DIR> d-------- C:\WINDOWS\system32\ez2
2008-02-14 22:32 . 2008-02-14 22:32 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-13 22:11 . 2008-02-13 22:11 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-13 18:07 . 2008-02-13 18:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-13 18:07 . 2008-02-13 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-13 18:07 . 2008-02-13 18:07 267,480 --a------ C:\WINDOWS\system32\fsutil.dll
2008-02-13 17:58 . 2008-02-13 17:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 17:45 . 2008-02-13 17:49 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-02-13 16:39 . 2008-02-13 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-13 16:35 . 2008-02-15 12:54 <DIR> d-------- C:\Temp
2008-02-13 16:30 . 2008-02-13 16:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-13 15:05 . 2008-02-13 15:05 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 15:05 . 2008-02-13 15:05 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-12 19:21 . 2008-02-12 19:22 <DIR> d-------- C:\Program Files\Maxis
2008-02-12 16:21 . 2008-02-12 20:19 1,731 --a------ C:\WINDOWS\eReg.dat
2008-02-01 21:59 . 2008-02-15 14:48 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Skype
2008-02-01 21:57 . 2008-02-01 21:58 <DIR> d-------- C:\Program Files\Skype
2008-02-01 21:57 . 2008-02-01 21:57 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-01 21:57 . 2008-02-01 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-31 13:40 . 2008-02-05 20:19 <DIR> d-------- C:\Documents and Settings\Admin\Contacts
2008-01-31 13:39 . 2008-01-31 13:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-31 13:36 . 2008-01-31 13:39 <DIR> d-------- C:\Program Files\Windows Live
2008-01-31 13:36 . 2008-01-31 13:38 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-31 13:36 . 2008-01-31 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-31 13:34 . 2008-01-31 13:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-31 13:34 . 2005-02-25 03:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-31 13:30 . 2008-01-31 13:30 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-01-31 13:30 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-31 13:30 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-31 13:30 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-31 13:30 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-31 13:30 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-30 23:27 . 2008-01-30 23:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-01-29 22:06 . 2008-01-29 22:06 <DIR> d-------- C:\Program Files\Wanadoo Edition
2008-01-28 11:30 . 2008-01-28 11:30 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-28 11:30 . 2008-01-28 11:30 1 --a------ C:\WINDOWS\system32\SI.bin
2008-01-27 12:11 . 2008-01-27 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-27 12:11 . 2008-02-15 10:38 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-27 12:10 . 2008-01-27 12:10 <DIR> d-------- C:\Program Files\Azureus
2008-01-26 17:57 . 2004-08-04 06:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-26 16:05 . 2008-01-26 16:08 <DIR> d-------- C:\Heroes3
2008-01-26 15:30 . 1999-01-11 10:40 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-26 15:19 . 2008-01-26 15:19 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-26 13:16 . 2008-01-26 13:16 206 --a------ C:\WINDOWS\system32\npzupdate.conf
2008-01-26 13:16 . 2008-01-26 13:16 70 --a------ C:\WINDOWS\system32\npconf.md5
2008-01-25 21:20 . 2003-07-21 03:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-25 21:20 . 2005-01-04 18:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-25 21:16 . 2008-02-15 17:12 <DIR> d-------- C:\Program Files\Java
2008-01-25 21:16 . 2008-01-26 15:19 <DIR> d-------- C:\Program Files\Google
2008-01-25 21:16 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 21:15 . 2008-01-25 21:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-25 20:42 . 2008-01-25 20:42 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-01-25 20:35 . 2008-01-25 20:36 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-25 20:35 . 2007-09-28 21:05 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-01-25 20:30 . 2008-01-25 20:30 <DIR> d-------- C:\Program Files\C-Media 3D Audio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 17:37 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-01-25 20:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-25 19:42 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-01-25 19:42 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-01-25 19:37 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-25 19:29 --------- d-----w C:\Program Files\microsoft frontpage
2001-11-23 12:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25F3A725-860C-4C2B-835D-FFB2C2184197}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F83D029-AC8A-425B-A867-4A816FD226C7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-02-07 12:53 3497984]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 11:15 83968]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:32 208952]
"Cmaudio"="cmicnfg.cpl" []
"b032a2d4"="C:\WINDOWS\system32\tgfgtlso.dll" [ ]

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 18:33:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-15 18:34:35
ComboFix-quarantined-files.txt 2008-02-15 18:34:13
ComboFix2.txt 2008-02-15 15:50:53
ComboFix3.txt 2008-02-15 13:00:55
ComboFix4.txt 2008-02-13 21:19:36


This would be the new HijackThis log also.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:35:10, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {25F3A725-860C-4C2B-835D-FFB2C2184197} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7F83D029-AC8A-425B-A867-4A816FD226C7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [b032a2d4] rundll32.exe "C:\WINDOWS\system32\tgfgtlso.dll",b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201786215859
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - https://secure.cabal...ect2007/npz.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 4637 bytes


I've scanned through the log and again the only 2 things I can see out of place are as follows.

O2 - BHO: (no name) - {25F3A725-860C-4C2B-835D-FFB2C2184197} - (no file)
O2 - BHO: (no name) - {7F83D029-AC8A-425B-A867-4A816FD226C7} - (no file)

Everything else looks "in place", but I'm not an expert,
although I'm not sure what

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

is, but it might be for my Nvidia drivers.

I have a gut feeling something is wrong, as I said in my last post. My C drive has a big red X as the icon, which I've not seen before, but the logs look "fine" from what I can see (I'm a novice, but I've been checking this forum for a while to try to learn about problems so I can help others if they get some).

My system seems clean from what I can see, but I'm not sure ^^. Sorry for rambling; I just want to make sure you have all the details so you could help if there is a problem within the logs.
~kin
P.S. If you would like me to post future logs and "quote" is inconvenient, I can post them as "attachment" if you wish, whatever makes it easier for yourself.
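Kaito's question above is the classic one for this kind of thread: the log "looks fine", but which lines are actually the tell-tales? As an added example (editorial, not part of the thread and not a HijackThis feature), here is a small Python triage script that parses the O2/O4/O10/O23 lines copied from Kaito's log and flags the three patterns a malware-removal helper looks for first: a BHO registered with no name and no file, a Run value with a meaningless random name loading a DLL through rundll32, and a service whose binary is missing. The `KNOWN_LSP` allowlist and the eight-hex-digit "random name" heuristic are my assumptions; the allowlist encodes only what the helper states about nwprovau.dll in the reply that follows.

```python
import re
from dataclasses import dataclass

# Entry lines copied from the HijackThis log posted above; benign lines are kept as contrast.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {25F3A725-860C-4C2B-835D-FFB2C2184197} - (no file)
O2 - BHO: (no name) - {7F83D029-AC8A-425B-A867-4A816FD226C7} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [b032a2d4] rundll32.exe "C:\WINDOWS\system32\tgfgtlso.dll",b
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

# Winsock LSP modules vouched for in this thread as Microsoft components (assumed allowlist).
KNOWN_LSP = {"nwprovau.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section (O2, O4, O10, O23)
    name: str      # CLSID, Run value name, LSP module or service name
    reason: str    # why the entry is flagged
    line: str      # the original log line


def looks_random(name: str) -> bool:
    """Heuristic (assumption): Vundo-style Run values are eight hex digits with no vendor meaning."""
    return re.fullmatch(r"[0-9a-f]{8}", name, re.IGNORECASE) is not None


def triage(log_text: str) -> list:
    """Return the entries that match the patterns a removal helper checks first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            # A BHO registered with no name and no file on disk is a leftover hook, not a real add-on.
            if m["name"] == "(no name)" and m["path"] == "(no file)":
                findings.append(Finding("O2", m["clsid"], "orphaned BHO registration (no name, no file)", line))
        elif (m := O4_RE.match(line)):
            cmd = m["cmd"]
            # rundll32 itself is legitimate (see the Cmaudio entry); the signal is a
            # meaningless random value name combined with a DLL loaded out of system32.
            if looks_random(m["name"]) and cmd.lower().startswith("rundll32"):
                dll = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.IGNORECASE)
                target = (dll.group(1) or dll.group(2)) if dll else cmd
                findings.append(Finding("O4", m["name"], f"random-named autorun loading {target} via rundll32", line))
        elif (m := O10_RE.match(line)):
            module = m["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if module not in KNOWN_LSP:
                findings.append(Finding("O10", module, "Winsock LSP module not on the known-good list", line))
        elif (m := O23_RE.match(line)):
            # A service entry whose binary is gone is a leftover registration; it is
            # better removed than left to fail at every boot.
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("O23", m["name"], "service points to a missing binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}")
```

Run against the sample it reports exactly four entries: the two orphaned BHOs, the `b032a2d4` Run value, and the `MSControlService` service; the Skype, Java, Cmaudio and ATI lines pass, and nwprovau.dll is skipped because it is on the allowlist. The point of the contrast lines is that neither "rundll32" nor "(no name)" is suspicious on its own; it is the combination of signals on one entry that matters.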

#4
andrewuk
Trusted Helper, Malware Removal, 5,297 posts

i also checked if there was any updates for HijackThis

HijackThis is a scanning and fix tool; it does not itself specifically identify any malware. Hence, it tends not to be updated too often.

i've scanned through the log and again the only 2 things i can see out of place,

There are also 2 more things which we will try and clear in this post, and if not, then certainly in the next post:
O4 - HKLM\..\Run: [b032a2d4] rundll32.exe "C:\WINDOWS\system32\tgfgtlso.dll",b
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)


O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

is related to Microsoft and is OK.

i have a Gut feeling something is wrong

Your gut feeling is correct. In this post we will clear out what I can see in the ComboFix and HijackThis logs.

P.S if you would like me to post future logs, and "quote" is inconveniant, i can post them as "attatment" if you wish, whatever makes it easier for yourself.

You can just copy and paste the logs into the reply, though occasionally, if nothing happens, then put them in quotes. No need to attach the logs unless I ask for that.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\tgfgtlso.dll

Folder::
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\zx8
C:\WINDOWS\system32\pu1
C:\WINDOWS\system32\ez2

Driver::
MSControlService
Microsoft cache control
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25F3A725-860C-4C2B-835D-FFB2C2184197}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F83D029-AC8A-425B-A867-4A816FD226C7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b032a2d4"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
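The CFScript in step 2 is a plain text file whose `Section::` headers tell ComboFix what to delete (files, folders, a service, registry keys and values). As an added example, editorial rather than from the thread or from ComboFix's authors, here is a Python checker that parses the script posted above into its sections and then looks in the post-run ComboFix log (the one Kaito posts in the next reply) for evidence that each requested action happened. The section semantics are inferred from the posted script, and the evidence rules are an assumption taken from the thread's own log: a deleted file or folder appears as a literal path line under `FILE` or `Other Deletions`, a removed service appears as `-------\<name>` under `Drivers/Services`, and a removed registry key or value simply no longer shows in `Reg Loading Points`.

```python
# CFScript exactly as posted by the helper above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\tgfgtlso.dll

Folder::
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\zx8
C:\WINDOWS\system32\pu1
C:\WINDOWS\system32\ez2

Driver::
MSControlService
Microsoft cache control
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25F3A725-860C-4C2B-835D-FFB2C2184197}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F83D029-AC8A-425B-A867-4A816FD226C7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b032a2d4"=-
"""

# Excerpt of the ComboFix log produced after the script ran (copied from the thread,
# section banners shortened), trimmed to the parts the check uses.
POST_RUN_LOG = r"""
FILE
C:\WINDOWS\system32\tgfgtlso.dll
.
((((( Other Deletions )))))
.
C:\WINDOWS\system32\ez2
C:\WINDOWS\system32\ez2\tliamdll2.exe
C:\WINDOWS\system32\pu1
C:\WINDOWS\system32\pu1\hiba3133.exe
C:\WINDOWS\system32\zx8
C:\WINDOWS\system32\zx8\liopud89104.exe
.
((((( Drivers/Services )))))
.
-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService
((((( Reg Loading Points )))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"""


def parse_cfscript(text: str) -> dict:
    """Split a CFScript into {section: [items]}; a line ending in '::' opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def verify_cfscript(script_text: str, log_text: str) -> dict:
    """Map each requested item to 'deleted' / 'not found' (files, folders, services)
    or 'absent' / 'still present' (registry keys and values), based on the post-run log."""
    log_lines = {l.strip().lower() for l in log_text.splitlines()}
    log_lower = log_text.lower()
    sections = parse_cfscript(script_text)
    status = {}
    for path in sections.get("File", []) + sections.get("Folder", []):
        status[path] = "deleted" if path.lower() in log_lines else "not found"
    for name in sections.get("Driver", []):
        # ComboFix logs removed services by key name, so a display name will not match.
        status[name] = "deleted" if f"-------\\{name.lower()}" in log_lines else "not found"
    for entry in sections.get("Registry", []):
        if entry.startswith("[-"):
            # [-KEY] deletes the key; check its last component (here the CLSID) is gone.
            key = entry[2:-1].rsplit("\\", 1)[-1]
            status[entry] = "absent" if key.lower() not in log_lower else "still present"
        elif entry.startswith('"'):
            # "name"=- deletes a value under the preceding [KEY] line.
            value_name = entry.split("=", 1)[0]
            status[entry] = "absent" if value_name.lower() not in log_lower else "still present"
        # a plain [KEY] line only sets the context for the value lines that follow it
    return status


if __name__ == "__main__":
    for item, result in verify_cfscript(CFSCRIPT, POST_RUN_LOG).items():
        print(f"{result:14} {item}")
```

Two "not found" results are expected and are not failures: `C:\WINDOWS\system32\windows` never existed (the service entry already said "file missing"), and the display name "Microsoft cache control" does not match because ComboFix logs the removal under the service key `MSControlService` (and its `LEGACY_` entry). Everything else the script asked for is confirmed, which is the same conclusion a reader reaches by eye from the log in the next reply.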

#5
Kaito
Topic Starter, Member, 37 posts
Hello, and again, thank you for the reply.

I've just done what you asked for,

and these are the new logs.

ComboFix log is as follows.

ComboFix 08-02-14.2 - Admin 2008-02-15 20:48:44.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.721 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\tgfgtlso.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ez2
C:\WINDOWS\system32\ez2\tliamdll2.exe
C:\WINDOWS\system32\pu1
C:\WINDOWS\system32\pu1\hiba3133.exe
C:\WINDOWS\system32\zx8
C:\WINDOWS\system32\zx8\liopud89104.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService


((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 22:40 . 2008-02-14 22:41 <DIR> d-------- C:\Program Files\UltraISO
2008-02-14 22:32 . 2008-02-14 22:32 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-13 22:11 . 2008-02-13 22:11 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-13 18:07 . 2008-02-13 18:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-13 18:07 . 2008-02-13 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-13 18:07 . 2008-02-13 18:07 267,480 --a------ C:\WINDOWS\system32\fsutil.dll
2008-02-13 17:58 . 2008-02-13 17:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 17:45 . 2008-02-13 17:49 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-02-13 16:39 . 2008-02-13 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-13 16:35 . 2008-02-15 12:54 <DIR> d-------- C:\Temp
2008-02-13 16:30 . 2008-02-13 16:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-13 15:05 . 2008-02-13 15:05 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 15:05 . 2008-02-13 15:05 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-12 19:21 . 2008-02-12 19:22 <DIR> d-------- C:\Program Files\Maxis
2008-02-12 16:21 . 2008-02-12 20:19 1,731 --a------ C:\WINDOWS\eReg.dat
2008-02-01 21:59 . 2008-02-15 14:48 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Skype
2008-02-01 21:57 . 2008-02-01 21:58 <DIR> d-------- C:\Program Files\Skype
2008-02-01 21:57 . 2008-02-01 21:57 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-01 21:57 . 2008-02-01 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-31 13:40 . 2008-02-05 20:19 <DIR> d-------- C:\Documents and Settings\Admin\Contacts
2008-01-31 13:39 . 2008-01-31 13:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-31 13:36 . 2008-01-31 13:39 <DIR> d-------- C:\Program Files\Windows Live
2008-01-31 13:36 . 2008-01-31 13:38 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-31 13:36 . 2008-01-31 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-31 13:34 . 2008-01-31 13:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-31 13:34 . 2005-02-25 03:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-31 13:30 . 2008-01-31 13:30 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-01-31 13:30 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-31 13:30 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-31 13:30 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-31 13:30 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-31 13:30 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-30 23:27 . 2008-01-30 23:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-01-29 22:06 . 2008-01-29 22:06 <DIR> d-------- C:\Program Files\Wanadoo Edition
2008-01-28 11:30 . 2008-01-28 11:30 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-28 11:30 . 2008-01-28 11:30 1 --a------ C:\WINDOWS\system32\SI.bin
2008-01-27 12:11 . 2008-01-27 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-27 12:11 . 2008-02-15 20:43 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-27 12:10 . 2008-01-27 12:10 <DIR> d-------- C:\Program Files\Azureus
2008-01-26 17:57 . 2004-08-04 06:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-26 16:05 . 2008-01-26 16:08 <DIR> d-------- C:\Heroes3
2008-01-26 15:30 . 1999-01-11 10:40 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-26 15:19 . 2008-01-26 15:19 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-26 13:16 . 2008-01-26 13:16 206 --a------ C:\WINDOWS\system32\npzupdate.conf
2008-01-26 13:16 . 2008-01-26 13:16 70 --a------ C:\WINDOWS\system32\npconf.md5
2008-01-25 21:20 . 2003-07-21 03:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-25 21:20 . 2005-01-04 18:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-25 21:16 . 2008-02-15 17:12 <DIR> d-------- C:\Program Files\Java
2008-01-25 21:16 . 2008-01-26 15:19 <DIR> d-------- C:\Program Files\Google
2008-01-25 21:16 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 21:15 . 2008-01-25 21:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-25 20:42 . 2008-01-25 20:42 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-01-25 20:35 . 2008-01-25 20:36 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-25 20:35 . 2007-09-28 21:05 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-01-25 20:30 . 2008-01-25 20:30 <DIR> d-------- C:\Program Files\C-Media 3D Audio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 17:37 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-01-25 20:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-25 19:42 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-01-25 19:42 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-01-25 19:37 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-25 19:29 --------- d-----w C:\Program Files\microsoft frontpage
2001-11-23 12:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-02-07 12:53 3497984]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 11:15 83968]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:32 208952]
"Cmaudio"="cmicnfg.cpl" []


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 20:51:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-02-15 20:54:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 20:54:43
ComboFix2.txt 2008-02-15 18:34:36
ComboFix3.txt 2008-02-15 15:50:53
ComboFix4.txt 2008-02-15 13:00:55
ComboFix5.txt 2008-02-13 21:19:36


and the HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:58:54, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201786215859
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - https://secure.cabal...ect2007/npz.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4602 bytes


The file I created automatically got deleted after the reboot when I dragged it onto the ComboFix icon.

I have no idea what the CFScript.txt file was, but it did something: the things I assumed were wrong automatically got removed. I've yet to "fix" anything inside HijackThis; they have automatically been removed.
~kin

#6
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts

I have no idea what the CFScript.txt file was, but it did something: the things I assumed were wrong automatically got removed. I've yet to "fix" anything inside HijackThis; they have automatically been removed.

It removed some bad files, bad folders, bad drivers and bad registry entries. HijackThis looks at registry entries and can remove them. We merely took the opportunity to remove those bad registry entries as part of the ComboFix script, which saved us some time.

Your logs are looking better now. In this post we will do a couple of scans to see what else is on your machine.

Also, I don't see an antivirus program on your machine - is this the case?


====STEP 1====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 2====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply can I see:
1. the SUPERantispyware log
2. the kaspersky scan log
3. a new hijackthis log
4. some idea of how your machine is running now

andrewuk

#7
Kaito
    Member
  • Topic Starter
  • 37 posts
Hello,
Sorry for the slow reply.
You are correct: while doing those scans I did not have a virus scanner installed. As I said in my first post, I have avast, but I uninstalled it after I "assumed" my computer was clean; it has been installed again since the last post.

SUPERAntiSpyware Scan Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/16/2008 at 06:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3403
Trace Rules Database Version: 1395

Scan type : Complete Scan
Total Scan Time : 01:17:30

Memory items scanned : 364
Memory threats detected : 0
Registry items scanned : 4151
Registry threats detected : 0
File items scanned : 56746
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Admin\Cookies\admin@default[1].txt
C:\Documents and Settings\Admin\Cookies\admin@tribalfusion[1].txt


KASPERSKY ONLINE SCANNER

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 16, 2008 8:47:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/02/2008
Kaspersky Anti-Virus database records: 569372
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 62434
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:02:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008021620080217\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\Perflib_Perfdata_594.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF9CAD.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AD60D873-D050-4EBE-B5DA-A38FB2048DA9}\RP46\A0004568.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{AD60D873-D050-4EBE-B5DA-A38FB2048DA9}\RP46\A0004568.exe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_71c.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{53C63ABF-7EC0-4FB0-90E1-031E6D76ED93}\RP141\A0107930.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\System Volume Information\_restore{53C63ABF-7EC0-4FB0-90E1-031E6D76ED93}\RP141\A0107930.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\System Volume Information\_restore{53C63ABF-7EC0-4FB0-90E1-031E6D76ED93}\RP141\A0107930.exe NSIS: infected - 2 skipped

Scan process completed.


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:19, on 16/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201786215859
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - https://secure.cabal...ect2007/npz.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5546 bytes


The online scanner says I have viruses, but every scan I do, there are none; everything is totally clean, yet it says it's got some.
The computer is loading faster now, I don't have pop-ups, and I've installed a custom-made regedit to put my C drive icon back from the red cross I said I have to a normal icon. So all in all,

everything seems to be running fine.
I can't find any problems with viruses and adware, yet the one scan shows I have some, but I can't find it/remove it.
~kin

#8
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Hi Kaito

Congratulations, your logs are clean :)

You are correct: while doing those scans I did not have a virus scanner installed. As I said in my first post, I have avast, but I uninstalled it after I "assumed" my computer was clean; it has been installed again since the last post.

Good news. Always have one, and only one, antivirus program running on your machine. In today's world not having such protection is an invitation for trouble.

I can't find any problems with viruses and adware, yet the one scan shows I have some, but I can't find it/remove it.

The online scan was picking up some infections in your restore points, which we will clean out, so no problems there.


In this post we will flush your temp folders, clear away the fix tools, reset your restore points (there are infections lurking in there), and then I will leave you with some ideas on how to improve the protection of your machine against future infection.


====STEP 1====
flushing your temp folders

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
clearing away the fix tools and resetting your restore points
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

andrewuk
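The point about the detections sitting only in restore points can be checked mechanically rather than by eye. The following Python script is an added example, not part of this thread or of any tool named in it: it parses Kaspersky Online Scanner result lines in the layout shown in the previous post (the sample lines are copied, abbreviated, from that report), separates "Object is locked" noise from real detections, groups detections by the container file, and reports whether every infected object lives inside a System Restore snapshot. The line format and the "System Volume Information\_restore{GUID}\RPnn\" path pattern are assumptions taken from the log as posted.

```python
import re

# Sample lines copied (abbreviated) from the Kaspersky Online Scanner report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{AD60D873-D050-4EBE-B5DA-A38FB2048DA9}\RP46\A0004568.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{AD60D873-D050-4EBE-B5DA-A38FB2048DA9}\RP46\A0004568.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{53C63ABF-7EC0-4FB0-90E1-031E6D76ED93}\RP141\A0107930.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\System Volume Information\_restore{53C63ABF-7EC0-4FB0-90E1-031E6D76ED93}\RP141\A0107930.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\System Volume Information\_restore{53C63ABF-7EC0-4FB0-90E1-031E6D76ED93}\RP141\A0107930.exe NSIS: infected - 2 skipped
"""

# One result line reads "<path> <status> skipped". Paths contain spaces, so the
# status alternatives are anchored at the right end of the line (assumed format).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|NSIS: infected - (?P<count>\d+))"
    r"\s+skipped$"
)

# A System Restore snapshot lives under "System Volume Information\_restore{GUID}\RPnn\".
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)


def classify_line(line):
    """Return a record describing one result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # "file.exe/stream/data0006" is a member inside an installer archive; the
    # container is the part before the first forward slash (Windows paths use backslashes).
    container = path.split("/", 1)[0]
    if m.group("locked"):
        kind, detail = "locked", None
    elif m.group("name"):
        kind, detail = "infected", m.group("name")
    else:
        kind, detail = "archive-summary", int(m.group("count"))
    return {
        "path": path,
        "container": container,
        "kind": kind,
        "detail": detail,
        "in_restore_point": bool(RESTORE_POINT_RE.search(container)),
    }


def triage(report_text):
    """Summarise a report: locked objects are noise; detections are grouped by
    container file and flagged when the container sits inside a restore point."""
    records = [r for r in map(classify_line, report_text.splitlines()) if r]
    locked = sum(1 for r in records if r["kind"] == "locked")
    hits = [r for r in records if r["kind"] != "locked"]
    containers = {}
    for r in hits:
        if r["kind"] == "infected":
            containers.setdefault(r["container"], set()).add(r["detail"])
    live = [c for c in containers if not RESTORE_POINT_RE.search(c)]
    return {
        "locked": locked,
        "infected_objects": len(hits),          # matches the report's "infected objects" line
        "distinct_detections": len({r["detail"] for r in hits if r["kind"] == "infected"}),
        "containers": containers,
        "live_containers": live,
        # No container outside a restore point means the running system is clean
        # and resetting System Restore (the ComboFix /u step above) removes the rest.
        "only_restore_points": bool(containers) and not live,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("locked objects skipped:", summary["locked"])
    for container, names in summary["containers"].items():
        where = "restore point" if RESTORE_POINT_RE.search(container) else "LIVE"
        print(f"[{where}] {container}: {', '.join(sorted(names))}")
    print("infections confined to restore points:", summary["only_restore_points"])
```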

#9
Kaito
    Member
  • Topic Starter
  • 37 posts
Hello, and thank you Andrew.
Glad to hear the system is clean ^^ Now I won't have my girlfriend complaining, heh, "omg is that virus scan completed yet" etc.

thanks for the help ^^

#10
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
If your girlfriend's happy then we are all happy :)

Glad to see you have joined GeekU - good luck in your training!

andrewuk

#11
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.