Lots of viruses and malware [RESOLVED]


#1 MatrixEquilibrium (Member, 329 posts)

My retarded friend decided to download a keygen on my computer, which is illegal, and which no doubt would be filled with viruses.

The wallpaper changed instantly to 'spyware ad' crap, windows popped up, and Task Manager was deactivated. I used HijackThis! instantly and removed some things, but when I scanned with SpyBot, a lot of viruses were still there. I can't even use AdAware; the virus blocks it.

Here is what SpyBot produced:
Would you like me to paste the HJT log?

--- Search result list ---
Inet Delivery: Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-854245398-606747145-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery

Inet Delivery: Program directory (Directory, nothing done)
C:\Program Files\Inet Delivery\

GoldenPalace.Casino: Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-854245398-606747145-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW

MagicControl.Agent: Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-854245398-606747145-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent

MagicControl.Agent: Program directory (Directory, nothing done)
C:\WINDOWS\mslagent\

Smitfraud-C.: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MSVPS.MSVPSApp

Microsoft.WindowsSecurityCenter.TaskManager: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-854245398-606747145-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr!=dword:0

MediaPlex: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
BlueStreak: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
AdRevolver: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
AdRevolver: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Statcounter: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
TagASaurus: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Win32.Small.ddx: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Virtumonde: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

#2 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Hey MatrixEquilibrium,
welcome back :)

No need to post the HJT log, I already took a look at it :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Glad to be able to help again.

Harry

#3 MatrixEquilibrium (Topic Starter, Member, 329 posts)

Hello Harry,

Once again, I appreciate this very much. My computer has been nice and clean since about half a year ago, when I came here with the Zedo problem, which I figured out came from Metacafe.

Anyway, here's the Combofix log, the Malwarebytes one is in red/bold right after it:

ComboFix 08-03-30.5 - Administrator 2008-04-01 12:53:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.286 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Media\GeeksToGo\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\blackbird.jpg
C:\Documents and Settings\Administrator\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Administrator\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Administrator\Desktop\filemanagerclient.exe
C:\Documents and Settings\Administrator\Desktop\fkwp1.5.exe
C:\Documents and Settings\Administrator\Desktop\fkwp2.0.exe
C:\Documents and Settings\Administrator\Desktop\fwebd.exe
C:\Documents and Settings\Administrator\Desktop\FWebdEditor.exe
C:\Documents and Settings\Administrator\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\Administrator\Desktop\virii
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\dwltqnmx.exe
C:\WINDOWS\fkdnrwsv.dll
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\stfngdvw.dll
C:\WINDOWS\sxfnewqb.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 12:46 . 2008-04-01 12:46 <DIR> d-------- C:\ComboFix[1]
2008-04-01 12:34 . 2008-04-01 12:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 12:34 . 2008-04-01 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 12:34 . 2008-04-01 12:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-01 11:31 . 2008-04-01 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nkrofcha
2008-04-01 11:31 . 2008-04-01 11:31 106,496 --a------ C:\WINDOWS\system32\buvexano.exe
2008-04-01 11:31 . 2008-04-01 11:31 21,596 --a------ C:\Program Files\antiviirus.exe
2008-04-01 11:31 . 2008-04-01 11:31 16,472 -r-hs---- C:\Program Files\tmp3.exe
2008-04-01 11:31 . 2008-04-01 11:31 16,472 -r-hs---- C:\Program Files\tmp2.exe
2008-04-01 11:31 . 2008-04-01 11:31 16,472 -r-hs---- C:\Program Files\tmp1.exe
2008-04-01 11:31 . 2008-04-01 11:31 16,472 -r-hs---- C:\Program Files\tmp0.exe
2008-03-31 10:11 . 2008-03-31 10:11 <DIR> d-------- C:\Program Files\RealVNC
2008-03-17 14:40 . 2008-03-24 20:57 <DIR> d-------- C:\Program Files\ShredderChess
2008-03-17 14:40 . 2008-03-17 14:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ShredderChess
2008-03-17 02:19 . 2008-03-17 02:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PogoChessBuddy
2008-03-17 02:18 . 2008-03-17 02:18 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-03-17 02:18 . 2008-03-20 13:58 <DIR> d-------- C:\Program Files\Chess Buddy Pogo
2008-03-17 02:18 . 2008-03-20 14:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 16:37 --------- d-----w C:\Program Files\FlashGet
2008-04-01 00:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-03-27 05:40 --------- d-----w C:\Program Files\AIM6
2008-03-27 05:39 --------- d-----w C:\Program Files\Viewpoint
2008-03-27 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-27 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-27 05:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-20 18:53 --------- d-----w C:\Program Files\Pawn 2
2008-03-12 20:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 00:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-02-29 04:29 --------- d-----w C:\Program Files\Java
2008-02-29 04:07 --------- d-----w C:\Program Files\Opera
2007-11-29 02:29 85,192 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 06:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 17:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 14:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"9goXcGXZAM"= C:\Documents and Settings\All Users\Application Data\nkrofcha\vibavyzu.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1140464654\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
C:\Program Files\Media Access\MediaAccK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2005-08-31 20:27 1658592 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-03-23 12:20 227328 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-20 15:30 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S3 DIGIRPS;Digi PortServer Driver;C:\WINDOWS\system32\DRIVERS\digirlpt.sys [2001-08-17 12:17]
S4 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 12:58:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 13:02:51
ComboFix-quarantined-files.txt 2008-04-01 18:02:43
Pre-Run: 2,305,282,048 bytes free
Post-Run: 2,293,477,376 bytes free


Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.09
Database version: 578

Scan type: Quick Scan
Objects scanned: 29293
Time elapsed: 10 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Installer\{1fedbdb9-3505-47b1-8bec-b69237f0d1b2}\zip.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\Installer\{93bea38d-bd14-46b5-ba40-78d09dfc8d58}\RamCD.dll (Trojan.Alphabet) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1fedbdb9-3505-47b1-8bec-b69237f0d1b2} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93bea38d-bd14-46b5-ba40-78d09dfc8d58} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\RamCD (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{1fedbdb9-3505-47b1-8bec-b69237f0d1b2} (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{93bea38d-bd14-46b5-ba40-78d09dfc8d58} (Trojan.Alphabet) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Installer\{1fedbdb9-3505-47b1-8bec-b69237f0d1b2}\zip.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{93bea38d-bd14-46b5-ba40-78d09dfc8d58}\RamCD.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:44 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\nkrofcha\vibavyzu.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\nkrofcha\vibavyzu.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 3298 bytes



Thank you again Harry :)
Matrix

#4 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Pretty neat how the tools have gotten better here, MatrixEquilibrium; lots of work has been done since your last visit.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\All Users\Application Data\nkrofcha
    C:\Program Files\Media Access\MediaAccK.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

As usual, a fresh HJT log, and a report on how it's running.
(and get rid of the P2P programs)

Harry

#5 MatrixEquilibrium (Topic Starter, Member, 329 posts)

C:\Documents and Settings\All Users\Application Data\nkrofcha moved successfully.
File/Folder C:\Program Files\Media Access\MediaAccK.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04012008_133431


Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:28 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\nwlypavs.exe
C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vgiauuwe] C:\WINDOWS\system32\nwlypavs.exe
O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 3362 bytes

I took a shower and came back while AdAware ran. Something called AdBlaster was found, and tracking cookies. Nothing else was found. AdAware had an error and shut down again while I tried to remove it.

Thanks,
Matrix
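
The two HijackThis logs above show the same autostart surviving the first cleanup under a fresh random name. As an added example (not part of the thread, and not code from any of the tools mentioned in it), this Python script parses the O4 autostart lines of constructed excerpts of those two logs, flags entries by image location, registry key and naming pattern, and diffs the logs to surface the re-seeded entry. The 8-letter-name rule is an assumption tuned to this dropper, not a general-purpose signature.

```python
"""Triage HijackThis O4 (autostart) lines and diff two scans of the same machine."""
import re
from dataclasses import dataclass

# Constructed excerpts (O4 lines only) of the two HijackThis logs quoted in this thread:
# the first from before OTMoveIt2 ran, the second from after it.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\nkrofcha\vibavyzu.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vgiauuwe] C:\WINDOWS\system32\nwlypavs.exe
O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# O4 - <registry location>: [<value name>] <command line> [(User '<name>')]
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
# Directories that ordinary software does not autostart from on an XP box.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")
# Naming pattern of the dropper in this thread (nkrofcha, vibavyzu, zoxsbmjy, ...).
# Assumption tuned to this case; a weak signal on its own, so it is one reason among several.
RANDOM_NAME = re.compile(r"[a-z]{8}")


@dataclass(frozen=True)
class AutoStart:
    key: str    # registry location as HJT prints it, e.g. HKLM\..\Policies\Explorer\Run
    value: str  # registry value name, e.g. 9goXcGXZAM
    cmd: str    # full command line as HJT prints it


def parse_o4(log: str) -> list[AutoStart]:
    """Return every O4 line of a HijackThis log as an AutoStart; other lines are ignored."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append(AutoStart(m["key"], m["value"], m["cmd"]))
    return out


def image_path(cmd: str) -> str:
    """Drop arguments and a leading quote: keep the command line up to the first '.exe'."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(e: AutoStart) -> list[str]:
    """Reasons an autostart deserves a closer look; an empty list means nothing was flagged."""
    reasons = []
    path = image_path(e.cmd)
    if any(d in path.lower() for d in PROFILE_DIRS):
        reasons.append("image runs from a profile/data directory rather than Program Files or system32")
    if "policies\\explorer\\run" in e.key.lower():
        reasons.append("registered under Policies\\Explorer\\Run, a key ordinary software rarely uses")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name without extension
    if RANDOM_NAME.fullmatch(e.value) or RANDOM_NAME.fullmatch(stem):
        reasons.append("value or file name is 8 lowercase letters, the pattern this dropper generates")
    return reasons


def compare(before: list[AutoStart], after: list[AutoStart]) -> dict:
    """Diff two logs by (key, value): entries that are new, gone, or re-pointed at a new image."""
    b = {(e.key, e.value): e for e in before}
    a = {(e.key, e.value): e for e in after}
    return {
        "added": [a[k] for k in sorted(a.keys() - b.keys())],
        "removed": [b[k] for k in sorted(b.keys() - a.keys())],
        "changed": [(b[k], a[k]) for k in sorted(a.keys() & b.keys()) if a[k].cmd != b[k].cmd],
    }


def report(before_log: str, after_log: str) -> list[str]:
    """One line per finding: flagged entries in the newer log, then what changed between logs."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    lines = [f"FLAG [{e.value}] {e.cmd}: {r}" for e in after for r in triage(e)]
    diff = compare(before, after)
    lines += [f"NEW [{e.value}] {e.cmd}" for e in diff["added"]]
    lines += [f"GONE [{e.value}] {e.cmd}" for e in diff["removed"]]
    # Same value name, new random image: the persistence was re-seeded after the first cleanup.
    lines += [f"RESEEDED [{o.value}] {image_path(o.cmd)} -> {image_path(n.cmd)}" for o, n in diff["changed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(HJT_BEFORE, HJT_AFTER)))
```

The location rule alone would miss nwlypavs.exe, which sits in system32; the diff against the earlier log is what exposes it as new, which is why a second scan after every cleanup step matters.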

#6 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Time to take a different look:
  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Please attach this report to your reply (Do not copy and paste)

I will be away for a bit, hang in there :)

Harry

#7 MatrixEquilibrium (Topic Starter, Member, 329 posts)

Thanks Harry, everything's almost back to normal.

I was just reading The Onion :)

RenV isn't doing anything. As soon as I clicked it, a log showed up on the desktop, and two new '.exe' files.

The log says: Ran on Tue 04/01/2008 - 14:00:13.92

The exe files are: nircmd.exe and sed.exe

I'll be going for a little too.

Thank you VERY MUCH Harry :)

#8 MatrixEquilibrium (Topic Starter, Member, 329 posts)

Should I worry about keyloggers?

I'm paranoid about typing my password into any field.

Edited by MatrixEquilibrium, 01 April 2008 - 12:08 PM.


#9 harrythook (Trusted Helper, Retired Staff, 2,618 posts)


    Should I worry about keyloggers?

    I'm paranoid about typing my password into any field.

No worries, we will try to make your machine as secure as possible.

It's a bit different from the last time; read the instructions:
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.

Harry

#10 MatrixEquilibrium (Topic Starter, Member, 329 posts)

Was it supposed to take 5 seconds?

Because that's what it did...

It's attached in txt.

#11
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hi MatrixEquilibrium,
Yes the scan is very quick.
More cleaning:

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [Registry - Non-Microsoft Only]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> vgiauuwe -> %SystemRoot%\system32\nwlypavs.exe
    [Files/Folders - Created Within 30 days]
    NY -> buvexano.exe -> %SystemRoot%\System32\buvexano.exe
    NY -> fdsv.exe -> %SystemRoot%\System32\fdsv.exe
    NY -> grep.exe -> %SystemRoot%\System32\grep.exe
    NY -> nwlypavs.exe -> %SystemRoot%\System32\nwlypavs.exe
    NY -> sed.exe -> %SystemRoot%\System32\sed.exe
    NY -> zip.exe -> %SystemRoot%\System32\zip.exe
    [Files/Folders - Modified Within 30 days]
    NY -> buvexano.exe -> %SystemRoot%\System32\buvexano.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Include a fresh HJT log also.

Harry
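The list Harry pasted above is an excerpt of an OTScanIt report rather than a set of bare paths: each line carries the scanner's two-letter flags and a display name before the actual target, the registry section names the Run key on a separate header line, and %SystemRoot% is still unexpanded. The Python below is an added example for this thread (not code from OTScanIt, OTMoveIt2 or the helper) that parses those lines into the registry autorun value and the de-duplicated file paths they refer to, and then cross-references which recently created file is also an autostart target. The line shapes are inferred from the excerpt, and the %SystemRoot% expansion table is an assumption for offline use.

```python
import re

# Constructed sample: the report lines quoted in the thread, verbatim.
SAMPLE_REPORT = r"""
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> vgiauuwe -> %SystemRoot%\system32\nwlypavs.exe
[Files/Folders - Created Within 30 days]
NY -> buvexano.exe -> %SystemRoot%\System32\buvexano.exe
NY -> fdsv.exe -> %SystemRoot%\System32\fdsv.exe
NY -> grep.exe -> %SystemRoot%\System32\grep.exe
NY -> nwlypavs.exe -> %SystemRoot%\System32\nwlypavs.exe
NY -> sed.exe -> %SystemRoot%\System32\sed.exe
NY -> zip.exe -> %SystemRoot%\System32\zip.exe
[Files/Folders - Modified Within 30 days]
NY -> buvexano.exe -> %SystemRoot%\System32\buvexano.exe
"""

# Assumed expansion table; the thread's HJT log shows an XP box under C:\WINDOWS.
# On the real machine os.path.expandvars() would read the live environment.
ENV = {"SystemRoot": r"C:\WINDOWS"}

# Line shapes inferred from the excerpt (assumption):
#   [Section name]
#   < Run [hive] > -> <registry key>
#   YY -> <value name> -> <value data>    (registry section)
#   NY -> <file name>  -> <path>          (file sections)
SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
KEY_RE = re.compile(r"^<\s*[^>]+?\s*>\s*->\s*(?P<key>.+)$")
ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2})\s*->\s*(?P<name>.+?)\s*->\s*(?P<target>.+)$")


def expand(path):
    """Replace %VAR% with the assumed value; unknown variables are left alone."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)


def parse_report(text):
    """Return (registry_values, file_paths).

    registry_values: list of (key, value name, expanded data) from Registry sections.
    file_paths: expanded paths from the file sections, de-duplicated case-insensitively
    (the Created and Modified sections list the same file twice) and sorted.
    Section headers, key headers and anything else are never treated as paths.
    """
    registry, files = [], {}
    section, current_key = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m["name"], None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        target = expand(m["target"])
        if section.startswith("Registry"):
            registry.append((current_key, m["name"], target))
        else:
            files.setdefault(target.lower(), target)
    return registry, sorted(files.values(), key=str.lower)


def autorun_backed_files(text):
    """Recently created files that an autorun value also points at.

    These belong together in a cleanup: removing only the file leaves a
    dangling Run value, removing only the value leaves the binary on disk.
    """
    registry, files = parse_report(text)
    run_targets = {data.lower() for _, _, data in registry}
    return [f for f in files if f.lower() in run_targets]


if __name__ == "__main__":
    reg, paths = parse_report(SAMPLE_REPORT)
    for key, name, data in reg:
        print(f"autorun {key}\\{name} = {data}")
    for p in paths:
        print("file", p)
    print("autorun-backed:", autorun_backed_files(SAMPLE_REPORT))
```

On the sample this yields one Run value (vgiauuwe under HKCU\...\CurrentVersion\Run) and six distinct files, with nwlypavs.exe the one that is both newly created and started from the registry, which is exactly the pairing the helper's list targets.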

#12
MatrixEquilibrium
    Member
  • Topic Starter
  • 329 posts
File/Folder [Registry - Non-Microsoft Only] not found.
File/Folder < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run not found.
File/Folder YY -> vgiauuwe -> %SystemRoot%\system32\nwlypavs.exe not found.
File/Folder [Files/Folders - Created Within 30 days] not found.
File/Folder NY -> buvexano.exe -> %SystemRoot%\System32\buvexano.exe not found.
File/Folder NY -> fdsv.exe -> %SystemRoot%\System32\fdsv.exe not found.
File/Folder NY -> grep.exe -> %SystemRoot%\System32\grep.exe not found.
File/Folder NY -> nwlypavs.exe -> %SystemRoot%\System32\nwlypavs.exe not found.
File/Folder NY -> sed.exe -> %SystemRoot%\System32\sed.exe not found.
File/Folder NY -> zip.exe -> %SystemRoot%\System32\zip.exe not found.
File/Folder [Files/Folders - Modified Within 30 days] not found.
File/Folder NY -> buvexano.exe -> %SystemRoot%\System32\buvexano.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04022008_125253


I locked my computer and left, came back and one of those spyware ads was there. ;\

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:49 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nwlypavs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vgiauuwe] C:\WINDOWS\system32\nwlypavs.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 3497 bytes

Edit: I was using my computer and suddenly windows 5.1 tried to install. Instead of next, I put cancel, and it came up again. I kept cancelling it and it kept coming up till I ended the process from task manager. But...I have no idea why that happened. :\

Edit2: I scanned using Ad-Aware, a full scan, and after about 30 minutes it completed and the result was that I had AdBlaster adware, and a few tracking cookies. I deleted both, but this isn't the first time I scan and find it since I posted this topic.

Edited by MatrixEquilibrium, 02 April 2008 - 01:08 PM.

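Reading the HJT log above by hand, the two O4 lines a helper would pull out are the HKCU Run value vgiauuwe that starts an eight-letter executable, and the Policies\Explorer\Run value that launches a file from All Users\Application Data. The Python below is an added example, not code from HijackThis or from this thread, that scores O4 lines on those signals: an executable under a profile Application Data folder, a Policies run key, a value name unrelated to the executable name, and the eight-lowercase-letter file names this particular infection used. The weights and threshold are assumptions chosen to mirror the helper's picks; the sample lines are copied from the log above, and legitimate entries such as hkcmd.exe and ctfmon.exe are kept in the sample to show they score zero.

```python
import ntpath
import re

# Constructed sample: O4 lines copied from the HJT log quoted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vgiauuwe] C:\WINDOWS\system32\nwlypavs.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

# HJT O4 layout: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def extract_exe(cmd):
    """Pull the executable path out of an O4 command line."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd)   # drop HJT's "(User 'X')" suffix
    if cmd.startswith('"'):                           # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", cmd)      # unquoted: cut after the first .exe
    return m.group(1) if m else cmd.split()[0]


def score_entry(key, name, cmd):
    """Heuristic score (an assumption for this example) plus the contributing reasons."""
    exe = extract_exe(cmd)
    base = ntpath.splitext(ntpath.basename(exe))[0].lower()
    score, reasons = 0, []
    if "\\application data\\" in exe.lower():
        score += 2
        reasons.append("runs from a profile Application Data folder")
    if key.lower().startswith("policies\\"):
        score += 2
        reasons.append("registered under a Policies\\...\\Run key")
    n = name.lower()
    if base and not (base in n or n in base):
        score += 1
        reasons.append("value name unrelated to executable name")
    if re.fullmatch(r"[a-z]{8}", base):
        score += 1
        reasons.append("eight random-looking lowercase letters (pattern in this thread)")
    return score, reasons, exe


def triage(log_text, threshold=2):
    """Return the O4 entries whose score reaches the threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        score, reasons, exe = score_entry(m["key"], m["name"], m["cmd"])
        if score >= threshold:
            flagged.append({"name": m["name"], "exe": exe, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_O4):
        print(f'[{hit["name"]}] {hit["exe"]} score={hit["score"]}')
        for r in hit["reasons"]:
            print("   -", r)
```

The unrelated-name check is what keeps igfxhkcmd/hkcmd.exe and ctfmon.exe at zero even though their names contain almost no vowels, which is why a plain "looks random" test on the file name alone is a poor signal on Windows; location and the Policies key carry most of the weight.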

#13
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Unfortunately my work has consumed a lot of time, I will be responding tonight or tomorrow morning.

Sorry for the delay :)

Harry

#14
MatrixEquilibrium
    Member
  • Topic Starter
  • 329 posts
It's all good.

You're the one helping me, don't apologize :)

#15
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hey Matrix,
I believe most of the baddies are gone, let's look at the rest of things.
This is just a search tool for now:
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

And to double check on any rooties in there, run the latest scanner:
Download RootAlyzer to your desktop.
  • Unzip it to a folder on your desktop, close all windows, and run RootAlyzer.exe
  • Click Ok to the two prompts and let the program run its Quick Scan automatically, this should only take a few seconds
  • Click the Deep Scan tab, check all the boxes and click Ok. Let the scan run un-interrupted, it will take a few minutes.
  • When it is finished scanning, a Log tab will appear at the top, click that. Highlight all the text, right-click on it and press Copy.
  • Paste that information back here by pressing Ctrl + V, or right-click and press Paste. Also mention if you had any problems.

Let's see if we can find the last of the pop-ups :)

Harry