Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Downloaded a virus and its driving me nuts [RESOLVED]


  • This topic is locked This topic is locked

#16
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you see bak folders for those paths I listed?

For Avast, try reinstalling it. If you have Norton Antivirus, then yes, uninstall it. Otherwise, it might cause conflict with Avast.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

AWF::
c:\Program Files\Microsoft Works\bak\
C:\PROGRA~1\QUICKENW\bak\
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

Advertisements


#17
coryw

coryw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Sorry it has taken me awhile i have been busy with work i hope you can still help me here is the log you asked for.

ComboFix 08-04-24.1 - Owner 2008-05-04 0:02:12.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-04-19 09:24 . 2008-04-19 09:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 10:54 . 2008-04-13 14:51 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-04-12 17:17 . 2008-04-12 17:17 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-12 17:01 . 2008-04-12 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
2008-04-12 10:50 . 2008-04-12 10:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-04-11 16:22 . 2008-05-03 23:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-11 16:22 . 2008-04-11 16:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 18:09 . 2008-04-09 18:09 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-06 11:15 . 2008-04-06 11:15 <DIR> d-------- C:\Program Files\iPod
2008-04-06 11:14 . 2008-04-06 11:15 <DIR> d-------- C:\Program Files\iTunes
2008-04-05 18:46 . 2008-04-05 18:49 <DIR> d-------- C:\Program Files\QuickTime
2008-04-05 18:12 . 2008-04-05 18:12 <DIR> d-------- C:\Program Files\Secunia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 03:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 21:00 --------- d-----w C:\Program Files\Absolute Poker
2008-04-18 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-13 14:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 14:34 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-09 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\bqhanczq
2008-04-06 15:25 --------- d-----w C:\Program Files\Java
2008-03-29 17:12 --------- d-----w C:\Program Files\Belltech Business Card Designer Pro
2008-03-24 14:32 --------- d-----w C:\Program Files\SpywareGuard
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-08 22:26 --------- d-----w C:\Program Files\LimeWire
2008-03-08 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2008-02-07 08:18 335,872 ----a-w C:\WINDOWS\SYSTEM32\EKIJ5000MON.dll
2007-02-12 22:23 628 -c--a-w C:\Program Files\INSTALL.LOG
2001-07-26 21:58 47 -c--a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 -c--a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 15:39 53,248 -c--a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 20:36 114,688 -c--a-w C:\Program Files\lxarscan.dll
2001-04-23 19:22 1,437 -c--a-w C:\Program Files\gtx73.ini
2001-02-22 14:54 768 -c--a-w C:\Program Files\x73_lut.dat
2006-01-22 22:08 32 --sha-w C:\WINDOWS\{9A5D8627-833A-4A25-9E74-26DE2A9FEC84}.dat
2006-01-22 22:08 32 --sha-w C:\WINDOWS\SYSTEM32\{DD249312-BD13-4496-8B9A-B6BC6A82251D}.dat
.

((((((((((((((((((((((((((((( [email protected]_11.50.21.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 15:35:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 03:49:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 03:49:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-01-22 18:17 100056]
"S3TRAY2"="S3tray2.exe" [2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 19:34 212992]
"QAGENT"="C:\PROGRA~1\QUICKENW\QAGENT.EXE" [ ]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"NvCplDaemon"="NvQTwk" []
"LTMSG"="LTMSG.exe" [2003-07-14 14:52 40960 C:\WINDOWS\ltmsg.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 21:25 143360]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 13:04 52736]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-07 04:18 1052672]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-15 00:22 38592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32 58984]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2008-02-22 05:09:52 626688]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
MsnVirRem.exe [2007-03-11 12:16:13 23552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Netscape\\Navigator 9\\navigator.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-12-13 12:07]
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 23:02:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 22:48:42 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt [email protected]
"2008-05-02 23:00:49 C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job"
- C:\Program Files\Kodak\Printer\Center\Kodak.Statistics.exe
"2007-03-12 22:09:02 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2008-04-19 00:31:27 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-05-04 04:12:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 00:07:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-04 0:14:12
ComboFix-quarantined-files.txt 2008-05-04 04:13:47
ComboFix2.txt 2008-04-27 16:28:49
ComboFix3.txt 2008-04-26 15:51:03

Pre-Run: 52,978,176,000 bytes free
Post-Run: 52,965,355,520 bytes free

157 --- E O F --- 2008-04-09 22:12:56
  • 0

#18
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete this folder in Safe Mode:

C:\Documents and Settings\All Users\Application Data\bqhanczq

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#19
coryw

coryw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
wow thanks for your time and patience.

Cory
  • 0

#20
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP