
Infected Badly - Please Help [CLOSED]


This topic is locked.

#1 jf3000 (New Member, 5 posts)

I have no idea where this came from, as I am usually careful with everything. These 2 files appear in my startup:

lphcn8qj0ene5.exe

and

bwwwqaex.dll

For some weird reason the Kodak installer also started and installed the software, which I removed a long time ago; it is so strange that it decided to go and install itself. The background wallpaper has been replaced with the usual "you have spyware" message, and Antivirus XP 2007 tried to install as well, but I killed the install.

The virus scanner is going berserk; it says I have something called Win32.Vapsup-EB [Adw] and also found this: Win32:Agent-LTS [Trj]

====Hijackthis Log====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:22 AM, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ILOVEAIMEEFOREVER\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.besttoolbars.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.160.69.2:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC} - C:\WINDOWS\vwsrfton.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} - http://unshaped.paci...u/SpeedCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215895027671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198153022625
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer = 10.1.1.1,10.1.1.4
O18 - Protocol: cdefs - {B5F329B4-2BBD-48F5-ADAF-9EAF2AFE37B3} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 5153 bytes

=======

I see that besttoolbars is there; that has got to be bad and the cause of my headaches.

Thank you.

Attached thumbnail: hijackthis.jpg

Edited by jf3000, 13 August 2008 - 11:14 AM.
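The entries jf3000 singles out (the besttoolbars SearchAssistant, and the R1 proxy and O3 toolbar lines beside it) are exactly what a helper scans a HijackThis log for first. The script below is an added example, not part of this thread, of HijackThis or of any tool named in it: it encodes a few of those checks as heuristics of my own and runs them over lines copied from the log above. The list of default Microsoft host prefixes, the severity labels and the "directly under C:\WINDOWS" rule are assumptions; the forum display truncated the long Microsoft URLs, so hosts are compared by prefix rather than exactly.

```python
"""Triage a HijackThis log for the entries a malware-removal helper checks first.

Added example; not part of the forum thread, of HijackThis or of any tool named
above. The rules are the editor's own heuristics. The sample lines are copied from
the log in the first post, with the URLs truncated exactly as the forum shows them.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.besttoolbars.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.160.69.2:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC} - C:\WINDOWS\vwsrfton.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer = 10.1.1.1,10.1.1.4
O18 - Protocol: cdefs - {B5F329B4-2BBD-48F5-ADAF-9EAF2AFE37B3} - (no file)
"""

# Hosts Internet Explorer points at out of the box (assumed list). The forum
# shortened long URLs to "go.microsoft....k/", so compare on a prefix, not the host.
DEFAULT_HOST_PREFIXES = ("go.microsoft.", "www.microsoft.", "www.msn.")

# "<section> - <rest>", e.g. "R1 - HKCU\...,ProxyServer = 82.160.69.2:3128"
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")


@dataclass
class Finding:
    code: str       # HijackThis section, e.g. "R1", "O3"
    severity: str   # "high", "medium" or "low" (editor's own scale)
    reason: str
    line: str


def is_private_address(text: str) -> bool:
    """True for RFC 1918, loopback and link-local IPs or 'localhost'; False otherwise."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return text.strip().lower() == "localhost"
    return addr.is_private or addr.is_loopback or addr.is_link_local


def check_browser_setting(code: str, rest: str, line: str) -> Finding | None:
    """R0/R1 lines: start/search pages and the WinINet proxy setting."""
    key, _, value = rest.partition(" = ")
    setting = key.rsplit(",", 1)[-1]
    if setting == "ProxyServer":
        # Single "host:port" form, as in the log above; a per-protocol list is not handled.
        host = value.rsplit(":", 1)[0]
        if not is_private_address(host):
            return Finding(code, "high", f"system proxy points at external address {value}", line)
        return None
    if value.startswith("http"):
        host = urlparse(value).netloc.lower()
        if not host.startswith(DEFAULT_HOST_PREFIXES):
            return Finding(code, "high", f"{setting} redirected to {host}", line)
    return None


def check_toolbar(code: str, rest: str, line: str) -> Finding | None:
    """O3 lines: a toolbar DLL dropped straight into the Windows folder is unusual."""
    path = rest.rsplit(" - ", 1)[-1]
    folder, _, name = path.rpartition("\\")
    if folder.lower() in ("c:\\windows", "c:\\windows\\system32"):
        return Finding(code, "medium", f"toolbar DLL {name} installed directly under {folder}", line)
    return None


def check_nameserver(code: str, rest: str, line: str) -> Finding | None:
    """O17 lines: DNS servers outside the local network deserve a second look."""
    _, _, value = rest.partition("NameServer = ")
    external = [ip.strip() for ip in value.split(",") if ip.strip() and not is_private_address(ip)]
    if external:
        return Finding(code, "high", f"DNS servers outside the local network: {', '.join(external)}", line)
    return None


def triage(log_text: str) -> list[Finding]:
    """Run every heuristic over the log and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        code, rest = match.groups()
        finding = None
        if code in ("R0", "R1"):
            finding = check_browser_setting(code, rest, line)
        elif code == "O3":
            finding = check_toolbar(code, rest, line)
        elif code == "O17":
            finding = check_nameserver(code, rest, line)
        if finding is None and "(no file)" in rest:
            finding = Finding(code, "low", "entry refers to a file that no longer exists (orphan)", line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```

Run against the sample, the script flags the SearchAssistant redirect and the external proxy as high, the toolbar DLL sitting directly in C:\WINDOWS as medium, and the orphaned O18 protocol handler as low, while the O4 avast! entry and the 10.1.1.x name servers pass. The point of the proxy check in particular is that an R1 ProxyServer entry silently routes every browser request through a third party, which is why a helper treats it as seriously as the visible toolbar.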


#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hi jf3000

Welcome to Geeks to Go :)

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


andrewuk

#3 jf3000 (Topic Starter, New Member, 5 posts)

SmitFraudFix v2.336

Scan done at 3:24:11.53, Thu 14/08/2008
Run from C:\Documents and Settings\ILOVEAIMEEFOREVER\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\totalcmd\Totalcmd.exe
C:\Documents and Settings\ILOVEAIMEEFOREVER\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ILOVEAIMEEFOREVER


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ILOVEA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

[!] Suspicious: vwsrfton.dll
Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC}
TypeLib: {A09DB1D7-43D1-48FA-A240-31FF37AFFBDC}
Interface: {86544E26-4093-43DC-8E53-FDB8DDC5838A}
Classe: vwsrfton.bmaf
Classe: vwsrfton.ToolBar.1


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 10.1.1.1
DNS Server Search Order: 10.1.1.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer=10.1.1.1,10.1.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer=10.1.1.1,10.1.1.4
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer=10.1.1.1,10.1.1.4


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

If you have already downloaded ComboFix, could you delete the current version you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#5 jf3000 (Topic Starter, New Member, 5 posts)

http://support.micro...com/kb/314058.) is dead

#6 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)


http://support.micro...com/kb/314058.) is dead

That would be because of my bad typing :)

Complete instructions redone below (though technically you don't need that link to make this all work; it is just for more information):

If you have already downloaded ComboFix, could you delete the current version you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#7 jf3000 (Topic Starter, New Member, 5 posts)

ComboFix report:

ComboFix 08-08-12.01 - ILOVEAIMEEFOREVER 2008-08-14 3:57:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.632 [GMT 10:00]
Running from: C:\Documents and Settings\ILOVEAIMEEFOREVER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ILOVEAIMEEFOREVER\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\temp.dll
C:\WINDOWS\17PHolmes1597.exe
C:\WINDOWS\BMcbd8c149.txt
C:\WINDOWS\BMcbd8c149.xml
C:\WINDOWS\edpw.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\2.exe
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\blphcn8qj0ene5.scr
C:\WINDOWS\system32\ddcBSJbc.dll
C:\WINDOWS\system32\fdjlugly.dll
C:\WINDOWS\system32\khfDvuRL.dll
C:\WINDOWS\system32\LRuvDfhk.ini
C:\WINDOWS\system32\LRuvDfhk.ini2
C:\WINDOWS\system32\phcn8qj0ene5.bmp
C:\WINDOWS\system32\qdaklmws.ini
C:\WINDOWS\system32\swmlkadq.dll
C:\WINDOWS\system32\uifhqbbx.dll
C:\WINDOWS\system32\uiupyo.dll
C:\WINDOWS\system32\vtUMgeBr.dll
C:\WINDOWS\system32\wfowoffd.dll
C:\WINDOWS\xml2u32h.dll

----- BITS: Possible infected sites -----

http://pornotube8.net
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-14 03:24 . 2008-08-14 03:24 1,252 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-14 03:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-14 03:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-14 03:23 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-14 03:23 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-14 03:23 . 2008-08-11 18:07 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-14 03:23 . 2008-08-09 15:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-14 03:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-14 03:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-14 03:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-14 01:58 . 2008-08-14 01:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 01:23 . 2008-08-14 01:23 91,136 --a------ C:\WINDOWS\system32\bwwwqaex.dll.quaritine
2008-08-14 01:12 . 2008-08-13 19:02 286,720 --a------ C:\WINDOWS\wbqxfpgl.dll
2008-08-14 01:12 . 2008-08-13 19:02 155,648 --a------ C:\WINDOWS\vwsrfton.dll
2008-08-14 01:12 . 2008-08-14 01:12 130,048 --a------ C:\WINDOWS\system32\lphcn8qj0ene5.exe.quaritined
2008-08-14 01:12 . 2008-08-13 19:02 86,016 --a------ C:\WINDOWS\ateqoflr.exe
2008-08-13 18:42 . 2008-08-13 22:21 <DIR> d-------- C:\Program Files\Hunting Unlimited 2009
2008-08-13 17:27 . 2008-08-13 17:27 41,674 --a------ C:\logo.jpg
2008-08-13 13:15 . 2006-10-06 18:43 10,716 --a------ C:\website.sql
2008-08-13 10:29 . 2008-08-14 02:15 <DIR> d-------- C:\Program Files\RSS Submit
2008-08-13 10:26 . 2008-08-13 17:05 0 --a------ C:\index.php
2008-08-13 09:30 . 2008-08-13 09:31 418,790 --a------ C:\electric_wrdp1.sql
2008-08-13 09:01 . 2008-08-13 17:28 <DIR> d-------- C:\mp3
2008-08-12 23:54 . 2008-08-12 23:54 <DIR> d-------- C:\Program Files\Activision
2008-08-10 00:17 . 2008-08-10 00:17 <DIR> d-------- C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\NCH Software
2008-08-10 00:16 . 2008-08-10 00:18 <DIR> d-------- C:\Program Files\NCH Software
2008-08-10 00:16 . 2008-08-10 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-08-09 23:57 . 2008-08-10 01:31 <DIR> d-------- C:\Program Files\particleIllusion_3
2008-08-09 22:46 . 2008-08-09 22:46 32,315 --a------ C:\Alan Hopwood.rtf
2008-08-09 22:44 . 2008-08-09 22:45 65,029,120 --a------ C:\backup.pst
2008-08-08 16:23 . 2008-08-08 16:26 <DIR> d-------- C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\Torrent Episode Downloader
2008-08-08 16:18 . 2008-08-09 03:48 <DIR> d-------- C:\Program Files\Conduit
2008-08-07 13:00 . 2008-08-07 13:00 <DIR> d--h----- C:\lgfolder
2008-08-07 12:46 . 2008-08-07 12:46 <DIR> d-------- C:\Program Files\7-Zip
2008-07-25 20:46 . 2008-07-25 20:46 <DIR> d-------- C:\Program Files\Windows Live
2008-07-19 11:13 . 2008-07-19 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-19 06:58 . 2008-07-19 07:03 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-07-19 06:58 . 2008-08-02 14:28 <DIR> d-------- C:\Program Files\Starry Night Pro Plus 6
2008-07-19 06:56 . 2008-07-19 06:56 <DIR> d--h----- C:\Documents and Settings\ILOVEAIMEEFOREVER\InstallAnywhere
2008-07-19 02:17 . 2008-07-19 02:17 <DIR> d-------- C:\Program Files\Software Bisque
2008-07-14 21:59 . 2008-07-29 07:25 <DIR> d-------- C:\Program Files\Vstep
2008-07-14 09:07 . 2005-01-14 12:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-07-14 05:35 . 2008-07-14 05:35 35,842 --a------ C:\WINDOWS\system32\J80JNES2.exe_
2008-07-14 01:46 . 2008-08-08 12:59 200 --a------ C:\WINDOWS\MPPAGER.INI
2008-07-14 01:28 . 2008-07-14 01:28 35,842 --a------ C:\WINDOWS\system32\J80JNES2.exe.[bleep]off
2008-07-13 20:15 . 2008-07-13 20:40 <DIR> d-------- C:\Program Files\SpaceShuttleMission2007
2008-07-13 11:46 . 2008-06-13 23:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-07-13 11:46 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-13 08:04 . 2008-07-13 08:04 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-13 06:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-13 06:58 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 17:03 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-13 16:58 --------- d-----w C:\Program Files\Common Files\DAZ
2008-08-13 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-08-13 16:20 --------- d-----w C:\Program Files\Common Files\Kodak
2008-08-13 15:27 --------- d-----w C:\Program Files\Google
2008-08-13 15:05 --------- d-----w C:\Program Files\FlashGet
2008-08-13 12:05 --------- d-----w C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\Thinstall
2008-08-12 15:57 --------- d-----w C:\Program Files\flasm
2008-08-12 14:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 13:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 12:50 --------- d-----w C:\Program Files\MSBuild
2008-08-09 11:20 --------- d-----w C:\Program Files\XoftSpySE
2008-08-04 00:06 317,732 ----a-w C:\ProxyList.zip
2008-08-03 23:11 --------- d-----w C:\Program Files\ProxyFinderEnterprise
2008-08-03 23:05 --------- d-----w C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\UseNeXT
2008-07-17 10:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-13 15:14 --------- d-----w C:\Program Files\3GP Player
2008-07-01 12:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2008-06-28 23:47 --------- d-----w C:\Program Files\UseNeXT
2008-06-27 22:16 --------- d-----w C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\Ace
2008-06-26 07:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-23 06:21 --------- d-----w C:\Program Files\Sonalysts Combat Simulations
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 04:58 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-06-17 21:57 --------- d-----w C:\Program Files\skwas
2008-06-17 21:41 --------- d-----w C:\Program Files\SH3 Crush Depth V2
2008-06-16 16:29 --------- d-----w C:\Program Files\Puzzle Quest
2008-06-16 15:53 --------- d-----w C:\Program Files\OpenAL
2008-06-15 14:57 --------- d-----w C:\Program Files\Ubisoft
2008-06-13 21:18 --------- d-----w C:\Program Files\Mio Technology
2008-05-14 12:42 22,328 ----a-w C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\PnkBstrK.sys
2008-02-25 15:24 88,576 ---ha-w C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\rbap550.dll
2008-02-25 15:24 29,184 ---ha-w C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\RBInternetEncodings550.dll
2007-12-17 08:23 1,136,640 ----a-w C:\Program Files\Common Files\ewutils2.dll
2007-11-22 13:39 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-20 09:31 8,524 ---ha-w C:\Program Files\tactile.tdb
2007-01-23 04:07 1,847,296 ----a-w C:\Program Files\mozilla firefox\plugins\Seadragon.dll
2007-12-04 01:34 2 --shatr C:\WINDOWS\winstart.bat
2007-12-04 05:16 8 --sh--r C:\WINDOWS\system32\F84C7AC620.sys
2007-12-04 05:20 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-04 05:43 810,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-04 05:43 55,584 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC}"= "C:\WINDOWS\vwsrfton.dll" [2008-08-13 19:02 155648]

[HKEY_CLASSES_ROOT\clsid\{aba69cf4-20fb-42ce-bb6d-b6171d64b8ec}]
[HKEY_CLASSES_ROOT\vwsrfton.1]
[HKEY_CLASSES_ROOT\TypeLib\{A09DB1D7-43D1-48FA-A240-31FF37AFFBDC}]
[HKEY_CLASSES_ROOT\vwsrfton]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuEjectPC"= 0 (0x0)
"NoInternetIcon"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"= 1 (0x1)
"NoRecycleFiles"= 0 (0x0)
"NoWelcomeScreen"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^ILOVEAIMEEFOREVER^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ILOVEAIMEEFOREVER^Start Menu^Programs^Startup^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTDCH

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 22:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-08-24 03:18 437160 C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-09-01 05:01 1037736 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-02-26 18:53 65024 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"UPS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\MindArk\\Entropia Universe\\ClientLoader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 13:22]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 00:35]
R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2008-01-11 12:13]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 00:37]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 ddsxeiservice;ddsxeiservice;C:\Program Files\sXe Injected\ddsxei.sys []
S3 EWAVE;EWAVE;C:\WINDOWS\system32\drivers\ew.sys []
S3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys []
S3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-12 C:\WINDOWS\Tasks\Pareto UNS.job
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

2008-08-13 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-14 01:43]

2007-07-16 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-14 01:43]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F3A299B7-3318-447F-90A2-20BB11223255} - C:\Documents and Settings\ILOVEAIMEEFOREVER\Local Settings\Temporary Internet Files\Content.IE5\UV5WFJPG\3077htsbdjyf[1].dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ILOVEAIMEEFOREVER\Application Data\Mozilla\Firefox\Profiles\yjjlqsla.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nppsynth.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nproougcplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - C:\WINDOWS\system32\Photosynth\nppsynth.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 04:19:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-14 4:28:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 18:28:54

Pre-Run: 11,595,804,672 bytes free
Post-Run: 11,561,693,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

266 --- E O F --- 2008-07-29 03:44:28


==============

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:32:46, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ILOVEAIMEEFOREVER\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.160.69.2:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC} - C:\WINDOWS\vwsrfton.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} - http://unshaped.paci...u/SpeedCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215895027671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198153022625
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer = 10.1.1.1,10.1.1.4
O18 - Protocol: cdefs - {B5F329B4-2BBD-48F5-ADAF-9EAF2AFE37B3} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5511 bytes
  • 0
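As an added illustration (not part of the thread and not HijackThis code), a small Python triage that applies the same checks a helper makes by eye on the log above: a browser proxy or DNS server outside private address space, a random-named DLL dropped straight into the Windows directory, and entries whose backing file is missing. The vowel-count heuristic and the private-range test are assumptions of this example.

```python
"""Triage heuristics for HijackThis log lines (added example, not the tool's code).
Rules mirror a helper's manual checks: proxy or DNS outside private address
space, a random-named DLL dropped straight into the Windows directory, missing files."""
import ipaddress
import re

# Constructed sample: a subset of the lines quoted in the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.160.69.2:3128
O3 - Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC} - C:\WINDOWS\vwsrfton.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5B32CA-63FC-4501-B5C8-982A4F7C10EA}: NameServer = 10.1.1.1,10.1.1.4
O18 - Protocol: cdefs - {B5F329B4-2BBD-48F5-ADAF-9EAF2AFE37B3} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
"""

def looks_random(stem):
    """Crude gibberish test (assumption): 7+ letters with at most two vowels, e.g. vwsrfton."""
    s = stem.lower()
    return len(s) >= 7 and s.isalpha() and sum(c in "aeiou" for c in s) <= 2

def is_external(host):
    """True unless host is a private or loopback IP; a hostname cannot be proven local."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback)

def triage(log):
    """Return (tag, reason) pairs for lines that deserve a second look."""
    findings = []
    for line in log.strip().splitlines():
        tag = line.split(" - ", 1)[0]
        if "(no file)" in line or "(file missing)" in line:
            findings.append((tag, "entry whose backing file is missing"))
        elif tag == "R1" and "ProxyServer" in line:
            host = line.rsplit("=", 1)[1].strip().split(":")[0]
            if is_external(host):
                findings.append((tag, f"browser proxy points at external host {host}"))
        elif tag in ("O2", "O3"):
            path = line.rsplit(" - ", 1)[1]
            m = re.fullmatch(r"C:\\WINDOWS\\([a-z]+)\.dll", path, re.IGNORECASE)
            if m and looks_random(m.group(1)):
                findings.append((tag, f"random-named DLL in the Windows root: {path}"))
        elif tag == "O17":
            bad = [s.strip() for s in line.rsplit("=", 1)[1].split(",") if is_external(s.strip())]
            if bad:
                findings.append((tag, f"DNS servers outside private ranges: {bad}"))
    return findings
```

On the sample above it flags the R1 proxy, the O3 toolbar, the O18 handler and the Crypkey service, and leaves the avast service and the 10.1.1.x name servers alone.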

#8
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
In this post we will update your Java and remove the malware that I can see:

====STEP 1====
Clearing the Java cache:
There is a nice set of instructions at http://www.java.com/.../5000020300.xml

  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel and then the Java Control Panel will appear.
  • Click Settings under Temporary Internet Files and the Temporary Files Settings dialog box appears.
  • Click Delete Files and the Delete Temporary Files dialog box appears.
  • Make sure all three boxes are ticked: Downloaded Applets, Downloaded Applications and Other Files and then Click OK on Delete Temporary Files window. Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
====STEP 2====

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 3====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\WINDOWS\system32\bwwwqaex.dll.quaritine
C:\WINDOWS\wbqxfpgl.dll
C:\WINDOWS\vwsrfton.dll
C:\WINDOWS\system32\lphcn8qj0ene5.exe.quaritined
C:\WINDOWS\ateqoflr.exe
C:\WINDOWS\system32\J80JNES2.exe_


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC}"=-
[-HKEY_CLASSES_ROOT\CLSID\{ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdefs]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0
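As an added example (not ComboFix's code and not from the post above), a dry-run reader that turns a CFScript into the list of deletions it requests, so the script can be reviewed before it is dragged onto ComboFix.exe. It assumes Registry:: lines follow .reg file semantics and that KILLALL:: means stopping running processes before the fix.

```python
"""Dry-run reader for a ComboFix CFScript (added example, not ComboFix's own code).
Lists the file and registry changes a script requests for review before it is handed
to ComboFix. Assumes .reg semantics for Registry:: ([-KEY] deletes a key, "name"=- a value)."""

# Constructed sample: a shortened copy of the CFScript in the post above.
CFSCRIPT = r"""
KILLALL::
File::
C:\WINDOWS\system32\bwwwqaex.dll.quaritine
C:\WINDOWS\vwsrfton.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC}"=-
[-HKEY_CLASSES_ROOT\CLSID\{ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC}]
"""

def plan(script):
    """Return (actions, problems); actions are (verb, target) tuples in script order."""
    actions, problems = [], []
    section, current_key = None, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                    # section header, e.g. File::
            section, current_key = line[:-2], None
            if section == "KILLALL":               # assumed meaning: stop running processes first
                actions.append(("kill-processes", "*"))
        elif section == "File":
            if not (len(line) > 2 and line[1:3] == ":\\"):
                problems.append(f"File entry is not an absolute path: {line}")
            actions.append(("delete-file", line))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete-key", line[2:-1]))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]           # later "name"=- lines belong to this key
            elif line.endswith("=-"):
                name = line[:-2].strip('"')
                if current_key is None:
                    problems.append(f"value deletion outside a key: {line}")
                else:
                    actions.append(("delete-value", current_key + "\\" + name))
            else:
                problems.append(f"unrecognised Registry line: {line}")
        else:
            problems.append(f"line outside a known section: {line}")
    return actions, problems
```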

#9
jf3000
    New Member
  • Topic Starter
  • Member
  • 5 posts
Hey Andrew, I followed your prompts and it killed Windows. I repaired Windows instead of reinstalling because there was data that needed to be backed up. Thanks for your help.
  • 0

#10
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Hmm... odd. At what step did it kill Windows?
  • 0

#11
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





