Virus - please help me [RESOLVED]


  • This topic is locked

#1
sun123 (Member, 17 posts)
Please help me :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:29, on 17.8.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\ctffmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\spolsvs.exe
C:\WINDOWS\system32\dlllhosts.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wincom.exe
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\winlogins.exe
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6403C6F0-62D4-4741-8453-20445135DD21} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: (no name) - {C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail
O4 - HKLM\..\Run: [Microsoft Windows Express] Microsoft Update
O4 - HKLM\..\Run: [Windows Services] dllhost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Express] Microsoft Update
O4 - HKLM\..\RunOnce: [pscheck] C:\WINDOWS\system32\psps2.exe
O4 - HKLM\..\RunOnce: [pscheck2] C:\WINDOWS\system32\gps.exe
O4 - HKLM\..\RunOnce: [pscheck3] C:\WINDOWS\system32\gic.exe
O4 - HKLM\..\RunOnce: [pscheck4] C:\WINDOWS\system32\winst.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Pošlji v OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: P&ošlji v OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF7A9836-1EB1-4650-ADD2-0EDA72D9CEB3}: NameServer = 193.189.160.23 193.189.160.13
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: xxyabcBq - xxyabcBq.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8730 bytes

Edited by sun123, 20 August 2008 - 07:44 AM.

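The log above is what the helper reads by eye in the replies that follow; as an added example (not from the thread and not part of HijackThis), here is a small Python triage script that applies two of the checks a responder makes on such a log: process names that are near-miss lookalikes of core Windows binaries (lsasss.exe, cssrss.exe, winlogins.exe, spolsvs.exe, dlllhosts.exe, ctffmon.exe) and O4 autorun entries whose command is a bare name with no path. The allowlist of system binaries and the edit-distance tolerance are assumptions; the sample input is an excerpt copied from the log above.

```python
"""Flag lookalike process names and pathless O4 autoruns in a HijackThis log."""
import re

# Core Windows binaries that malware imitates with one-letter typos
# (assumption: an illustrative list, not an exhaustive one).
KNOWN_SYSTEM_BINARIES = [
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "dllhost.exe", "ctfmon.exe",
]

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(filename):
    """Return the real binary that `filename` imitates, or None. At most one
    edit per three characters of the real name is allowed, so 'lsasss' matches
    'lsass' while 'nbservice' (Nero's service) does not match 'services'."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    stem = name.rsplit(".", 1)[0]
    for known in KNOWN_SYSTEM_BINARIES:
        kstem = known.rsplit(".", 1)[0]
        if levenshtein(stem, kstem) <= max(1, len(kstem) // 3):
            return known
    return None

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

def triage(log_text):
    """Return (category, detail) findings for one HijackThis log."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            real = lookalike_of(line.rsplit("\\", 1)[-1])
            if real:
                findings.append(("lookalike-process", f"{line} resembles {real}"))
        else:
            m = O4_RE.match(line)
            # Legitimate autoruns carry a full path; a bare name is resolved via
            # the search path and is a classic place to hide a dropped binary.
            if m and "\\" not in m.group("cmd"):
                findings.append(("pathless-autorun", f"[{m.group('label')}] {m.group('cmd')}"))
    return findings

# Excerpt copied from the HijackThis log posted above (constructed sample input).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ctffmon.exe
C:\WINDOWS\system32\spolsvs.exe
C:\WINDOWS\system32\dlllhosts.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\winlogins.exe
C:\WINDOWS\system32\cssrss.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Windows Express] Microsoft Update
O4 - HKLM\..\Run: [Windows Services] dllhost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Express] Microsoft Update
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

The lookalike check is only a triage aid: a name that passes it (wincom.exe, winlog.exe's sibling here) still needs the path, signer and parent process checked, which is what the later ComboFix script in this thread does by hand.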

#2
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, and sorry for the delay. I would like a deeper look at your system.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3
sun123 (Topic Starter, Member, 17 posts)
Hi...thank you for helping me :)

Attached File  OTScanIt.Txt   261.29KB   182 downloads

#4
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hmm, quite a few to kill there.

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Microsoft Windows Express -> [Microsoft Update]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> xxyabcBq -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YY -> HKEY_CURRENT_USER\: URLSearchHooks\\{b5146c40-189a-4311-bda9-fbae3e023187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Multi_Media\tbMult.dll [Multi Media Toolbar]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1659004503-1614895754-839522115-1003\] > -> 
YY -> HKEY_USERS\S-1-5-21-1659004503-1614895754-839522115-1003\: URLSearchHooks\\{b5146c40-189a-4311-bda9-fbae3e023187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Multi_Media\tbMult.dll [Multi Media Toolbar]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {b5146c40-189a-4311-bda9-fbae3e023187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Multi_Media\tbMult.dll [Multi Media Toolbar]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {b5146c40-189a-4311-bda9-fbae3e023187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Multi_Media\tbMult.dll [Multi Media Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\{B5146C40-189A-4311-BDA9-FBAE3E023187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Multi_Media\tbMult.dll [Multi Media Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1659004503-1614895754-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1659004503-1614895754-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\{B5146C40-189A-4311-BDA9-FBAE3E023187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Multi_Media\tbMult.dll [Multi Media Toolbar]
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
YN -> FunWebProducts -> 
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\efcaYpnM -> 
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\winmng.exe -> %SystemRoot%\system32\winmng.exe [C:\WINDOWS\system32\winmng.exe:*:Enabled:Emule]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\wins\sor\WinSrv.exe -> %SystemRoot%\system32\wins\sor\WinSrv.exe [C:\WINDOWS\system32\wins\sor\WinSrv.exe:*:Enabled:Emule]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\System\win32.exe -> %CommonProgramFiles%\System\win32.exe [C:\Program Files\Common Files\System\win32.exe:*:Enabled:Windows Update]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\AMD~1.AMD\LOCALS~1\Temp\vasxvjs.exe -> %UserProfile%\Local Settings\Temp\vasxvjs.exe [C:\DOCUME~1\AMD~1.AMD\LOCALS~1\Temp\vasxvjs.exe:*:Enabled:Windows Update]
[Files/Folders - Created Within 90 days]
NY -> awtusppN.dll -> %SystemRoot%\System32\awtusppN.dll
NY -> cbXPgfeE.dll -> %SystemRoot%\System32\cbXPgfeE.dll
NY -> cbXQKAtQ.dll -> %SystemRoot%\System32\cbXQKAtQ.dll
NY -> dPrass.dll -> %SystemRoot%\System32\dPrass.dll
NY -> khfDvuTK.dll -> %SystemRoot%\System32\khfDvuTK.dll
NY -> khfGaBut.dll -> %SystemRoot%\System32\khfGaBut.dll
NY -> ljJAtTJY.dll -> %SystemRoot%\System32\ljJAtTJY.dll
NY -> nnnnKBUo.dll -> %SystemRoot%\System32\nnnnKBUo.dll
NY -> pmnkhhHy.dll -> %SystemRoot%\System32\pmnkhhHy.dll
NY -> urqNheFY.dll -> %SystemRoot%\System32\urqNheFY.dll
NY -> xxyYPgFu.dll -> %SystemRoot%\System32\xxyYPgFu.dll
NY -> idkwotbbq.exe -> %SystemRoot%\idkwotbbq.exe
NY -> loli.exe -> %SystemRoot%\loli.exe
NY -> winudpmgr.exe -> %SystemRoot%\winudpmgr.exe
[Files/Folders - Modified Within 90 days]
NY -> dPrass.dll -> %SystemRoot%\System32\dPrass.dll
NY -> gic.exe -> %SystemRoot%\System32\gic.exe
NY -> imon1.dat -> %SystemRoot%\System32\imon1.dat
NY -> inseml13.exe -> %SystemRoot%\System32\inseml13.exe
NY -> inspspfiles8.exe -> %SystemRoot%\System32\inspspfiles8.exe
NY -> MnpYacfe.ini -> %SystemRoot%\System32\MnpYacfe.ini
NY -> MnpYacfe.ini2 -> %SystemRoot%\System32\MnpYacfe.ini2
NY -> loli.exe -> %SystemRoot%\loli.exe
NY -> eraseme_16407.exe -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\eraseme_16407.exe
NY -> eraseme_25372.exe -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\eraseme_25372.exe
NY -> eraseme_60342.exe -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\eraseme_60342.exe
NY -> eraseme_88125.exe -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\eraseme_88125.exe
NY -> msnsearch.exe -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\msnsearch.exe
NY -> xrvwyymg.exe -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\xrvwyymg.exe
NY -> SIntfNT.dll -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\SIntfNT.dll
NY -> DIFxAPI.dll -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\CDM\{C9B8608D-E7A7-4088-BB14-FDFC7E696F58}\DIFxAPI.dll
NY -> DETemp384Gd78Sjke78Jks75.dat -> C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\DETemp384Gd78Sjke78Jks75.dat
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Logs required: OTScanit report, MBAM and a new HijackThis log. Plus how is your computer now?

#5
sun123 (Topic Starter, Member, 17 posts)
Attached File  mbam_log_08_22_2008__19_42_24_.txt   6.1KB   66 downloads

Attached File  08222008_191638.txt   18.83KB   101 downloads

I started OTScanIt... I clicked the Run Fix button... and then some window opened with the text OTScanIt-Bad picture... This was the only problem I encountered while performing the steps.

I hope you understand my english :)

I think the computer is now a little bit faster than before, but I want to know what this is (look at the attachment)... what is this "log off AMD" (odjavi AMD)?
And when I double-click with the left mouse button I must try several times before I can open a folder...

Attached images: AMD.JPG, install_en.JPG

Edited by sun123, 22 August 2008 - 12:20 PM.


#6
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi again, there is no problem with your English, I can understand it :)

OTScanit fix worked OK.

Reference the AMD folder - if you do not know why it is there then delete it.

One more scan should clear most of the remainder.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. It is imperative that you install this as it will enable a system recovery in the event of problems.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#7
sun123 (Topic Starter, Member, 17 posts)
Attached File  hijackthis_2.txt   6.71KB   63 downloads

Attached File  Combo_Fix_log.txt   14.13KB   71 downloads

#8
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
You have some old infections which I will now remove.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
r_server
Wincach 
NetLogonss

File::
C:\WINDOWS\system32\pstart.exe.New
C:\WINDOWS\system32\otherT1.exe.New
C:\WINDOWS\system32\RDpak.exe.New
C:\WINDOWS\system32\inspspfiles9.exe
C:\WINDOWS\system32\dlllhosts.exe
C:\WINDOWS\system32\wincom.exe
C:\WINDOWS\system32\spolsvs.exe
C:\WINDOWS\winudp.exe

Folder::
C:\Program Files\Multi_Media
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Could you let me know how your computer is running on completion of this fix?

#9
sun123 (Topic Starter, Member, 17 posts)
Hi :)

Computer is not slow anymore... running nice :)
But now I can't open the Mozilla browser - "The Firefox is running, but does not communicate with the system. To open a new window you must close the Firefox process or reboot your system again." Always the same message even when I reboot again.

Attached File  Combo_Fix2_log.txt   17.22KB   96 downloads

Attached File  hijackthis_3.txt   6.64KB   70 downloads

Edited by sun123, 22 August 2008 - 04:33 PM.


#10
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
My fault, let's restore it :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DeQuarantine:: 
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt

#11
sun123 (Topic Starter, Member, 17 posts)
Hm... still the same message opens: "The Firefox is running, but does not communicate with the system. To open a new window you must close the Firefox process or reboot your system again." Always the same message even when I reboot again.

Attached File  Combo_Fix3.txt   11.09KB   107 downloads

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, it was not me that did that then. Phew...

It may be that the malware corrupted your Firefox installation and its removal stopped it working properly. Could you re-install Firefox and let me know the result.

Meanwhile I will remove my tools.

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done


Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#13
sun123 (Topic Starter, Member, 17 posts)
I re-installed Firefox... but I get the same message again. :)

#14
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Did you uninstall and then reinstall Firefox, or just install over the top?

#15
sun123 (Topic Starter, Member, 17 posts)
I did the uninstall and then the reinstall.