
RE GreyKnight Pre .. VirusRemover 2008 problem [Solved]


  • This topic is locked

#151
fenzodahl512

  • Malware Removal
  • 9,863 posts
Delete ComboFix from the computer if any and download a fresh one from below.. Run it and post the log here..

Link 1
Link 2
Link 3


  • 0



#152
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

The business I run is NOT a pyramid.. It offers copies of DVDs on how anyone can market their business on the internet, whatever their business.

The virus only seemed to have attacked the index.html pages and I could see the malware code that I did post in the other thread... I have removed the pages affected by this.

I also have several other websites ( not all business ones ) and these were affected too...

I am however put off with running ANY type of website that has any sort of opt-in form asking for anyone's details (name and email) to send them further information by what's known as an autoresponder, as I have now been informed that it's virtually impossible to stop anyone who opts in to this form from sending the code to my site again and again...

SO unless there is some way to stop this happening, it seems a pointless exercise.

I was given some info and a website on how to try and control it, BUT it seems a LOT of extra work and time in trying to do it without any guarantees..

It's just far too easy for the hackers / virus creators to destroy websites.. and antivirus / firewalls don't work on websites NOR do the host companies seem to have any way to prevent attacks... so the ODDS are not in my favour!

-----------------------------------------------------------------------



2. your website indeed contains malware.. That's the reason you keep getting infected after we clean the computer up before..

If you need a website for business purpose, it is better for you to start again from scratch.. And be sure your site contains legitimate business..

Edited by dowsp, 26 March 2009 - 03:51 PM.

  • 0

#153
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

I PM'd the Combo log to you.

I ran combo and just as it was starting it detected Avira and indicated that I needed to disable it before I continued running combo.

I HAD not been aware that it was working even though I had seen it do some updates from a few days ago that, if I recall, I mentioned to you... BUT I could not open it...

I don't know if it had been working before I ran combo... BUT I am pleased to say that it is NOW!

I can open it OK....

I keep my fingers crossed that it may have resolved my problem.

Thank you

Pete

Edited by dowsp, 26 March 2009 - 04:38 PM.

  • 0

#154
fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\SYSTEM32\ptlx55.dat.{5728B11F-B697-47AA-9C1B-8ECB545B5193}
c:\windows\WVS_InstDBLogFile.csv
c:\windows\SYSTEM32\1825017301.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dee7640-277e-11dd-ae2c-000e50f2f029}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
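A way to read through a CFScript like the one in the post above before it is dragged onto ComboFix, added here as an example and not part of the original thread or of ComboFix: it splits the script into its `Name::` sections and lists which Image File Execution Options (IFEO) entries the `Registry::` block deletes. The section layout and the `[-key]` delete form are assumed from the post as shown; the function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the CFScript layout from the post.
SAMPLE_CFSCRIPT = r"""KillAll::

File::
c:\windows\WVS_InstDBLogFile.csv
c:\windows\SYSTEM32\1825017301.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dee7640-277e-11dd-ae2c-000e50f2f029}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")   # e.g. "File::" (form assumed from the post)
KEY_DELETE_RE = re.compile(r"^\[-(.+)\]$")    # "[-key]" = delete key, as in .reg files
# Path compared case-insensitively; a raw string cannot end in a backslash.
IFEO = r"software\microsoft\windows nt\currentversion\image file execution options" + "\\"


def parse_cfscript(text):
    """Split the script into {section name: [entries]} in order of appearance."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line {lineno}: entry appears before any section header")
        else:
            sections[current].append(line)
    return sections


def review_cfscript(text):
    """Summarise what the script removes so it can be read before it is run."""
    sections = parse_cfscript(text)
    report = {"files": list(sections.get("File", [])),
              "ifeo_images": [], "other_keys": [], "unrecognised": []}
    for entry in sections.get("Registry", []):
        deletion = KEY_DELETE_RE.match(entry)
        if not deletion:
            report["unrecognised"].append(entry)   # not a key deletion: read by hand
            continue
        key = deletion.group(1)
        hive, _, subkey = key.partition("\\")
        image = subkey[len(IFEO):]
        # An IFEO subkey is named after a program; its Debugger value, if set,
        # is launched by Windows in place of that program.
        if (hive.upper() == "HKEY_LOCAL_MACHINE" and subkey.lower().startswith(IFEO)
                and image and "\\" not in image):
            report["ifeo_images"].append(image)
        else:
            report["other_keys"].append(key)
    return report


if __name__ == "__main__":
    for name, items in review_cfscript(SAMPLE_CFSCRIPT).items():
        print(f"{name}: {items}")
```

Anything that lands in `other_keys` or `unrecognised` is outside the IFEO clean-up and is worth reading line by line before the script is used.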

#155
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

When I try and drag the CFScript.txt file into the Combofix icon, Should it automatically start Combofix ?

I thought that the previous times I had done this that IT did start automatically.

BUT When I tried it just now, IT shows a box where I have to click run... instead in order to start it..

I note that instead of the CFScript file disappearing into the combo fix that it is still showing.

I will rerun it when I try it again if it shows the Box again asking me to click run..

But I am concerned it may not have worked correctly.. so If there is some sort of an error, and I have to run it again later ....I will need your comments and then I will need to re check what I have done..
  • 0

#156
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

I created the notepad CFScript.txt file and dragged it into the combofix icon and I had to click on run to start it.

I sent the Log by PM to you..

I hope that it was OK..
  • 0

#157
dowsp

  • Topic Starter
  • Member
  • 543 posts
After my computer restarted after the combofix scan,

I just checked and the CFScript.txt log is no longer showing, so I assume that it did work ok.
  • 0

#158
dowsp

  • Topic Starter
  • Member
  • 543 posts
Sorry I almost forgot to do and send a hijack this log..


here it is ....
----------------------------------------------------------------------------



  • 0

#159
fenzodahl512

  • Malware Removal
  • 9,863 posts
Delete your version of Dr.Web CureIt if any and then do below..


Please download AVPTool by Kaspersky and save it to your desktop.
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double click the setup file to run and install it.
  • By default it will install to your Desktop (as Kaspersky Lab Tool folder)
  • A Kaspersky Virus Removal Tool window will open. There will be a tab that says Automatic Scan.
  • Under Automatic Scan make sure these are checked.
    • [1.] System Memory
      [2.] Startup Objects
      [3.] Disk Boot Sectors.
      [4.] My Computer.
      [5.] Also any other drives (Removable that you may have)
  • After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
  • Then choose OK again then you are back to the main screen.
  • Then click on Scan button.
  • It will automatically Neutralize any objects found.
  • If some objects are left unneutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done click on the Report button at the bottom and save it to file name as Kas.
  • Save it somewhere convenient like your Desktop and just post only the detected Virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.
  • When you close the AVPTool, you will be asked to uninstall the program.. Choose Yes..

  • 0

#160
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

I will do in the next hour...

I also did a full scan with Avira earlier and it found and deleted just 2 viruses.
  • 0



#161
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

I attempted to do the Kaspersky Scan, and it seems to be taking a VERY long time..

I am not sure how long you would expect it to take , but after 3 hrs it had only done 31% of the scan.
At this rate it will take me another 9 hours to complete.

I just want to check on something in case I have done something wrong..

when you say ..... click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.

I noted that there were two other boxes already ticked. The lower box is probably correctly ticked but I am not sure about the one above that I think was Enable rootkit search.....

I wonder when I click on Enable Deep rootkit search, if I should untick the Enable rootkit search option.

Also roughly How long would you expect the scan to take.

When selecting the My computer option... I can also select C drive as a 5th option...

But as this is already in the my computer option, there is no need.

The 31% scan so far seems to be mainly My documents and settings with most seeming so far my documents.

This did find 3 viruses which I've deleted.


I am wondering if possible if I could try and select other certain files to scan within my C drive
such as windows / program files etc and avoid the my documents for now as I think overall these have been scanned many times with all the AVs I have used.

This is only if it's going to take me at least another 3 hrs just to get through the my doc files...
when I scan again....

Then if the next scan has been done in a reasonable time , I may rescan the My doc files later.

[1.] System Memory
[2.] Startup Objects
[3.] Disk Boot Sectors.
[4.] My Computer.

I may have to redo it tomorrow or over the weekend or next week as I may be away over the weekend.

thank you

Dowsp



------------------------------------------------------------------------------------------------------

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.
Then click on Scan button.
  • 0

#162
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please complete the scan, then post the result here.. And tell me about your computer condition.. We should be almost finished by now.. :)
  • 0

#163
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

I eventually managed to do a complete run AVPTool by Kaspersky and it did not find any further viruses...

It did find 3 viruses when I did an earlier partial scan the first time and deleted them.

What is frustrating me now though , Is I have had my Avira AV detect another virus threat but It is not the same as that I had last time...

PLEASE NOTE : I HAVE ALSO NOT visited my website since directly... or clicked on any of the pages that had been or were targeted..

I have only been within it to delete it and any of the code that I could find on the index pages and I have not
opened up any of those index pages since deleting them.


I am not sure if I have actually got the virus or if Avira is blocking it... as every now and then I get Avira pop up
detecting the threat..

Having said that IT does suggest that the virus is in my "C" System Volume Information folder...
BUT It says that Action Performed .... Deny Access. Last time this was shown when I had that last virus and I tried to delete it, it took me to another page with only 3 options and one of these options was again selected as deny access again.. when clicked Ok, I went on to have a major problem.

THIS VIRUS is titled as TR / Trash Gen trojan

When Avira detected it when it popped up, I was not doing anything at the time other than looking at the screen...
ie I had not just clicked on a page ..

The 2nd time my firewall detected something that I was unsure about as I am not very familiar with it as yet.
I have had some Firewalls that continue to show the same messages and they can become annoying.
I am not always sure what I should click or if they are sometimes too sensitive.. I need to get used to
PC tools firewall.

It said Antivirus system tray tool is attempting to modify the memory of the AV control centre....

Maybe it broke through the firewall. BUT when Avira AV says DENY access I am not sure if this prevented the virus from doing any damage...

What does seem to have happened is a lot of my folders shown in MY COMPUTER Folder seem to have been a bit messed up... Some folders including the System Volume Information folder is a separate folder to any of the other main folders and some are showing as being faded out... ( I don't know if this is how it should be but I never noticed this before) I thought the SYS VOL INFO folder had been within another folder..

Also I noted in the Windows folder there are Numerous files titled similar to C:\WINDOWS\$NtUninstallKB893756$

and there's a lot of Log files.... There are a fair few normal folders, but I seem to recall there had also been a lot
of individual files and they no longer seem to be there to the extent they had been.
They may have moved into some of the folders, I don't really know for sure...


I have not or wont rerun Avira again until I get your feedback on what I should do if it shows Deny access again.
  • 0

#164
fenzodahl512

  • Malware Removal
  • 9,863 posts

Having said that IT does suggest that the virus is in my "C" System Volume Information folder...
BUT It says that Action Performed ....

That's from your System Restore.. Do below...

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous Restore Points which are likely to be infected)
To create a new Restore Point.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK. This will flush your old System Restore.
  • Then please UNCHECK the Turn off System Restore.
  • Click again on Apply, and then click OK. This will create a new Restore Point
System Restore will now be active again



Also I noted in the Windows folder there are Numerous files titled similar to C:\WINDOWS\$NtUninstallKB893756$


Those folders are legit.. Associated with your Windows update.. Don't touch them..
  • 0

#165
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

Thanks for the feedback on my concerns / problems..

I will try it and see how it runs for a day or so..

It will be a relief if the machine avoids any further infection as
I don't know if I could handle it if it came back / reactivated or I catch another virus

Would there be anything else you suggest I still need to do too?

Cheers Dowsp
  • 0





