
Can't Run .exe Files on Vista (Malware Infection) [Solved]


  • This topic is locked

#1 jhedrixz (Member, 11 posts)
My sister was just playing the Facebook game Yoville and an Adobe Flash installer popped up to update it; she downloaded and opened it. The next thing I knew, my computer could not run any .exe files, not even regedit or my AVG antivirus, and the icons of my programs have changed. I can only run Firefox. When I run an exe file a pop-up box shows (cannot load rom <fake nes./mcs>), that is what I remember.

I tried scanning with the Kaspersky online scanner today; it found 2 infections and I deleted the files (sorry, I forgot to save the log file). And yet the problem still persists. After I deleted them I tried running any program, and the pop-up window changed to (Open with - IE), or opening the Task Manager says (Application not found). I may have worsened the problem.

My suspicion is that it is the Koobface virus.

Thank you in advance!

#2 jhedrixz (Topic Starter, Member, 11 posts)
I just read a post with the same problem from torthing (here is the URL: http://www.geekstogo...un-t249418.html ). I followed Essexboy's advice, downloaded the Kill (AVZ Antiviral Toolkit) and it did run and found some viruses or worms. After I restarted, it hadn't fixed the problem.

I've attached here the log files virusinfo_syscure.zip, virusinfo_syscheck.zip and virusinfo_cure.zip.

Attached files: virusinfo_syscure.zip (24.48KB), virusinfo_syscheck.zip (23.12KB), virusinfo_cure.zip (6.81KB)

I hope this adds some info. I still can't run my .exe files and I do not know what to do next. Thanks!

#3 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to cf.com. This name is important and must be exactly as I have given it to you here, including the .com file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program, look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running, its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#4 jhedrixz (Topic Starter, Member, 11 posts)
Hello Dave!!

Thank you for the response.

The first scan you want me to perform would not work. When I right-click on the program icon, I can't find "Run as administrator", and double-clicking it prompts me with "run with" (an IE icon is in the box). Same problem with the other exe files.

I read the instructions for ComboFix and there is an instruction to turn off the antivirus software. I have AVG 8.5 and it won't let me turn off the Resident Shield when I try saving the settings. The prompt says "This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel".

Is it alright to run ComboFix? I haven't tried it yet.

Thanks

#5 jhedrixz (Topic Starter, Member, 11 posts)
I tried downloading ComboFix. I can change the file name to cf.com but I can't change the "Save as type" to "All files".

#6 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)

    jhedrixz wrote: I can't change the "Save as type" to "All files".

What do you mean by this? Is the box greyed out? What happens when you try?

Download FixSwen to your desktop. Right-click on it and select Install; it will make some changes to your registry. Nothing will appear to happen, this is normal.

Once you've done that, try GMER and CF again. If you are still unable to disable AVG, go ahead and run it with AVG active.

Cheers,
Dave

#7 jhedrixz (Topic Starter, Member, 11 posts)

    jhedrixz wrote: I can't change the "Save as type" to "All files".

    Transience wrote: What do you mean by this? Is the box greyed out? What happens when you try?


From your ComboFix guide, the first step is changing its file name to cf.com, and on the "Save as type" bar there is no drop-down menu. It's just an empty box and it won't drop down; the box is greyed out and turns blue when I click it. After downloading, I tried running the program but it won't work. It still asks with an "Open with" prompt, with an IE icon in the box inside the prompt.

Sorry I can't give you any pictures for the details. I still can't open any programs such as Paint.

I installed FixSwen and tried running GMER and ComboFix, but to no avail. It won't allow me to run them.

Thanks

#8 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Delete any copies of ComboFix you have now as well as the folders C:\ComboFix and C:\Qoobox if they exist. Then try this:

Please download and save vistaexefix.reg to your desktop. Once it's saved, double-click on this .reg file and answer Yes when asked if you would like to merge it with the registry.

Once that's done, please download and save a fresh copy of ComboFix named cf.exe if you are still unable to change the file extension. Then try to run it as detailed above and let me know how that goes.

Cheers,
Dave

Edited by Transience, 20 September 2009 - 07:50 AM.

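A way to verify that kind of fix and to produce an equivalent restore file, as an added example written for this thread (it is not vistaexefix.reg or FixSwen, and the default registry values it assumes are the standard Vista ones, not taken from this page):

```python
"""Check whether the .exe association is still hijacked and render a .reg that restores it.

Added example for this thread: it is not vistaexefix.reg, FixSwen or any other
tool linked above. The default values below are the standard Windows Vista
ones from memory, not values taken from the page.
"""
import sys

ROOTS = {"HKCR": "HKEY_CLASSES_ROOT", "HKCU": "HKEY_CURRENT_USER"}

# Default (unnamed) values a clean Vista install has for running .exe files.
EXPECTED = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCR\exefile\shell\runas\command": '"%1" %*',
}

# Per-user override that Explorer consults before HKCR. It normally does not
# exist for .exe; when it does, the Progid it names wins over exefile, which is
# how an "Open with" dialog ends up in front of every program.
USERCHOICE = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
              r"\FileExts\.exe\UserChoice")


def assess(values):
    """Compare observed registry values with the defaults.

    values maps a key path to the value that matters for it (the default value
    for EXPECTED keys, the 'Progid' value for USERCHOICE), or to None when the
    key or value is absent. Returns a list of findings; empty means intact.
    """
    findings = []
    for key, expected in EXPECTED.items():
        actual = values.get(key)
        if actual is None:
            findings.append(f"{key}: missing, expected {expected!r}")
        elif actual.strip().lower() != expected.lower():
            findings.append(f"{key}: {actual!r}, expected {expected!r}")
    progid = values.get(USERCHOICE)
    if progid is not None:
        findings.append(f"{USERCHOICE}: Progid={progid!r} overrides exefile")
    return findings


def _reg_quote(text):
    """Escape a string for a .reg value: backslashes and double quotes."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def render_fix_reg():
    """Text of a .reg file that restores EXPECTED and deletes the UserChoice
    override (a leading '-' on a key line tells regedit to delete the key)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, value in EXPECTED.items():
        root, _, sub = key.partition("\\")
        lines += [f"[{ROOTS[root]}\\{sub}]", f'@="{_reg_quote(value)}"', ""]
    root, _, sub = USERCHOICE.partition("\\")
    lines += [f"[-{ROOTS[root]}\\{sub}]", ""]
    return "\r\n".join(lines)


def read_live():
    """Read the same values from the running system (Windows only)."""
    import winreg  # standard library, but only present on Windows
    hives = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKCU": winreg.HKEY_CURRENT_USER}
    values = {}
    for key in list(EXPECTED) + [USERCHOICE]:
        root, _, sub = key.partition("\\")
        name = "Progid" if key == USERCHOICE else ""  # "" selects the default value
        try:
            with winreg.OpenKey(hives[root], sub) as handle:
                values[key] = str(winreg.QueryValueEx(handle, name)[0])
        except OSError:
            values[key] = None
    return values


# Constructed sample (not from the page) showing the symptom in this thread:
# the open verb points at a stray binary and a per-user Progid routes .exe
# files to the HTML handler, so Explorer offers "Open with" and an IE icon.
HIJACKED_SAMPLE = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": r'"C:\Users\user\AppData\Local\Temp\sample.exe" "%1" %*',
    r"HKCR\exefile\shell\runas\command": '"%1" %*',
    USERCHOICE: "htmlfile",
}

if __name__ == "__main__":
    values = read_live() if sys.platform == "win32" else HIJACKED_SAMPLE
    for line in assess(values) or ["exe association looks intact"]:
        print(line)
    print(render_fix_reg())
```

On a machine where regedit itself no longer launches, the rendered text still has to be merged by a working copy of regedit or by reg.exe, which is why the helper above renames tools to .com first.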

#9 jhedrixz (Topic Starter, Member, 11 posts)
When I run vistaexefix.reg, an error message prompts when I choose Yes: "cannot import, Error opening the file. There maybe a disk or file system error"

Thanks

#10 jhedrixz (Topic Starter, Member, 11 posts)
Hi Dave,

I downloaded an exe registry fix from the net and it fixed the problem; now I can run exe files. I ran GMER but there's an error halfway through the scan. ComboFix ran perfectly, but the AVG antivirus was still detected as running, even though I had already turned it off.

Thanks

Here is the log of CF:


ComboFix 09-09-18.02 - Michael T. Jadie 09/21/2009 9:06.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.63.1033.18.1014.361 [GMT -10:00]
Running from: c:\users\Michael T. Jadie\Desktop\cf.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\$recycle.bin\S-1-5-21-2383898078-223146835-1332443675-500
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\users\MICHAE~1.JAD\FAVORI~1\Download programs.url
c:\users\MICHAE~1.JAD\FAVORI~1\EscapeRosecliffIslandSetup.exe
c:\users\MICHAE~1.JAD\FAVORI~1\Translator.url
c:\users\MICHAE~1.JAD\FAVORI~1\Videos.url
c:\users\Michael T. Jadie\AppData\Roaming\.#
c:\users\Michael T. Jadie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Download programs.url
c:\users\Michael T. Jadie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Translator.url
c:\users\Michael T. Jadie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Videos.url
c:\users\Michael T. Jadie\Favorites\Download programs.url
c:\users\Michael T. Jadie\Favorites\EscapeRosecliffIslandSetup.exe
c:\users\Michael T. Jadie\Favorites\Translator.url
c:\users\Michael T. Jadie\Favorites\Videos.url

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-17 21:49 . 2009-09-17 21:49 -------- d-sh--w- c:\windows\system32\%APPDATA%
2009-09-16 18:34 . 2009-09-16 18:34 -------- d-----w- c:\program files\IAHGames
2009-09-10 00:23 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-10 00:23 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-10 00:23 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-10 00:23 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-10 00:23 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-10 00:23 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-10 00:23 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-10 00:23 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-10 00:23 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-10 00:23 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-10 00:19 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-10 00:19 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-10 00:19 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-10 00:18 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-10 00:18 . 2009-06-10 12:11 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-07 02:30 . 2009-09-07 02:30 -------- d-----w- c:\users\Michael T. Jadie\tom
2009-09-06 02:01 . 2009-09-06 02:01 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\Many Years Ago
2009-09-05 03:15 . 2009-09-05 03:15 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\ERS G-Studio
2009-09-03 17:14 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 17:14 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-31 21:33 . 2009-08-31 21:33 -------- d-----w- c:\program files\Tumblebugs 2
2009-08-30 17:10 . 2009-08-30 17:10 -------- d-----w- c:\programdata\Total Gameplay
2009-08-29 23:31 . 2009-08-29 23:31 -------- d-----w- c:\program files\Conduit
2009-08-29 23:31 . 2009-08-29 23:31 -------- d-----w- c:\program files\MyPlayCity
2009-08-29 06:21 . 2009-08-29 06:21 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-08-29 06:20 . 2009-08-29 06:20 -------- d-----w- c:\users\Michael T. Jadie\AppData\Local\Downloaded Installations
2009-08-29 06:20 . 2009-08-29 06:20 -------- d-----w- c:\program files\Sony
2009-08-29 06:20 . 2009-08-29 06:20 -------- d-----w- c:\programdata\Sony Corporation
2009-08-27 18:10 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 20:01 . 2009-08-25 20:01 -------- d-----w- c:\users\Michael T. Jadie\AppData\Local\Apple Computer
2009-08-25 08:30 . 2009-08-25 08:30 -------- d-----w- C:\Patriot Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 18:42 . 2008-08-02 07:39 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-17 18:28 . 2008-08-09 05:40 -------- d-----w- c:\programdata\Yahoo! Companion
2009-09-17 16:58 . 2009-08-06 00:58 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\DMCache
2009-09-15 21:31 . 2009-05-08 21:59 -------- d-----w- c:\program files\Warcraft III
2009-09-15 19:25 . 2009-05-08 20:06 -------- d-----w- c:\program files\Garena
2009-09-14 08:59 . 2008-05-20 01:44 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\LimeWire
2009-09-10 18:07 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-06 08:13 . 2008-04-03 01:32 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\mIRC
2009-09-02 08:52 . 2009-07-15 11:24 -------- d-----w- c:\program files\Yahoo!
2009-09-02 07:31 . 2008-08-08 08:45 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\Yahoo!
2009-09-02 07:31 . 2008-01-24 22:59 -------- d-----w- c:\programdata\Yahoo!
2009-08-31 21:52 . 2009-03-09 00:46 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\Wildfire
2009-08-30 05:04 . 2009-07-21 07:35 -------- d-----w- c:\program files\Camfrog
2009-08-29 19:31 . 2009-06-28 19:04 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-08-29 06:21 . 2009-07-11 20:42 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\Sony
2009-08-29 06:18 . 2009-07-11 19:52 -------- d-----w- c:\program files\Sony Setup
2009-08-27 05:05 . 2008-05-17 02:24 -------- d-----w- c:\program files\LimeWire
2009-08-25 08:09 . 2008-07-08 23:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-25 08:08 . 2009-08-07 00:18 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\My Games
2009-08-15 23:53 . 2009-08-15 23:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2009-08-15 23:45 . 2009-08-15 23:45 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-08-15 23:45 . 2009-08-15 23:45 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2009-08-15 23:45 . 2009-08-15 23:45 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-08-15 19:21 . 2009-01-29 19:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 19:21 . 2008-06-12 19:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 19:21 . 2008-06-12 19:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 06:47 . 2009-08-14 06:47 -------- d-----w- c:\programdata\BVRP Software
2009-08-10 23:48 . 2009-07-21 07:36 -------- d-----w- c:\users\Michael T. Jadie\AppData\Roaming\Camfrog
2009-08-06 21:00 . 2008-01-04 06:47 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\AVG7
2009-08-06 03:14 . 2008-05-17 02:53 -------- d-----w- c:\program files\Java
2009-08-06 03:02 . 2009-06-29 02:52 -------- d-----w- c:\program files\Virtual Villagers Halloween Edition
2009-08-06 02:58 . 2009-08-06 02:58 -------- d-----w- c:\program files\VS Revo Group
2009-07-26 14:49 . 2009-07-26 14:49 -------- d-----w- c:\program files\Virtual Villagers - The Secret City
2009-07-21 21:52 . 2009-07-29 23:13 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 23:13 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 23:13 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 23:13 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-18 05:10 . 2009-07-18 05:10 213 ----a-w- C:\UnInstall.dat
2009-07-17 14:35 . 2009-08-13 14:47 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-13 14:47 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-13 14:47 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-13 14:47 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-13 14:46 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2000-06-09 01:00 . 2007-02-23 01:07 93040 --sha-r- c:\windows\ConfigSetRoot\COMMAND.COM
2001-05-16 02:57 . 2007-02-23 01:07 116736 --sha-r- c:\windows\ConfigSetRoot\IO.SYS
2001-04-07 21:40 . 2007-02-23 01:07 9 --sha-r- c:\windows\ConfigSetRoot\MSDOS.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-03-19 1267040]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2009-01-21 1881112]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2009-01-21 01:11 1881112 ----a-w- c:\program files\MyPlayCity\tbMyPl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 19:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2009-01-21 1881112]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2009-01-21 1881112]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8D0DE677-5B47-41C5-9878-439A0D7DE49C}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{4A673F88-F751-468B-9239-D30FC2BDD045}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{343ED1C9-1C76-4FCC-AC37-E0BA4F856E35}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{924DEB12-3ABD-486D-AADD-44D508E7BC67}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{E8149655-7407-4C17-8419-AD8BCC21830F}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{EEF38018-1FD3-4951-B7F0-050FB8EF9FD2}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{3052AD80-A660-42C5-AB89-9DB56B3BD985}"= UDP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"TCP Query User{8BBBBFBD-1124-46B5-A852-01FDBCF3AA8C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{79E7E64E-BDEA-4463-BDE5-E126BD576031}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{F1FE3A91-4168-422B-A5A4-5D653E6AE076}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{2B7C3E0D-412B-4EAC-BBA2-E673F85AE7B8}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{857FA409-0EC7-4D35-B151-BACDE219FD50}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{94A34731-B30E-476C-8E04-F48C2884007A}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{A4529135-6277-4B7E-AE45-CE11430BBD72}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{81B03AE9-091A-4830-88C3-59E5032A1E0D}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{D574B8F5-035A-40A8-819F-AD2501FF6AC6}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{370B4AF8-5767-4E46-B868-4F31CA12AAB6}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{FAFBB08C-C33B-47F1-8A6D-34CE257382FF}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{BD5C76C8-BF13-48DC-BDCE-AD7AFD7C61BD}c:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"UDP Query User{676D51C9-47E7-421E-8ECB-362E9878F57F}c:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"TCP Query User{743087BA-5FAB-4629-B7A1-FEC19F6D9078}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{91CEC756-839A-480F-A0EA-870D5F166756}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{EFF8D234-29D8-4C77-B013-B11A6D1D310B}c:\\users\\michael t. jadie\\appdata\\local\\temp\\rar$ex00.444\\bookwormdeluxe(trymediafix)\\bookwormdeluxe(trymediafix)\\bwd-kfgd63.exe"= UDP:c:\users\michael t. jadie\appdata\local\temp\rar$ex00.444\bookwormdeluxe(trymediafix)\bookwormdeluxe(trymediafix)\bwd-kfgd63.exe:bwd-kfgd63.exe
"UDP Query User{52E3E398-9920-4BEC-83A0-E6D2E08F4012}c:\\users\\michael t. jadie\\appdata\\local\\temp\\rar$ex00.444\\bookwormdeluxe(trymediafix)\\bookwormdeluxe(trymediafix)\\bwd-kfgd63.exe"= TCP:c:\users\michael t. jadie\appdata\local\temp\rar$ex00.444\bookwormdeluxe(trymediafix)\bookwormdeluxe(trymediafix)\bwd-kfgd63.exe:bwd-kfgd63.exe
"TCP Query User{ABFABA4B-2366-4919-9EB4-9FEFA2E6EB16}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{E3EC9099-AD60-4F41-86D1-48C1F61BD44C}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{151BB86F-0FC1-44E4-9A5A-2909A87E0D52}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{0AB17D3B-64E5-4290-8E9C-6991DDA48216}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"TCP Query User{57933F45-E9FF-4E23-90A4-BE9D8256505F}c:\\users\\michael t. jadie\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:c:\users\michael t. jadie\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{748D0A76-2F06-450E-BD00-0EFDD3D66B80}c:\\users\\michael t. jadie\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:c:\users\michael t. jadie\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"TCP Query User{7116C929-8084-4F11-995B-D784EC441EC1}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{077289F9-2935-4643-B42D-C413EF7B5D05}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{329DFCDD-072B-4FB0-B7E4-2FAE836B9B34}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{5116BEE2-DA1A-4D84-AB28-92D27B0580BE}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{1ACD39B1-BDE0-4441-8F75-F4B7EBAC9930}c:\\program files\\garena\\garena.exe"= UDP:c:\program files\garena\garena.exe:Garena
"UDP Query User{7A92826D-234D-4415-B73E-DA20974DBB25}c:\\program files\\garena\\garena.exe"= TCP:c:\program files\garena\garena.exe:Garena
"TCP Query User{2E2C262A-F679-466F-8501-91068ECCDD7B}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{1588836F-AB76-4C09-A468-6E32CA40BA06}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{541E546D-4C3F-467E-858D-492CAC143622}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{B8F62570-B5F9-4F6C-8B92-F253A69F650A}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"TCP Query User{23167526-B477-497E-9192-3FE540CC4200}c:\\program files\\sony ericsson\\update service\\update service.exe"= UDP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"UDP Query User{11880AAB-7591-46D8-B19F-2D63AAF7457E}c:\\program files\\sony ericsson\\update service\\update service.exe"= TCP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"TCP Query User{CDF64906-C0DC-4E01-8AE5-CC0786C9DBB2}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{3C30317A-B1A3-4517-A9D6-17543F5D2D59}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{0F1A7053-4B62-4ACB-84B9-10A2F6C2DA48}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{D90FFA9A-A188-4E90-BE68-A654D2A84883}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{21AF8B5E-ED36-411A-9A6B-7A6E355A4FDE}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{1D9CE6C1-0DDB-476A-BF18-238457B6E5E0}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [6/12/2008 9:31 AM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 9:16 AM 297752]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 12:25 AM 2589184]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\System32\drivers\ggflt.sys [8/15/2009 1:45 PM 13224]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\System32\drivers\s0016bus.sys [8/13/2009 8:27 PM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\System32\drivers\s0016mdfl.sys [8/13/2009 8:27 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\System32\drivers\s0016mdm.sys [8/13/2009 8:27 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s0016mgmt.sys [8/13/2009 8:27 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\System32\drivers\s0016nd5.sys [8/13/2009 8:27 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\System32\drivers\s0016obex.sys [8/13/2009 8:27 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\System32\drivers\s0016unic.sys [8/13/2009 8:27 PM 115752]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\System32\drivers\s115bus.sys [4/23/2007 1:54 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\System32\drivers\s115mdfl.sys [4/23/2007 1:54 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\System32\drivers\s115mdm.sys [4/23/2007 1:54 PM 108680]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\System32\drivers\s115obex.sys [4/23/2007 1:54 PM 98568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\User_Feed_Synchronization-{C64B20C9-D506-48EF-8F31-DC6F5476DCBB}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ph.yahoo.com
mStart Page = hxxp://ph.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://aa.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ph.yahoo.com
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Converter... - f:\amvconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - f:\mediamanager\grab.html
TCP: {E8699370-86D2-4BBE-A73D-3979843737BD} = 202.138.128.50,202.138.128.2
FF - ProfilePath - c:\users\Michael T. Jadie\AppData\Roaming\Mozilla\Firefox\Profiles\ffk3fa9p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://ph.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\MICHAE~1.JAD\AppData\Local\Temp\WJDF6FB.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3969667037-2662496139-1359730812-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):2a,03,35,fb,c2,ec,a5,de,71,2f,4c,92,eb,17,40,ab,c3,03,d7,ad,74,
11,01,20,c9,62,25,78,cc,4f,ab,be,f1,51,87,d7,45,64,e8,72,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-3969667037-2662496139-1359730812-1000_Classes\CLSID\{ac82a3c7-1e13-407e-b77d-65616477c76b}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000f6
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,44,8c,5f,f2,7f,3b,b5,cc,f0,c7,5f,3b,1d,12,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-09-21 9:18
ComboFix-quarantined-files.txt 2009-09-21 19:18

Pre-Run: 24,047,943,680 bytes free
Post-Run: 23,861,293,056 bytes free

328 --- E O F --- 2009-09-18 16:44
  • 0
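One entry in the ComboFix log above stands out to anyone who reads these logs for a living: the GarenaPEngine service whose ImagePath points at a .tmp file under the user's local Temp folder, a location no legitimate service binary should be started from. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses the two layouts ComboFix uses for service entries, the `S3 name;description;path [date size]` driver lines and the `[HKLM\...\Services\name]` block followed by an ImagePath value, and flags binaries that live in user-writable locations. The sample log is constructed from lines copied from this thread; the heuristics are the example's own, not a ComboFix rule set.

```python
import re

# Constructed sample in ComboFix's layout: two driver lines and the
# GarenaPEngine service block, all copied from the log in this thread.
SAMPLE_LOG = r"""
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\System32\drivers\s115bus.sys [4/23/2007 1:54 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\System32\drivers\s115mdfl.sys [4/23/2007 1:54 PM 15112]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\MICHAE~1.JAD\AppData\Local\Temp\WJDF6FB.tmp"
"""

# "S3 name;description;path [date size]" lines from the driver/service list
DRIVER_LINE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+?)\s+\[[^\]]*\]\s*$")
# "[HKLM\system\ControlSetNNN\Services\<name>]" header of a registry block
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\controlset\d+\\services\\([^\\\]]+)\]$", re.I)
# the ImagePath value that follows such a header
IMAGE_PATH = re.compile(r'^"ImagePath"="(.*)"\s*$', re.I)


def suspicious_reasons(image_path):
    """Heuristics (this example's own, not ComboFix's): reasons a service
    binary's location looks wrong. Returns an empty list for a normal path."""
    path = image_path.lower().replace("\\??\\", "").strip('"')
    reasons = []
    if "\\temp\\" in path:
        reasons.append("binary lives under a Temp directory")
    elif "\\users\\" in path or "\\documents and settings\\" in path:
        reasons.append("binary lives in a user profile")
    if path.endswith(".tmp"):
        reasons.append("binary has a .tmp extension")
    return reasons


def parse_services(log_text):
    """Yield (service_name, image_path) pairs from both ComboFix layouts."""
    pending = None  # service name whose ImagePath line we are waiting for
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DRIVER_LINE.match(line)
        if m:
            yield m.group(1).strip(), m.group(2).strip()
            continue
        m = SERVICE_KEY.match(line)
        if m:
            pending = m.group(1)
            continue
        m = IMAGE_PATH.match(line)
        if m and pending:
            yield pending, m.group(1)
            pending = None


def find_suspicious_services(log_text):
    """Return one finding per service whose ImagePath trips a heuristic."""
    findings = []
    for name, path in parse_services(log_text):
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append({"service": name, "image_path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_LOG):
        print(f["service"], "->", f["image_path"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, only GarenaPEngine is reported (Temp directory plus .tmp extension); the Sony Ericsson drivers under System32\drivers pass. The same two regexes work on a full ComboFix log pasted into a file, which is the realistic input.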

#11
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Looking better, glad that worked; let's run some final checks.

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC
  • Please download TFC to your desktop.
  • Save any work, then close all open windows.
  • Double-click TFC to run it, and allow the process to complete, which should not take more than a couple minutes.
  • You may or may not be prompted to reboot, if you are click "Yes" and allow the computer to reboot.
  • Close TFC when it has completed.
2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Double-click (Vista users please right-click Run as Administrator) on mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way :).

- Dave
  • 0

#12
jhedrixz

jhedrixz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Dave!

Sorry for the late reply. I've been busy at work..
I downloaded Malwarebytes from CNET, and when I tried running it (Run as administrator)
an error prompt appeared: "The setup files are corrupted. Please obtain a new copy of the program". I tried re-downloading the file from CNET, but to no avail.

Thanks
  • 0

#13
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Quick heads-up for you before we continue:

I see you're using or have in the past used p2p software such as LimeWire. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision whether or not you use p2p programs; you don't have to remove them to be deemed clean, and I'll still give you help if you want to keep them. It's just important that you're aware of the risks. If you want to continue using p2p programs, that's fine with me; all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (it's Programs and Features in Vista) menu of your Control Panel.

Don't worry about MBAM for the moment; go ahead with Kaspersky.

Cheers,
Dave
  • 0

#14
jhedrixz

jhedrixz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Dave!

Here are the log results from the Kaspersky online scan.

Thanks

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, September 27, 2009
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 27, 2009 10:11:16
Records in database: 2927598
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
E:\

Scan statistics:
Objects scanned: 109660
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 03:24:22


File name / Threat / Threats count
C:\Users\Michael T. Jadie\Desktop\Infected\2009-09-17\avz00001.dta Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Users\Michael T. Jadie\Documents\dar\ARISP II-MIke-HTC files\PROGS\mbeam41.zip Infected: Virus.DOS.VCL.Crapper 3

Selected area has been scanned.
  • 0

#15
jhedrixz

jhedrixz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I finally got MBAM running; here are the scan log results.

But it didn't find the infected files from Kaspersky.

Thanks


Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 6.0.6001 Service Pack 1

9/28/2009 12:45:34 AM
mbam-log-2009-09-28 (00-45-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210557
Time elapsed: 1 hour(s), 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Tumblebugs 2\Uninstall.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Users\Michael T. Jadie\Desktop\Game Installer\ReflexivePatch2009\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
  • 0
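When two scanners report different things, as the Kaspersky and MBAM logs above do, it helps to reduce the MBAM log to counts per threat family and per action, and to check that the totals in its header block match the items actually listed (a log that was cut short when pasted shows up as a mismatch). The Python script below is an added example, not code from this thread or from Malwarebytes; it parses the `location (Family) -> action.` lines of a 1.x-style MBAM log. The sample is a constructed excerpt of the log above with its totals adjusted to the subset, one user path replaced by a placeholder, and one action changed to "Delete on reboot" so the pending-reboot check has something to find.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the MBAM 1.41 log above: a subset of its
# lines with the totals adjusted to match, one path replaced by a placeholder,
# and one action changed to "Delete on reboot" to exercise that check.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2865

Registry Keys Infected: 3
Registry Values Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Tumblebugs 2\Uninstall.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Users\EXAMPLE_USER\Desktop\FFF-ReflexV2.exe (Trojan.Backdoor) -> Delete on reboot.
"""

SUMMARY_LINE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # totals in the header block
SECTION_HEADER = re.compile(r"^([A-Za-z ]+ Infected):$")       # start of a listing section
DETECTION_LINE = re.compile(r"^(.*) \(([^()]+)\) -> (.*)\.$")  # location (Family) -> action.


def parse_mbam_log(text):
    """Return (totals, detections): totals maps a section name to the count in
    the header block; each detection has section, location, family and action."""
    totals, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SUMMARY_LINE.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_HEADER.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_LINE.match(line)
        if m and section:
            detections.append({"section": section, "location": m.group(1),
                               "family": m.group(2), "action": m.group(3)})
    return totals, detections


def summarize(text):
    totals, detections = parse_mbam_log(text)
    per_section = Counter(d["section"] for d in detections)
    # Items deferred to reboot are the ones to re-check after the restart.
    pending = [d["location"] for d in detections if "reboot" in d["action"].lower()]
    # A header total that differs from the listed items means a truncated or
    # edited log, so flag it rather than trust the totals.
    mismatches = {s: (n, per_section.get(s, 0))
                  for s, n in totals.items() if n != per_section.get(s, 0)}
    return {
        "by_family": dict(Counter(d["family"] for d in detections)),
        "by_action": dict(Counter(d["action"] for d in detections)),
        "pending_reboot": pending,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MBAM_LOG).items():
        print(key, value)
```

On the sample this yields two Adware.MyWebSearch keys and one each of Trojan.Vundo, Spyware.OnlineGames and Trojan.Backdoor, one item pending reboot and no total mismatches; the family counts are what you would compare against the Kaspersky report, which names its detections differently.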





