im having trouble getting rid of Generic.Bot.H
Started by
yahudi
, Apr 10 2010 11:47 AM
#1
Posted 10 April 2010 - 11:47 AM
yahudi
-
- Member
-
- 6 posts
New Member
#2
Posted 13 April 2010 - 12:17 AM
RKinner
-
- Expert
-
- 24,624 posts
Malware Expert
We prefer that you work through the Malware Removal Guide at the top of the forum
http://www.geekstogo...uide-t2852.html
but I can advise you to do the following:
Copy the text between the lines of stars by highlighting and Ctrl + c.
******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f
**********************************************************************
Start, Run, cmd, OK to bring up a new Command Prompt window. Rightclick and select Paste and the above text should appear. Make sure you got it all and then hit Enter.
Close the Command Prompt window.
Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.
* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
You might also want to install AutoRun Eater v2.4
http://oldmcdonald.w...orun-eater-v24/
It will stay resident and prevent USB drives from infecting your PC.
It would be wise to work through the guide and post your logs just to make sure we got it all.
Ron
http://www.geekstogo...uide-t2852.html
but I can advise you to do the following:
Copy the text between the lines of stars by highlighting and Ctrl + c.
******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f
**********************************************************************
Start, Run, cmd, OK to bring up a new Command Prompt window. Rightclick and select Paste and the above text should appear. Make sure you got it all and then hit Enter.
Close the Command Prompt window.
Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.
* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
You might also want to install AutoRun Eater v2.4
http://oldmcdonald.w...orun-eater-v24/
It will stay resident and prevent USB drives from infecting your PC.
It would be wise to work through the guide and post your logs just to make sure we got it all.
Ron
#3
Posted 13 April 2010 - 09:46 PM
yahudi
- Topic Starter
-
- Member
-
- 6 posts
New Member
hello, thank you for responding.
i followed yr advice, downloaded Flash_Disinfector.exe & AutoRun Eater v2.4 & followed the instructions you gave me. i also scanned my pc with Malwarebytes again & posted the log below:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
4/13/2010 7:42:41 PM
mbam-log-2010-04-13 (19-42-41).txt
Scan type: Full scan (C:\|D:\|J:\|)
Objects scanned: 175846
Time elapsed: 41 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{23kln5j0-4opm-11we-aax5-24ef1f387232} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{23kln5j0-4opm-11we-aax5-24ef1f387232} (Backdoor.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
im not sure if its useful but i also ran the GMER Rootkit Scanner as well just in case:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 20:07:59
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pwldypob.sys
---- System - GMER 1.0.15 ----
SSDT 821F96D0 ZwConnectPort
SSDT 822207B0 ZwOpenProcess
SSDT 821FD240 ZwOpenThread
---- Kernel code sections - GMER 1.0.15 ----
? lyfp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 01224832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01149315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 0133DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0133E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 0133DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0133DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 0133DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 0133E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 0133DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0121DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 01224832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01149315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 0133DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0133E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 0133DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 0121DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 01181CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0133DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 0133DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 0133E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 0133DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0122488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\ie8\spuninst\iecustom.dll 58464 bytes executable
File C:\WINDOWS\ie8\spuninst\spuninst.exe 231456 bytes executable
File C:\WINDOWS\ie8\spuninst\spuninst.exe.manifest 781 bytes
File C:\WINDOWS\ie8\spuninst\spuninst.inf 433251 bytes
File C:\WINDOWS\ie8\spuninst\spuninst.txt 10950 bytes
File C:\WINDOWS\ie8\spuninst\updspapi.dll
i followed yr advice, downloaded Flash_Disinfector.exe & AutoRun Eater v2.4 & followed the instructions you gave me. i also scanned my pc with Malwarebytes again & posted the log below:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
4/13/2010 7:42:41 PM
mbam-log-2010-04-13 (19-42-41).txt
Scan type: Full scan (C:\|D:\|J:\|)
Objects scanned: 175846
Time elapsed: 41 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{23kln5j0-4opm-11we-aax5-24ef1f387232} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{23kln5j0-4opm-11we-aax5-24ef1f387232} (Backdoor.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
im not sure if its useful but i also ran the GMER Rootkit Scanner as well just in case:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 20:07:59
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pwldypob.sys
---- System - GMER 1.0.15 ----
SSDT 821F96D0 ZwConnectPort
SSDT 822207B0 ZwOpenProcess
SSDT 821FD240 ZwOpenThread
---- Kernel code sections - GMER 1.0.15 ----
? lyfp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 01224832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01149315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 0133DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0133E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 0133DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0133DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 0133DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 0133E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2472] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 0133DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0121DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 01224832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01149315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 0133DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0133E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 0133DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 0121DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 01181CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0133DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 0133DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 0133E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 0133DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0122488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\ie8\spuninst\iecustom.dll 58464 bytes executable
File C:\WINDOWS\ie8\spuninst\spuninst.exe 231456 bytes executable
File C:\WINDOWS\ie8\spuninst\spuninst.exe.manifest 781 bytes
File C:\WINDOWS\ie8\spuninst\spuninst.inf 433251 bytes
File C:\WINDOWS\ie8\spuninst\spuninst.txt 10950 bytes
File C:\WINDOWS\ie8\spuninst\updspapi.dll
#4
Posted 13 April 2010 - 11:44 PM
RKinner
-
- Expert
-
- 24,624 posts
Malware Expert
Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:
:!: It must be saved to your desktop, do not run it :!:
:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html
Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Doubleclick on george to start the program.
* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.
Re-activate your protection programs at this time :!:
Ron
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:
:!: It must be saved to your desktop, do not run it :!:
:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html
Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Doubleclick on george to start the program.
* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.
Re-activate your protection programs at this time :!:
Ron
#5
Posted 17 April 2010 - 11:17 AM
yahudi
- Topic Starter
-
- Member
-
- 6 posts
New Member
hi, i couldn't disable the Norton Antivirus following the instructions on the link. although im on a administrator account it apparently doesn't have the authority to change the settings. i also tried to change it on safe mode but wasnt able to. despite that i still ran "george" & here is the log:
ComboFix 10-04-15.05 - Compaq_Owner_3 04/17/2010 9:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.176 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner_3\Desktop\george.exe.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\k-1-3542-4232123213-7676767-8888886
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.
2010-04-14 07:33 . 2010-04-14 07:45 -------- d-----w- c:\windows\system32\Adobe
2010-04-08 18:30 . 2010-04-17 15:51 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:31 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 16:02 . 2005-01-29 18:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-14 05:33 . 2010-01-10 18:39 966 ----a-w- c:\documents and settings\Compaq_Owner_3\Application Data\wklnhst.dat
2010-04-14 01:20 . 2010-01-18 20:12 117760 ----a-w- c:\documents and settings\Compaq_Owner_3\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-10 19:12 . 2009-10-10 17:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-07 06:09 . 2010-01-10 19:00 35704 ----a-w- c:\documents and settings\Compaq_Owner_3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 02:46 . 2009-12-13 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 21:17 . 2009-09-30 16:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-03-31 20:15 . 2009-11-22 17:21 -------- d-----w- c:\program files\Common Files\Ahead
2010-03-31 18:27 . 2010-01-18 17:25 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-12-13 17:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-12-13 17:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 16:11 . 2009-12-13 17:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-04 23:01 . 2003-03-19 04:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-03-04 23:01 . 2003-03-19 03:14 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-03-04 23:01 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-03-03 20:24 . 2010-03-03 20:20 -------- d-----w- c:\documents and settings\Compaq_Owner_3\Application Data\Ahead
2010-03-03 20:17 . 2010-03-03 20:17 -------- d-----w- c:\program files\Nero
2010-02-27 23:14 . 2010-02-27 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-27 23:14 . 2010-02-27 23:14 -------- d-----w- c:\documents and settings\Compaq_Owner_3\Application Data\NCH Swift Sound
2010-02-26 16:39 . 2010-02-26 16:39 -------- d-----w- c:\documents and settings\Compaq_Owner_3\Application Data\ArcSoft
2010-02-04 05:04 . 2009-10-07 22:18 35704 ----a-w- c:\documents and settings\Jellybean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-06-06 18:16 . 2009-09-30 15:39 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-30 198160]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-09-30 100056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-1-29 45056]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2009-9-30 73728]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 66632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-16 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2004-08-31 19:54]
2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{9EBE4621-524D-408D-A373-A4E39A2AD6CF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 09:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\cscui.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-04-17 09:15:33
ComboFix-quarantined-files.txt 2010-04-17 16:15
Pre-Run: 48,173,494,272 bytes free
Post-Run: 48,138,022,912 bytes free
- - End Of File - - 1D7B7283098289B24D8A27149EBA321A
ComboFix 10-04-15.05 - Compaq_Owner_3 04/17/2010 9:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.176 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner_3\Desktop\george.exe.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\k-1-3542-4232123213-7676767-8888886
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.
2010-04-14 07:33 . 2010-04-14 07:45 -------- d-----w- c:\windows\system32\Adobe
2010-04-08 18:30 . 2010-04-17 15:51 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:31 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 16:02 . 2005-01-29 18:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-14 05:33 . 2010-01-10 18:39 966 ----a-w- c:\documents and settings\Compaq_Owner_3\Application Data\wklnhst.dat
2010-04-14 01:20 . 2010-01-18 20:12 117760 ----a-w- c:\documents and settings\Compaq_Owner_3\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-10 19:12 . 2009-10-10 17:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-07 06:09 . 2010-01-10 19:00 35704 ----a-w- c:\documents and settings\Compaq_Owner_3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 02:46 . 2009-12-13 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 21:17 . 2009-09-30 16:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-03-31 20:15 . 2009-11-22 17:21 -------- d-----w- c:\program files\Common Files\Ahead
2010-03-31 18:27 . 2010-01-18 17:25 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-12-13 17:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-12-13 17:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 16:11 . 2009-12-13 17:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-04 23:01 . 2003-03-19 04:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-03-04 23:01 . 2003-03-19 03:14 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-03-04 23:01 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-03-03 20:24 . 2010-03-03 20:20 -------- d-----w- c:\documents and settings\Compaq_Owner_3\Application Data\Ahead
2010-03-03 20:17 . 2010-03-03 20:17 -------- d-----w- c:\program files\Nero
2010-02-27 23:14 . 2010-02-27 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-27 23:14 . 2010-02-27 23:14 -------- d-----w- c:\documents and settings\Compaq_Owner_3\Application Data\NCH Swift Sound
2010-02-26 16:39 . 2010-02-26 16:39 -------- d-----w- c:\documents and settings\Compaq_Owner_3\Application Data\ArcSoft
2010-02-04 05:04 . 2009-10-07 22:18 35704 ----a-w- c:\documents and settings\Jellybean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-06-06 18:16 . 2009-09-30 15:39 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-30 198160]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-09-30 100056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-1-29 45056]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2009-9-30 73728]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 66632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-16 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2004-08-31 19:54]
2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{9EBE4621-524D-408D-A373-A4E39A2AD6CF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 09:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\cscui.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-04-17 09:15:33
ComboFix-quarantined-files.txt 2010-04-17 16:15
Pre-Run: 48,173,494,272 bytes free
Post-Run: 48,138,022,912 bytes free
- - End Of File - - 1D7B7283098289B24D8A27149EBA321A
#6
Posted 17 April 2010 - 04:06 PM
RKinner
-
- Expert
-
- 24,624 posts
Malware Expert
Logs look good. Any sign of the bug?
We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f
I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html
If windows blocks the active x then try putting Bitdefender in your trusted sites: In IE, Tool, Internet Options, Security, Trusted Sites, Sites. Then uncheck the HTTPS box and put in *.bitdefender.com then ADD. OK.
Ron
We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f
I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html
If windows blocks the active x then try putting Bitdefender in your trusted sites: In IE, Tool, Internet Options, Security, Trusted Sites, Sites. Then uncheck the HTTPS box and put in *.bitdefender.com then ADD. OK.
Ron
#7
Posted 18 April 2010 - 03:29 PM
yahudi
- Topic Starter
-
- Member
-
- 6 posts
New Member
i think the BitDefender scanner has gotten rid of it:
BitDefender Online Scanner
Scan path: C:\Documents and Settings\Jellybean\My Documents;C:\Documents and Settings\Compaq_Owner_3\My Documents;C:\Documents and Settings\All Users\Documents;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;
Statistics
Time
01:17:35
Files
245300
Folders
6370
Boot Sectors
0
Archives
14331
Packed Files
12256
Results
Identified Viruses
1
Infected Files
1
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
1
Engines Info
Virus Definitions
5664666
Engine build
AVCORE v2.1 Windows/i386 11.0.0.33 (Feb 25 2010)
Scan plugins
17
Archive plugins
44
Unpack plugins
8
E-mail plugins
6
System plugins
4
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
J:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe
Infected with: Worm.Generic.79426
J:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe
Deleted
I greatly appreciate you helping me, thank you very much!
BitDefender Online Scanner
Scan path: C:\Documents and Settings\Jellybean\My Documents;C:\Documents and Settings\Compaq_Owner_3\My Documents;C:\Documents and Settings\All Users\Documents;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;
Statistics
Time
01:17:35
Files
245300
Folders
6370
Boot Sectors
0
Archives
14331
Packed Files
12256
Results
Identified Viruses
1
Infected Files
1
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
1
Engines Info
Virus Definitions
5664666
Engine build
AVCORE v2.1 Windows/i386 11.0.0.33 (Feb 25 2010)
Scan plugins
17
Archive plugins
44
Unpack plugins
8
E-mail plugins
6
System plugins
4
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
J:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe
Infected with: Worm.Generic.79426
J:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe
Deleted
I greatly appreciate you helping me, thank you very much!
#8
Posted 18 April 2010 - 10:32 PM
RKinner
-
- Expert
-
- 24,624 posts
Malware Expert
Looks like it found an infected USB drive.
You might want to install autorun eater v2.4 to protect your computer from infected USB drives.
http://oldmcdonald.w...orun-eater-v24/
You may not have the latest Java (6 update20). Get the latest at:
http://www.java.com/...nload/index.jsp
Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
lso make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html
It's a small program that will sit in your systray and warn you if something tries to make changes to your system.
If your current antivirus is not a paid up subscription you should dump it and install the free Avast
http://www.avast.com...avast-home.html
You can delete or uninstall any of the tools we had you download and return your system to its original state.
To delete Combofix and its associates folders:
Start, Run, cmd, OK and then type:
"%userprofile%\Desktop\george.exe" /Uninstall
Ron
You might want to install autorun eater v2.4 to protect your computer from infected USB drives.
http://oldmcdonald.w...orun-eater-v24/
You may not have the latest Java (6 update20). Get the latest at:
http://www.java.com/...nload/index.jsp
Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
lso make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html
It's a small program that will sit in your systray and warn you if something tries to make changes to your system.
If your current antivirus is not a paid up subscription you should dump it and install the free Avast
http://www.avast.com...avast-home.html
You can delete or uninstall any of the tools we had you download and return your system to its original state.
To delete Combofix and its associates folders:
Start, Run, cmd, OK and then type:
"%userprofile%\Desktop\george.exe" /Uninstall
Ron
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
