Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Redirect and Permission issues [Closed]


  • This topic is locked This topic is locked

#16
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Was able to update definitions and run a Quick Scan:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator :: MARK-DESKTOP [administrator]

1/7/2012 10:00:01 PM
mbam-log-2012-01-07 (22-00-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192833
Time elapsed: 14 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Still not able to open, copy, move, or delete OTL.exe
  • 0

Advertisements


#17
myrti

myrti

    Expert

  • Expert
  • 2,580 posts
Hi,

yes please do the following:
Please download GrantPerms.zip
http://download.blee.../GrantPerms.zip
and save it to your desktop.
Rightclick on the file and Extract All then right click on GrantPerms.exe and Run As Admin.
Copy and paste the following in the edit box:

c:\Documents and Settings\Administrator\Desktop\dnx825h5.exe
c:\Documents and Settings\Administrator\Desktop\OTL.exe
c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\WINDOWS\$NtUninstallKB58471$\2859774444

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

You should now be able to rename OTL.

regards myrti
  • 0

#18
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Ran a Full Scan of Malwarebytes - Log below: Found 37

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator :: MARK-DESKTOP [administrator]

1/7/2012 10:25:16 PM
mbam-log-2012-01-08 (08-04-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360708
Time elapsed: 2 hour(s), 26 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 37
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\9\75536489-7240911d (Trojan.Agent.PE3) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Backdoor.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] (Backdoor.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\c_72346.nl_.vir (Backdoor.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP319\A0025566.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP320\A0025579.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP320\A0026579.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP320\A0026598.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP323\A0026652.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP324\A0026663.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP324\A0027663.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP327\A0027749.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP327\A0028749.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP331\A0028844.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP332\A0028860.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP332\A0028877.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP333\A0028885.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP333\A0029885.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP334\A0029898.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP335\A0029906.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP341\A0030021.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP346\A0030056.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP347\A0030066.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP347\A0030075.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP356\A0031075.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP357\A0031087.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP359\A0031137.ini (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP359\A0031164.ini (Rootkit.0Access) -> No action taken.
c:\windows\assembly\gac_msil\ (Rootkit.0Access) -> No action taken.
C:\_OTL\MovedFiles\12132010_214142\C_Documents and Settings\Administrator\Local Settings\Temp\kXVjsxrfbJ.exe (Trojan.FakeAlert) -> No action taken.
C:\_OTL\MovedFiles\12132010_214142\C_WINDOWS\ewuhahoz.dll (Trojan.Hiloti) -> No action taken.
C:\_OTL\MovedFiles\12132010_214142\C_WINDOWS\system32\esenmlby.dll (Trojan.Agent) -> No action taken.

(end)
  • 0

#19
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Malwarebytes log was created after a run last night - before GrantPerms instructions.

GrantPerms by Farbar
Ran by Administrator (administrator) at 2012-01-08 09:05:34

===============================================
ERROR: Parsing the SD of <\\?\c:\Documents and Settings\Administrator\Desktop\dnx825h5.exe > failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\Documents and Settings\Administrator\Desktop\OTL.exe > failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe > failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
\\?\c:\WINDOWS\$NtUninstallKB58471$\2859774444

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
BUILTIN\Administrators FULL ALLOW (I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)
BUILTIN\Power Users change ALLOW (I)
BUILTIN\Power Users change ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
  • 0

#20
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Unable to rename OTL.exe
  • 0

#21
myrti

myrti

    Expert

  • Expert
  • 2,580 posts
Hi,

please try this then:
We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it to the desktop: http://download.blee...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\dnx825h5.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\OTL.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.

regards myrti
  • 0

#22
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
That might have been the trick. OTL is now able to run and a log from a QUICK Scan is below:

OTL logfile created on: 1/14/2012 3:29:07 PM - Run 10
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 93.79 Mb Available Physical Memory | 36.92% Memory free
994.38 Mb Paging File | 569.55 Mb Available in Paging File | 57.28% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 190.87 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive L: | 232.88 Gb Total Space | 190.87 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
Drive P: | 232.88 Gb Total Space | 190.87 Gb Free Space | 81.96% Space Free | Partition Type: NTFS

Computer Name: MARK-DESKTOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Yahoo!\browser\ycommon.exe (Yahoo!, Inc.)
PRC - C:\Program Files\NavNT\rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\NavNT\vptray.exe (Symantec Corporation)
PRC - C:\Program Files\NavNT\defwatch.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\MSGSYS.EXE (Intel Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\WINDOWS\system32\vpnapi.dll ()
MOD - C:\Program Files\Yahoo!\browser\YCommonPS.dll ()
MOD - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
MOD - C:\Program Files\HP\HP Share-to-Web\hpgs2wnfps.dll ()


========== Win32 Services (SafeList) ==========

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (Autodesk Network Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe (Autodesk, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (AdobeVersionCue) -- C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe (Adobe Sytems)
SRV - (Norton AntiVirus Server) -- C:\Program Files\NavNT\rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\NavNT\defwatch.exe (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101013.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101013.002\NAVENG.SYS (Symantec Corporation)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC)
DRV - (AFS2K) -- C:\WINDOWS\System32\drivers\AFS2K.SYS ()
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)
DRV - (bvrp_pci) -- C:\WINDOWS\system32\drivers\bvrp_pci.sys ()
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (NAVAP) -- C:\Program Files\NavNT\navap.sys ()
DRV - (NAVAPEL) -- C:\Program Files\NavNT\Navapel.sys ()
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (hpcd2k) -- C:\WINDOWS\System32\drivers\hpcd2k.sys (Windows ® 2000 DDK provider)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapp.../search/ie.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1: C:\Program Files\Yahoo!\Shared\npYVerInfo.dll File not found
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found



O1 HOSTS File: ([2012/01/07 12:43:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (Symantec Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1178222835250 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1178225679734 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{884CF773-F307-4452-9869-F3A6A8709AAC}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/27 21:34:43 | 000,000,000 | ---D | M] - C:\AutoCAD MEP 2010 -- [ NTFS ]
O32 - AutoRun File - [2009/08/03 06:05:46 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2007/05/03 14:05:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/19 23:13:23 | 000,000,000 | ---D | M] - L:\AutoCAD MEP 2010 -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/14 15:06:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/01/08 09:31:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2012/01/08 09:03:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GrantPerms
[2012/01/07 21:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/07 21:55:04 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/07 21:55:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/07 21:34:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/01/07 21:08:38 | 000,000,000 | ---D | C] -- C:\Program Files\Copy of Malwarebytes' Anti-Malware
[2012/01/07 14:16:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/01/06 22:12:08 | 004,373,779 | ---- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2012/01/05 18:32:38 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2012/01/02 14:19:27 | 000,607,017 | ---- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.pif
[2011/12/31 03:00:33 | 000,000,000 | ---D | C] -- C:\156a5e01decd32baa39cc21db13c
[2011/12/16 03:01:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2007/12/27 21:27:35 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL

========== Files - Modified Within 30 Days ==========

[2012/01/14 14:19:56 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Inherit.exe
[2012/01/14 13:57:05 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\WebReg .job
[2012/01/14 13:06:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/14 13:06:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/08 09:31:37 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2012/01/08 09:01:17 | 000,450,985 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\GrantPerms.zip
[2012/01/07 21:55:13 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/07 20:46:52 | 000,079,623 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Junction.zip
[2012/01/07 12:43:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/06 22:12:08 | 004,373,779 | ---- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2012/01/06 11:32:01 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/01/05 00:14:33 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dnx825h5.exe
[2012/01/02 14:19:28 | 000,607,017 | ---- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.pif
[2012/01/02 11:12:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/31 03:04:39 | 000,441,112 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/31 03:04:39 | 000,071,430 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/24 18:29:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/16 03:20:22 | 000,323,168 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/01/14 14:26:27 | 000,085,504 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Inherit.exe
[2012/01/08 09:31:33 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2012/01/08 09:01:08 | 000,450,985 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\GrantPerms.zip
[2012/01/07 21:55:13 | 000,000,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/07 20:46:56 | 000,079,623 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Junction.zip
[2012/01/05 00:14:33 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dnx825h5.exe
[2011/12/24 18:29:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/30 02:19:42 | 000,944,120 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/12/13 22:27:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/13 22:27:52 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/13 22:27:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/13 22:27:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/13 22:27:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/01/22 22:22:59 | 000,000,265 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI
[2008/12/22 13:53:54 | 000,035,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\AFS2K.SYS
[2008/11/24 10:23:44 | 000,416,704 | ---- | C] () -- C:\WINDOWS\System32\EPD.dll
[2008/11/05 13:42:45 | 000,062,400 | ---- | C] () -- C:\WINDOWS\System32\IFC.dll
[2008/11/05 13:41:56 | 000,422,848 | ---- | C] () -- C:\WINDOWS\System32\PPL.dll
[2008/11/02 20:12:29 | 000,002,476 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\evpro32.prf
[2007/10/30 07:54:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2007/10/05 11:28:34 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2007/09/21 13:42:16 | 000,001,381 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/11 18:57:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/07/31 20:51:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2007/07/30 15:38:10 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/07/30 15:31:26 | 000,080,503 | ---- | C] () -- C:\WINDOWS\HPHins08.dat
[2007/07/30 15:31:26 | 000,004,011 | ---- | C] () -- C:\WINDOWS\hphmdl08.dat
[2007/07/30 08:14:12 | 000,099,049 | ---- | C] () -- C:\WINDOWS\hpiins04.dat
[2007/07/30 08:14:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpimdl04.dat
[2007/06/26 21:22:25 | 000,029,744 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2007/06/26 21:21:25 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/06/26 21:21:23 | 000,193,576 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/06/23 20:16:39 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2007/06/21 08:57:43 | 000,000,475 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2007/05/25 05:24:19 | 000,099,840 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/25 00:18:31 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2007/05/22 21:28:55 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/05/03 16:48:11 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2007/05/03 14:32:47 | 000,004,272 | R--- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2007/05/03 14:30:32 | 000,000,592 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/03 14:25:15 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll
[2007/05/03 14:23:04 | 000,019,968 | R--- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2007/05/03 14:22:53 | 000,000,132 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/05/03 14:08:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/05/03 14:02:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/05/03 09:41:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/05/03 09:41:05 | 000,323,168 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 11:48:28 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 11:48:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 11:35:07 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 11:35:06 | 000,441,112 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 11:35:05 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 11:35:03 | 000,071,430 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 11:33:18 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 11:28:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 11:28:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 11:21:49 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 11:20:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/03/05 11:38:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2001/09/24 06:59:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2001/08/31 14:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll
[2000/09/18 16:12:40 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\CSSMS_IN.DLL
[1999/08/12 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1999/08/12 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1999/08/12 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1999/08/12 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2009/10/17 17:19:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Autodesk
[2008/03/30 08:47:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CADwerx
[2007/06/23 09:05:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\VERITAS
[2008/11/17 07:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activision
[2010/12/22 14:31:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2008/08/21 22:17:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2008/08/21 22:34:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/10/22 19:31:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/07/20 15:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/05/12 02:02:02 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



< End of report >
  • 0

#23
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Also had this additional information come up from Norton, if it helps narrow down what we're looking at:

Notification 1
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.MalPE
File: C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP360\A0031278.exe
Location: Quarantine
Computer: MARK-DESKTOP
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sat Jan 14 17:10:43 2012


Notification 2
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.MalPE
File: C:\System Volume Information\_restore{350A1B1B-8402-4D3D-B67F-57715E6A9C64}\RP360\A0031279.dll
Location: Quarantine
Computer: MARK-DESKTOP
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sat Jan 14 18:10:33 2012
  • 0

#24
myrti

myrti

    Expert

  • Expert
  • 2,580 posts
Hi,

have the redirects stopped?

regards myrti
  • 0

#25
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Haven't seen any lately. To my knowledge yes. Had a bigger concern on the Read-Only / Access Denied issues, but haven't had these since running Inherit.exe.
  • 0

Advertisements


#26
myrti

myrti

    Expert

  • Expert
  • 2,580 posts
Hi,


yes inherit should have taken care of that. The detections you have listed are in system restore. They are inactive and we will remove them at the end.

For now please run a scan with Eset to check for other leftovers:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

  • 0

#27
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
C:\Program Files\HP\Digital Imaging\bin\hpqusgl.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\X.vir a variant of Win32/Sirefef.DD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\aa74b1ec\U\[email protected] probably a variant of Win32/Sirefef.DV trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Bonjour\mDNSResponder.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Cisco Systems\VPN Client\cvpnd.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Motive\McciCMService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\NavNT\defwatch.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\NavNT\rtvscan.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\HPZipm12.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\WINDOWS\system32\MSGSYS.EXE Win32/Patched.HN trojan error while cleaning
C:\WINDOWS\system32\drivers\AFS2K.SYS Win32/Patched.NBE trojan deleted - quarantined
Operating memory Win32/Patched.HN trojan
  • 0

#28
myrti

myrti

    Expert

  • Expert
  • 2,580 posts
Hi,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit.

C:\WINDOWS\system32\MSGSYS.EXE

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti
  • 0

#29
myrti

myrti

    Expert

  • Expert
  • 2,580 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP