ALERT virus 'intervalhehehe' urgent help needed
sadfart (Junior Member), 29. November 2008 @ 11:54
I was downloading a programme called WinRAR and I believe I have got a virus or malware, not sure of the difference. When I open the internet page it is in Chinese and keeps flashing up 'intervalhehehe'. I have run Spybot and Avast but it is still there. I need your help as the wife and kids are giving me hell. Please please please HELP
AfterDawn Addict, 29. November 2008 @ 12:01
Originally posted by sadfart:
I was downloading a programme called WinRAR and I believe I have got a virus or malware, not sure of the difference. When I open the internet page it is in Chinese and keeps flashing up 'intervalhehehe'. I have run Spybot and Avast but it is still there. I need your help as the wife and kids are giving me hell. Please please please HELP
Wrong forum, try here:
>>> http://forums.afterdawn.com/forum_view.cfm/166
Moderator, 29. November 2008 @ 12:02
Wrong forum - moved to something more appropriate.
WinRAR is a good program - now depending on where you downloaded it from, that may be a different story.
Sounds like you downloaded a hacked copy - risk you take with cracks:
http://answers.yahoo.com/question/index?qid=20081110165359AApWxiK
Cdavfrew (Senior Member), 30. November 2008 @ 00:59
Hi sadfart

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes

• Click on the tab Settings.
• Make sure only these boxes are checked:

Terminate Internet Explorer

Automatically save and display logfile after removal
Always scan memory objects
Always scan registry objects
Always scan filesystem
Always scan extra and heuristics objects

Updating Malwarebytes

• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time

• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.
**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log

• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards :D


sadfart (Junior Member), 30. November 2008 @ 10:40
Thanks for your response. I am not very technical but I will follow your instructions. With a bit of luck family communications will recommence and I won't be that stupid so-and-so for much longer.
sadfart (Junior Member), 30. November 2008 @ 11:35
Hi Cdavfrew,
Carried out your very clear instructions as above and I am now copying the log as requested. I have not tried to see if everything is working properly yet, as I wanted to post the log just in case the computer froze on me - well, it is a very cold day - please note I haven't lost my sense of humour - well, you know what they say, if you don't laugh you will cry. Thanks once again for all your help.

Sadfart
sadfart (Junior Member), 30. November 2008 @ 12:48
Sorry, my head's turned, I forgot to attach the log.

Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 5.1.2600 Service Pack 2

11/30/2008 16:25:48
mbam-log-2008-11-30 (16-25-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 158543
Time elapsed: 33 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 27
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 152

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explore (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:

Files Infected:
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_gray.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_green.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_high.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_low.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_orange.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_red.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\volume_slider.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\waiting_for_email.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\webcam_btn_highlighted.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\webcam_slide.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\webcams_title.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\images\eraser.CUR (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\murf\Application Data\VideoEgg\Publisher\2817\resources\VideoEgg\messages\messages.en-US.bundle (Adware.VideoEgg) -> Quarantined and deleted successfully.
sadfart
Junior Member
30. November 2008 @ 13:37
Hi cdav,
I don't think the problem is resolved. When I open Mozilla Firefox I get Chinese writing, and when I open Internet Explorer I get a message saying I have a virus and wanting me to pay for software to resolve it. I understand this is the scam, i.e. the buggers put a virus on and want you to pay to supposedly remove it, but I presume if you paid up and downloaded their programme it would probably muck up the computer even more. I have copied below the message from Firefox. I know I am a real pain, but your help would be very much appreciated.

Sadfart

无法找到该页
您正在搜索的页面可能已经删除、更名或暂时不可用。

请尝试以下操作:

* 确保浏览器的地址栏中显示的网站地址的拼写和格式正确无误。
* 如果通过单击链接而到达了该网页,请与网站管理员联系,通知他们该链接的格式不正确。
* 单击后退按钮尝试另一个链接。

HTTP 错误 404 - 文件或目录未找到。
Internet 信息服务 (IIS)

技术信息(为技术支持人员提供)

* 转到 Microsoft 产品支持服务并搜索包括“HTTP”和“404”的标题。
* 打开“IIS 帮助”(可在 IIS 管理器 (inetmgr) 中访问),然后搜索标题为“网站设置”、“常规管理任务”和“关于自定义错误消息”的主题。
Senior Member
30. November 2008 @ 22:33
Hey sadfart

I understand Chinese, and the Chinese message you have is the common Internet Explorer error (i.e. "This page cannot be found", blah blah blah), which leads me to suspect that you are infected by Chinese malware, which has altered some of your settings.

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.

• When the Recovery Console has been installed, click on Yes to start the scan.



**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards :D

Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

jojokimy
Suspended due to non-functional email address
1. December 2008 @ 20:19
Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 3

01/12/2008 5:11:54 PM
mbam-log-2008-12-01 (17-11-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 106684
Time elapsed: 42 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\system32\explore.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explore (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
Senior Member
2. December 2008 @ 04:29
Hey jojokimy

Please open a new thread for your problem, as your posting here might confuse this thread.

Best Regards :D

db7
Suspended due to non-functional email address
2. December 2008 @ 06:47
I just got rid of this virus by going to Run and entering C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Then opening up the hosts file with Notepad. I deleted the contents and replaced it with

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost



I then saved it and did a system restore, and now all is cool. However, I wouldn't do any banking or sensitive stuff for a while. I've used so many different spyware progs and none have worked. So I will wait to see what happens with others who have had this crap.

This message has been edited since posting. Last time this message was edited on 2. December 2008 @ 07:00
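A defender-side check for the hosts-file tampering db7 describes, added here as an example (it is not code from the thread or from any of the tools mentioned in it). It parses a Windows hosts file, ignores comment lines and the stock "127.0.0.1 localhost" mapping, and reports every other active entry, classifying it as a sinkhole (a name pointed at a loopback or unspecified address, which silently blocks that site, the usual way malware cuts off security vendors' update sites) or a redirect (a name pointed at some other address of the attacker's choosing). The sample file, the .invalid hostnames and the 198.51.100.7 address are constructed for the example.

```python
"""Audit a Windows hosts file for mappings that were not there by default.

Added example for the thread above; not code from the thread or from any
tool it mentions. The stock file the poster pasted carries only comments
and "127.0.0.1 localhost", so every other active line deserves a look.
"""
import ipaddress
import sys
from dataclasses import dataclass

# The only mapping in the stock Windows XP hosts file (as pasted in the thread).
DEFAULT_MAPPINGS = {("localhost", ipaddress.ip_address("127.0.0.1"))}

# Constructed sample input: the stock header plus three entries of the kind
# that hosts-file malware adds. Hostnames use the reserved .invalid TLD and
# the address comes from the 198.51.100.0/24 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1 localhost
# the entries below are constructed for this example
127.0.0.1 update.example-antivirus.invalid   # AV update site sinkholed
0.0.0.0   www.example-security.invalid
198.51.100.7 www.example-bank.invalid         # bank site redirected elsewhere
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    kind: str  # "sinkhole" or "redirect"


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active mapping.

    Anything after '#' is a comment. One address may be followed by several
    hostnames on the same line; each becomes its own mapping.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no hostname: malformed, resolves nothing
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for host in fields[1:]:
            yield line_no, addr, host.lower()


def audit_hosts(text):
    """Return a Finding for each active mapping that is not a stock default.

    A name pointed at a loopback (127.x, ::1) or unspecified (0.0.0.0, ::)
    address is a sinkhole: the site becomes unreachable. Any other address
    is a redirect: the name resolves to a host of someone else's choosing.
    """
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if (host, addr) in DEFAULT_MAPPINGS:
            continue
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append(Finding(line_no, host, str(addr), kind))
    return findings


def clean_hosts_text():
    """The minimal clean file: the stock comment header and localhost only."""
    return (
        "# Copyright (c) 1993-1999 Microsoft Corp.\n"
        "#\n"
        "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
        "127.0.0.1 localhost\n"
    )


if __name__ == "__main__":
    # Usage: python hosts_audit.py [C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts]
    # Without an argument the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = audit_hosts(text)
    for f in findings:
        print(f"line {f.line_no}: {f.kind:8} {f.hostname} -> {f.address}")
    if not findings:
        print("only the stock localhost mapping is present")
```

Run it against the live file to see what a cleaner would be removing before you overwrite it; a sinkhole finding for a security vendor's domain explains why the poster's scanners could not update, and a redirect finding for a bank or mail site is the reason db7's advice to avoid banking for a while is sound.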

sadfart
Junior Member
2. December 2008 @ 15:48
Hi Cdav,

Sorry for the delay in getting back to you. I deleted a RAR file I found in the Windows system file which was empty last night; I then rebooted the computer and the ruddy thing wouldn't start again, even in safe mode. I was crying and thought tonight I would have to do a restore from the CD and lose everything. But hey presto, when I turned the computer on tonight it opened, although I believe I still have the virus/trojan (whatever), because when I do a search on the Internet Explorer page it keeps going back to a page pretending to be from Microsoft and looking for me to pay them money to download something or other that they state will fix the problem; this has been reported as a scam on some other sites I have been on.

Sorry for the above rant, just wanted to give you an update on the current position.
I have tried to do a system restore but the computer has refused permission to do this.
I have now followed your instructions and copied the log below. I was not advised by the computer that I needed to reboot, so I decided not to do so just in case it wouldn't start again, and will leave it running until I hear from you.
I have also reactivated avast antivirus and the firewall.

Thanks for all your help so far.

ComboFix 08-12-01.03 - murf 2008-12-02 20:19:21.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT 0:00]
Running from: c:\documents and settings\murf\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\msn.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\ipflr.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-11-30 15:45 . 2008-11-30 15:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 15:45 . 2008-11-30 15:45 <DIR> d-------- c:\documents and settings\murf\Application Data\Malwarebytes
2008-11-30 15:45 . 2008-11-30 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 15:45 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 15:45 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-21 20:38 . 2008-11-21 20:38 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-21 20:38 . 2008-11-21 20:38 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-21 20:38 . 2008-11-21 20:38 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-21 20:38 . 2008-11-21 20:38 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 17:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
2004-08-01 23:08 25,456 ----a-w c:\program files\adupdmanager.xml
2004-06-24 00:03 4,040 ----a-w c:\program files\-dcch$v
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f3730ce0-582d-4b69-883c-613308706456}"= "c:\program files\bigmaq2\tbbig0.dll" [2008-11-24 1784856]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe1.dll" [2008-07-04 1569304]

[HKEY_CLASSES_ROOT\clsid\{f3730ce0-582d-4b69-883c-613308706456}]

[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
2008-07-04 17:40 1569304 --a------ c:\program files\thechatterbox.cc\tbthe1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f3730ce0-582d-4b69-883c-613308706456}]
2008-11-24 20:52 1784856 --a------ c:\program files\bigmaq2\tbbig0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f3730ce0-582d-4b69-883c-613308706456}"= "c:\program files\bigmaq2\tbbig0.dll" [2008-11-24 1784856]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe1.dll" [2008-07-04 1569304]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F3730CE0-582D-4B69-883C-613308706456}"= "c:\program files\bigmaq2\tbbig0.dll" [2008-11-24 1784856]
"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= "c:\program files\thechatterbox.cc\tbthe1.dll" [2008-07-04 1569304]

[HKEY_CLASSES_ROOT\clsid\{f3730ce0-582d-4b69-883c-613308706456}]

[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-04-13 18576936]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"avast!"="c:\avast4~2\ashDisp.exe" [2008-11-26 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-18 180269]
"IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0P1.EXE" [2003-10-10 99840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-08 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-04-28 82026]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-07-05 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\MSN6.EXE"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-03-31 111184]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobiw.sys [2003-04-10 187392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-03-31 20560]
R2 HPFECP16;HPFECP16;c:\windows\system32\drivers\HPFECP16.SYS [1998-08-18 52800]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 cdrdrv;Cdrdrv;c:\windows\system32\Drivers\Cdrdrv.sys [2002-12-13 64000]
S3 hmajeeq.sys;hmajeeq.sys;\??\c:\windows\System32\hmajeeq.sys []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-12-02 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~2\MESSAGES\SDNotify.exe [2007-09-26 08:53]

2008-12-01 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-_{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
BHO-{} - (no file)
HKCU-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-I/O Controllers - svcnet.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\murf\Application Data\Mozilla\Firefox\Profiles\xytoy8qd.Default User\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1666617&SearchSource=3&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 20:20:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 20:21:07
ComboFix-quarantined-files.txt 2008-12-02 20:21:06

Pre-Run: 41,500,278,784 bytes free
Post-Run: 41,986,818,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

174 --- E O F --- 2008-12-01 18:45:58
sadfart
Junior Member
2. December 2008 @ 16:14
Hi cdav,

Just to let you know, before I ran ComboFix I deleted Firefox from my computer.

Best Regards

sadfart
Senior Member
2. December 2008 @ 22:26
Hey sadfart

How willing are you to download another piece of software to scan your computer? I understand that disk space may be an issue, so it's your call.

Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

Rename HijackThis(.exe) to scanner(.exe).

Next, run scanner(.exe). A window will pop up.

• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here.

This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

NOTE:: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

Also, it's probably best to let your computer restart. Better to know now than later, right?

Best Regards :D

db7
Suspended due to non-functional email address
2. December 2008 @ 23:44
I ran HijackThis and it told me to delete all the stuff that was in the hosts file. However, it does not replace it with what was in it before I infected my computer. It also comes up with other stuff that is not in the hosts file.

The worry for you is that you may not have a restore point anymore that is before the date you loaded the crap onto your machine.

Google "intervalhehehe host file" if you want a clearer explanation of what to do.

I also downloaded the trial version of Kaspersky Internet Security, which seemed to find a few threats that all the others missed.

This message has been edited since posting. Last time this message was edited on 2. December 2008 @ 23:49

bertumx
Newbie
4. December 2008 @ 10:06
Hi to all.

I have the exact same problem as sadfart. I'm infected with 'intervalhehehe', which I downloaded with WinRAR as well. Same symptoms and everything. I read the thread, downloaded ComboFix, ran it and it gave me the log in Notepad form... what do I do next... I really appreciate your help... and if you could tell me, how dangerous is this virus?? This is the log:

ComboFix 08-12-03.04 - Roberto 2008-12-04 14:25:02.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.864 [GMT 0:00]
Running from: c:\users\Roberto\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 12:36 . 2008-12-04 12:36 <DIR> d-------- c:\windows\System32\drivers\Avg
2008-12-04 12:36 . 2008-12-04 12:36 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2008-12-04 12:36 . 2008-12-04 12:36 69,128 --a------ c:\windows\System32\drivers\avgwfpx.sys
2008-12-04 12:36 . 2008-12-04 12:36 10,520 --a------ c:\windows\System32\avgrsstx.dll
2008-12-04 12:35 . 2008-12-04 12:35 <DIR> d----c--- c:\users\All Users\avg8
2008-12-04 12:35 . 2008-12-04 12:35 <DIR> d----c--- c:\programdata\avg8
2008-12-04 12:35 . 2008-12-04 12:35 <DIR> d----c--- c:\program files\AVG
2008-12-04 12:23 . 2008-12-04 12:23 <DIR> d----c--- c:\program files\Opera
2008-12-04 12:16 . 2008-12-04 12:16 <DIR> d----c--- c:\program files\XviD
2008-12-04 12:15 . 2008-12-04 12:15 <DIR> d----c--- c:\program files\K-Lite Codec Pack
2008-12-04 12:15 . 2008-12-04 12:15 <DIR> d----c--- c:\program files\AC3Filter
2008-12-04 12:15 . 2003-08-19 09:20 180,224 --a------ c:\windows\System32\ac3filter.cpl
2008-12-04 11:11 . 2008-12-04 11:11 <DIR> dr---c--- c:\program files\Norton Support
2008-12-04 08:56 . 2008-12-04 11:05 <DIR> d-a--c--- c:\users\All Users\TEMP
2008-12-04 08:56 . 2008-12-04 11:05 <DIR> d-a--c--- c:\programdata\TEMP
2008-12-04 01:37 . 2008-12-04 09:51 <DIR> d----c--- c:\users\All Users\Symantec
2008-12-04 01:37 . 2008-12-04 09:51 <DIR> d----c--- c:\programdata\Symantec
2008-12-04 01:36 . 2008-12-04 01:36 <DIR> d-------- c:\windows\System32\drivers\NIS
2008-12-04 01:36 . 2008-12-04 01:36 <DIR> d----c--- c:\program files\Symantec
2008-12-04 01:36 . 2008-12-04 01:36 <DIR> d----c--- c:\program files\Norton Internet Security
2008-12-04 01:36 . 2008-12-04 09:51 <DIR> d----c--- c:\program files\Common Files\Symantec Shared
2008-12-04 01:36 . 2008-12-04 01:36 124,464 --a------ c:\windows\System32\drivers\SYMEVENT.SYS
2008-12-04 01:36 . 2008-12-04 01:36 25,136 -ra------ c:\windows\System32\drivers\SymIMV.sys
2008-12-04 01:36 . 2008-12-04 01:36 10,635 --a------ c:\windows\System32\drivers\SYMEVENT.CAT
2008-12-04 01:36 . 2008-12-04 01:36 806 --a------ c:\windows\System32\drivers\SYMEVENT.INF
2008-12-04 01:32 . 2008-12-04 01:32 <DIR> d----c--- c:\users\All Users\NortonInstaller
2008-12-04 01:32 . 2008-12-04 01:36 <DIR> d----c--- c:\users\All Users\Norton
2008-12-04 01:32 . 2008-12-04 01:32 <DIR> d----c--- c:\programdata\NortonInstaller
2008-12-04 01:32 . 2008-12-04 01:36 <DIR> d----c--- c:\programdata\Norton
2008-12-04 01:32 . 2008-12-04 01:36 <DIR> d----c--- c:\program files\NortonInstaller
2008-12-04 01:28 . 2008-12-04 01:28 <DIR> d----c--- c:\users\All Users\Symantec Temporary Files
2008-12-04 01:28 . 2008-12-04 01:28 <DIR> d----c--- c:\programdata\Symantec Temporary Files
2008-12-04 00:50 . 2008-12-04 00:50 <DIR> d-------- c:\users\Roberto\AppData\Roaming\McAfee
2008-12-03 08:07 . 2008-10-16 21:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-03 08:07 . 2008-10-16 20:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-03 08:07 . 2008-10-16 21:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-03 08:07 . 2008-10-16 21:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-03 08:06 . 2008-10-16 21:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-03 08:06 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-03 08:06 . 2008-10-16 20:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-03 08:06 . 2008-10-16 21:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-03 08:06 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-26 21:28 . 2008-11-26 21:28 <DIR> d-------- c:\users\Roberto\AppData\Roaming\NCH Software
2008-11-26 20:19 . 2008-11-26 20:19 <DIR> d----c--- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 20:19 . 2008-11-26 20:19 <DIR> d----c--- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 20:19 . 2008-11-26 20:19 <DIR> d----c--- c:\program files\iTunes
2008-11-26 20:19 . 2008-11-26 20:19 <DIR> d----c--- c:\program files\iPod
2008-11-26 19:09 . 2008-11-26 19:12 <DIR> d-------- c:\users\Roberto\AppData\Roaming\TigerPlayer
2008-11-26 19:07 . 2008-11-26 19:09 <DIR> d----c--- c:\program files\MpcStar
2008-11-26 18:33 . 2008-12-04 12:32 <DIR> d----c--- c:\users\Roberto\APPLICATIONS
2008-11-26 18:23 . 2008-12-04 12:18 <DIR> d----c--- c:\users\Roberto\FILMS
2008-11-26 17:27 . 2008-11-26 17:27 <DIR> d----c--- c:\program files\Dziobas Rar Player
2008-11-26 15:50 . 2008-11-26 15:52 <DIR> d----c--- C:\Netgear
2008-11-26 14:55 . 2008-12-04 11:38 <DIR> d----c--- C:\Downloads
2008-11-26 14:54 . 2008-11-26 14:54 <DIR> d----c--- c:\program files\BitComet
2008-11-26 13:31 . 2008-10-21 05:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 13:31 . 2008-08-28 03:22 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 13:31 . 2008-08-28 03:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 13:31 . 2008-08-28 03:22 347,648 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 13:31 . 2008-10-22 03:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 13:31 . 2008-10-22 03:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-26 13:31 . 2008-10-22 03:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-24 13:10 . 2008-11-26 20:17 <DIR> d----c--- c:\program files\QuickTime
2008-11-20 23:25 . 2008-11-20 23:25 <DIR> d----c--- c:\program files\DNA
2008-11-20 23:25 . 2008-11-20 23:25 <DIR> d----c--- c:\program files\BitTorrent
2008-11-20 23:24 . 2008-11-20 23:24 <DIR> d----c--- c:\program files\AskBarDis
2008-11-12 10:03 . 2008-09-10 03:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-12 10:03 . 2008-09-05 04:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-12 10:03 . 2008-08-26 01:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-12 10:03 . 2008-09-10 03:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-11-12 10:03 . 2008-09-05 04:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-11-07 14:23 . 2008-11-07 14:23 32,000 --a------ c:\windows\System32\drivers\usbaapl.sys
2008-11-04 19:06 . 2008-11-04 19:06 <DIR> d-------- c:\users\Guest\Bluetooth Software
2008-11-04 19:05 . 2008-11-04 19:05 <DIR> d-------- c:\users\Guest\AppData\Roaming\Roxio
2008-11-04 19:05 . 2008-11-04 19:05 <DIR> d--h----- c:\users\Guest\AppData\Roaming\GTek
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Videos
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Searches
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Saved Games
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Pictures
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Music
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Links
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Downloads
2008-11-04 19:04 . 2008-11-04 19:06 <DIR> dr------- c:\users\Guest\Documents
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> dr------- c:\users\Guest\Contacts
2008-11-04 19:04 . 2006-11-02 12:37 <DIR> d-------- c:\users\Guest\AppData\Roaming\Media Center Programs
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> d--h----- c:\users\Guest\AppData
2008-11-04 19:04 . 2008-12-04 14:07 <DIR> d----c--- c:\users\Guest
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\System32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 09:15 --------- dc----w c:\programdata\McAfee
2008-11-28 20:35 --------- d-----w c:\users\Roberto\AppData\Roaming\LimeWire
2008-11-28 19:40 27,525 ----a-w c:\users\Roberto\AppData\Roaming\nvModes.dat
2008-11-26 23:41 --------- dc----w c:\programdata\NCH Swift Sound
2008-11-26 23:41 --------- dc----w c:\program files\NCH Swift Sound
2008-11-26 20:19 --------- dc----w c:\program files\Common Files\Apple
2008-11-26 20:17 --------- dc----w c:\programdata\Apple Computer
2008-11-26 17:47 --------- dc----w c:\program files\Common Files\Nero
2008-11-26 17:45 --------- dc----w c:\programdata\Nero
2008-11-23 16:07 --------- d-----w c:\users\Roberto\AppData\Roaming\skypePM
2008-11-23 01:05 --------- d-----w c:\users\Roberto\AppData\Roaming\Skype
2008-11-20 17:42 --------- d-----w c:\users\Roberto\AppData\Roaming\Apple Computer
2008-10-28 01:33 --------- dc----w c:\program files\LimeWire
2008-10-20 16:38 --------- dc----w c:\program files\Windows Live
2008-10-20 16:36 --------- dc----w c:\program files\Microsoft SQL Server Compact Edition
2008-10-20 16:33 --------- dc----w c:\program files\Microsoft
2008-10-20 16:29 --------- dc----w c:\program files\Common Files\Windows Live
2008-10-16 21:49 --------- dc----w c:\programdata\CyberLink
2008-10-16 21:49 --------- d-----w c:\users\Roberto\AppData\Roaming\CyberLink
2008-10-16 02:12 --------- dc----w c:\program files\Windows Mail
2008-10-15 21:18 --------- d-----w c:\users\Roberto\AppData\Roaming\Camfrog
2008-10-15 21:17 --------- dc----w c:\program files\Camfrog
2008-10-13 13:02 28,672 ----a-w c:\windows\System32\ssconfig.exe
2008-10-13 13:02 180,224 ----a-w c:\windows\UninstallWSST.exe
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 16:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-19 21:38 56 -c-ha-w c:\users\All Users\ezsidmv.dat
2008-09-19 21:38 56 -c-ha-w c:\programdata\ezsidmv.dat
2008-09-18 14:41 753,664 ----a-w c:\windows\System32\NET11c32.dll
2008-09-18 14:41 2,777,088 ----a-w c:\windows\System32\NET11r32.dll
2008-09-18 14:36 61,224 -c--a-w c:\users\Roberto\GoToAssistDownloadHelper.exe
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-09-11 07:54 537,600 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-09-11 07:54 449,536 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-09-11 07:54 4,247,552 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-09-11 07:54 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-09-11 07:54 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-09-11 07:54 2,144,256 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-09-11 07:54 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-09-11 07:54 1,686,528 ----a-w c:\windows\System32\gameux.dll
2008-09-11 07:53 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-09-11 07:53 268,800 ----a-w c:\windows\System32\es.dll
2008-09-08 23:03 51,712 ----a-w c:\windows\System32\sirenacm.dll
2008-09-07 21:20 174 --sha-w c:\program files\desktop.ini
2008-09-07 20:36 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-09-07 20:36 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-09-07 20:36 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-09-07 20:36 272,896 ----a-w c:\windows\System32\polstore.dll
2008-09-07 20:35 704,000 ----a-w c:\windows\System32\PhotoScreensaver.scr
2008-09-07 20:35 67,584 ----a-w c:\windows\System32\wlanhlp.dll
2008-09-07 20:35 542,720 ----a-w c:\windows\System32\sysmain.dll
2008-09-07 20:35 502,784 ----a-w c:\windows\System32\wlansvc.dll
2008-09-07 20:35 47,104 ----a-w c:\windows\System32\wlanapi.dll
2008-09-07 20:35 299,008 ----a-w c:\windows\System32\wlansec.dll
2008-09-07 20:35 289,280 ----a-w c:\windows\System32\wlanmsm.dll
2008-09-07 20:35 24,064 ----a-w c:\windows\System32\wtsapi32.dll
2008-09-07 20:35 2,923,520 ----a-w c:\windows\explorer.exe
2008-09-07 20:34 194,560 ----a-w c:\windows\System32\WebClnt.dll
2008-09-07 20:32 2,048 ----a-w c:\windows\System32\tzres.dll
2008-09-07 20:30 8,147,968 ----a-w c:\windows\System32\wmploc.DLL
2008-09-07 20:30 7,680 ----a-w c:\windows\System32\spwmp.dll
2008-09-07 20:30 4,096 ----a-w c:\windows\System32\dxmasf.dll
2008-09-07 20:30 356,864 ----a-w c:\windows\System32\MediaMetadataHandler.dll
2008-09-07 20:28 9,892,864 ----a-w c:\windows\System32\NlsLexicons000a.dll
2008-09-07 20:25 181,760 ----a-w c:\windows\System32\fsquirt.exe
2008-09-07 20:23 9,728 ----a-w c:\windows\System32\LAPRXY.DLL
2008-09-07 20:23 223,232 ----a-w c:\windows\System32\WMASF.DLL
2008-09-07 20:23 2,048 ----a-w c:\windows\System32\asferror.dll
2008-09-07 20:22 296,448 ----a-w c:\windows\System32\gdi32.dll
2008-09-07 20:22 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-09-07 20:21 83,968 ----a-w c:\windows\System32\dnsrslvr.dll
2008-09-07 20:21 24,576 ----a-w c:\windows\System32\dnscacheugc.exe
2008-09-07 20:21 11,776 ----a-w c:\windows\System32\sbunattend.exe
2008-09-07 20:20 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-09-07 20:20 788,992 ----a-w c:\windows\System32\rpcrt4.dll
2008-09-07 20:20 737,792 ----a-w c:\windows\System32\inetcomm.dll
2008-09-07 20:20 1,327,616 ----a-w c:\windows\System32\quartz.dll
2008-09-05 21:16 1,900,544 ----a-w c:\windows\System32\usbaaplrc.dll
2008-09-05 14:56 287,744 ----a-w c:\windows\WLXPGSS.SCR
2007-11-24 14:46 76 --sha-r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 17:24 325000 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-08 3513344]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-09-20 1410344]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-07 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-25 8478720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-25 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-09-25 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-11-24 77824]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-24 1838592]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-04 1234712]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 703280]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-11-24 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i263_32.drv
"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll
"vidc.XVID"= xvid.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D18116E7-8636-4DA0-AEB0-EE6D4263A8AF}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{BF9D1942-D4DE-4AB6-A744-7CD075A6CCA5}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{F0BAB53D-4597-41ED-BF80-06C715004BDF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{540D9235-A6B6-4DCB-BC73-3364E323DECE}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{6212DBD9-43B7-4046-9DAB-038C75AD4634}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B72E65C2-6F63-4207-ABEF-7758D3E4B7BF}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B78BC15C-2316-4EAF-BECE-759C5E5FA8AE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D31238A5-0170-43F6-8507-EA9F6428BF60}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ECE65B30-FC2F-4896-937B-1BC168B0DE7A}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{9F46F2A6-F9FC-45C6-9903-F570D75E2C45}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{7E67C9E0-DFC9-4C7A-981A-DDA8B94DBFCA}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{C1295366-BB88-469A-AD4B-05A06C95DE32}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1CB37482-7508-4073-9C90-8D79E0B1F839}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{32C2A325-ACE6-485B-AEC4-A954A5D34081}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{6E5ACB26-0D7F-4FDE-B625-4E3207A3F860}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1001000.021\SYMEFA.SYS [2008-12-04 309296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-04 97928]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-04 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1001000.021\ccHPx86.sys [2008-12-04 362544]
R1 IDSVix86;IDSVix86;\??\c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSvix86.sys [2008-12-04 289840]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-24 73728]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-04 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-04 231704]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-12-04 69128]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-11-24 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2007-11-24 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2007-11-24 7424]
R3 SYMNDISV;SYMNDISV;\??\c:\windows\system32\drivers\NIS\1001000.021\SYMNDISV.SYS [2008-12-04 40496]
S3 GoToAssist;GoToAssist;"c:\program files\Citrix\GoToAssist\514\g2aservice.exe" Start=service [2008-09-18 16680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\autoRcd.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 14:31:13
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-04 14:41:44
ComboFix-quarantined-files.txt 2008-12-04 14:41:42

Pre-Run: 44,755,689,472 bytes free
Post-Run: 57,541,799,936 bytes free

319 --- E O F --- 2008-12-01 13:54:18
bertumx
Newbie
4. December 2008 @ 10:26
Hey sadfart, I think I just found the solution. I read on another forum what to do and it worked for me till now. I did the process 2 mins ago and the Microsoft thing on the browser left. This is what I did:

Download HijackThis from the following link

http://www.download.com/Trend-Micro-Hija...

Then click install HijackThis

Click scan

Then check all of the following files with the check mark. After you have checked off all of these files hit FIX; your problems should be solved. Mine were... a lot simpler than I thought it would be.

O1 - Hosts: 61.157.217.210 www.yahoo.com
O1 - Hosts: 61.157.217.210 www.google.com
O1 - Hosts: 61.157.217.210 www.google.co.uk
O1 - Hosts: 61.157.217.210 www.myspace.com
O1 - Hosts: 61.157.217.210 www.youtube.com
O1 - Hosts: 61.157.217.210 www.facebook.com
O1 - Hosts: 61.157.217.210 www.live.com
O1 - Hosts: 61.157.217.210 www.yahoo.com
O1 - Hosts: 61.157.217.210 www.yahoo.co.uk
O1 - Hosts: 61.157.217.210 www.antispyware.com
O1 - Hosts: 61.157.217.210 antispyware.com
O1 - Hosts: 61.157.217.210 antispy.com
O1 - Hosts: 61.157.217.210 www.msn.com
O1 - Hosts: 204.16.197.121 www.asfvb.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.3.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.657.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.34.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.45.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.asdv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvtrv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.g.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.bb.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.dfyu.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.bb.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.dfyu.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.bb.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.dfyu.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.bb.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.dfyu.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.xvv.com
O1 - Hosts: 204.16.197.121 www.msasern.com
O1 - Hosts: 61.157.217.210 www.antispy.com
sadfart
Junior Member
4. December 2008 @ 14:23
Hi Bertumx,

Thanks for your post; I would be interested if you could forward details of the site that you got the result from. After all the shit I have been through I have turned into a doubting Thomas. Although I have to say it seems like the easiest solution so far, except that HijackThis might be a problem as you will see below.

Hi Cdav,
Was trying to follow your instructions but made a horlicks of trying to rename HijackThis to scanner and had no WinZip to open it with. I then downloaded jZip and tried to unzip the file, but when I tried to rename it within jZip it wouldn't let me, so I deleted it, but I think it may still be on the computer somewhere. I feel like such a dimwit and you probably think to yourself "what have I got involved with", but I would like any advice you could give me at this time.

Regards
Safart.

PS. What do you think of B's solution above? Do you think I should try it?
bertumx
Newbie
5. December 2008 @ 08:31
Hi sadfart

So far it worked for me... I'll try and forward the site for you... but whatever I wrote up there was copied and pasted from the site I told you about...

Regards...
Senior Member
6. December 2008 @ 02:38
Hey sadfart

Yes, bertumx's instructions were what I was leading up to. You shouldn't need WinZip or jZip to unzip a zip file; Windows has it naturally.

Here are the instructions:

Go to C:\Windows\system32\drivers\etc\, and find a file called hosts. Open this file in Notepad, and delete everything under "127.0.0.1 localhost". Save this file, and restart your computer.

Is your problem fixed now?

Best Regards :D



Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

Lisha
Newbie
6. December 2008 @ 16:39
Hi,

I had the same intervalhehehe virus and I have followed the steps on a few forums on how to resolve the issue.

Some people are saying they can't delete the host websites because it says it's an invalid path. I had the same problem and I found a way of fixing it. I don't know whether it is a good way, but it worked for me.

Copy the hosts file and paste it onto the desktop. Then delete everything in the desktop file (the infected host names). Once the desktop file is blank, save it. You can then cut the file from the desktop and paste it into the original folder so it overwrites the file you were unable to delete.

You should now be able to access websites. I would recommend still checking for viruses though.

(I hope this made sense)
sadfart
Junior Member
7. December 2008 @ 12:20
Thanks Cdav and other contributors,
Really appreciated all your help, I owe you all a big pint of Guinness.
I believe the matter is resolved, although, just curious, do you think it is safe to do my online banking or buy online with my credit card using this computer?

I have copied below the latest path I used, which has hopefully sorted me out, or at least my computer.

Keep up the good work Cdav and let's hope I don't have to contact you in the near future.

POST
Got this in the same way as everyone else. I am an IT professional but that doesn't mean this will be perfect since it isn't quite my domain!

Anyway, I'll try to explain in as simple terms as I know how.

Good news is that I think I am all fixed now.

Most importantly, you should fix this ASAP. Don't go to your banking sites or use Outlook or anything like that until you are fixed. If you are paranoid then re-install Windows. If like me you want to do a DIY fix then here's how I did it.

First I uninstalled WinRar and deleted the folders. You still get the annoying messages.

Then I downloaded a bunch of anti-malware, making sure that in every instance it came from a pukka site. This means ignoring the "megafilesharezone" type sites offered by Google and going to the vendor's site and following only their instructions to valid "mirrors" or download servers. If you are having trouble getting Google to work then this takes you direct to Spybot S&D:

http://www.safer-networking.org/en/downl...

You can trust me and go straight there (!); use another PC and a USB key to transfer them to the infected machine (safe to do in this case as far as I can tell), or if you know another language then my guess is a foreign Google such as www.google.fr should bypass the problem (the malware only affects the UK and US Google addresses I think).

Rule 1 is to run these in Safe Mode (reboot, press F8 and then boot Windows in "Safe Mode with Networking"). Can't be sure, but the socially inept, friendless, tiny mahood person who designed intervalhehehe seems to have got it to avoid detection in normal Windows mode.

This will take up to an hour or so depending on your machine and the amount of files you have.

For reference, the anti-malware that actually got the stuff was Spybot S&D updated with the latest files. I also ran CCleaner, MV RegClean and Malwarebytes - all of them spotted some things but not necessarily this. I had Trend anti-virus installed but this didn't spot anything.

Run these until the scans come back clean, then reboot into normal mode. You should have no annoying messages now. If you do, then my answer hasn't worked for you.

Once that was done, some smart cookie on the net suggested that if you are still getting Chinese Google / fake Microsoft site syndrome then your hosts file has been tampered with. If you're interested (which you certainly don't have to be to solve this!), the hosts file tells your machine that certain requests for URLs by any of your browsers should ignore the real site (to do with a service called DNS) and go to wherever the file tells it to; in this case, requests for Google and a few other sites are being sent to a malware site or Chinese Google. For me, this was absolutely the case.

For those not familiar with this it is perfectly safe and easy to repair:

Go to C:\Windows\system32\drivers\etc\hosts

Open this in Notepad (ignoring system messages telling you that you ought not to play with these files) and delete everything. Then, to return to the Windows original, add this single line and then save:

127.0.0.1 localhost

If you don't trust my reply here, check on the web for a "windows hosts file" example and you should find that's OK!

If you see another version of this with lots of text in it, don't worry that the descriptive text above the line isn't there; Windows will ignore that since it was for your benefit only. Or add it in, it really doesn't matter.

Note: If you are using a PC which has IIS or Apache or some other reason to have a special hosts file then you may need to reconstruct your hosts file a little more carefully, but then if you are doing that, refer to the documentation for that!

That should return you back to normal.
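The manual hosts-file repair that Cdav and the quoted POST describe, as an added Python example (not code from the thread or from any poster): it parses the file, labels each line, and rebuilds one that contains only the stock localhost entries. The sample hosts text, the HOSTS_PATH constant and all function names are constructed for this example; the two redirect addresses in the sample are the ones shown in the HijackThis output above.

```python
"""Audit and rebuild a Windows hosts file (added example, not code from the thread).

The posts above repair the hijack by hand: open the hosts file, delete everything
under "127.0.0.1 localhost", save. This does the same check mechanically, so the
suspicious lines can be reviewed before anything is deleted.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# Default location on Windows, the same path the thread gives (constant name assumed).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Names that a stock Windows hosts file maps to loopback.
STOCK_NAMES = {"localhost"}


class HostsEntry(NamedTuple):
    line_no: int
    ip: str                  # address field exactly as written (may be malformed)
    names: tuple[str, ...]
    raw: str                 # original line, kept for the report


def parse_hosts(text: str) -> list[HostsEntry]:
    """Split hosts-file text into entries, dropping blank lines and '#' comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # '#' starts a comment in hosts files
        if not body:
            continue
        fields = body.split()
        entries.append(HostsEntry(line_no, fields[0], tuple(fields[1:]), raw))
    return entries


def classify(entry: HostsEntry) -> str:
    """Label one entry:
      'ok'        stock loopback line (127.0.0.1 or ::1 -> localhost)
      'block'     a name sinkholed to loopback/0.0.0.0 (ad-block style, not a hijack)
      'hijack'    a name sent to a remote address, which is what the O1 lines above show
      'malformed' no hostname, or the address field is not an IP address
    """
    if not entry.names:
        return "malformed"
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    if not (addr.is_loopback or addr.is_unspecified):
        return "hijack"
    if all(name.lower() in STOCK_NAMES for name in entry.names):
        return "ok"
    return "block"


def audit(text: str) -> list[tuple[HostsEntry, str]]:
    """Every entry paired with its label, in file order."""
    return [(entry, classify(entry)) for entry in parse_hosts(text)]


def hijacked_names(text: str) -> list[str]:
    """Hostnames that the file redirects to a remote server."""
    return [name for entry, label in audit(text) if label == "hijack" for name in entry.names]


def rebuild_hosts(text: str, keep_blocks: bool = False) -> str:
    """Return hosts-file text with hijacked and malformed lines removed.

    With the default keep_blocks=False this matches the thread's manual fix:
    only the stock localhost lines survive, and one is added if none was present.
    """
    report = audit(text)
    kept = [f"{entry.ip}\t{' '.join(entry.names)}"
            for entry, label in report
            if label == "ok" or (keep_blocks and label == "block")]
    if not any(label == "ok" for _, label in report):
        kept.insert(0, "127.0.0.1\tlocalhost")   # the one line Windows needs
    return "\n".join(kept) + "\n"


# Constructed sample modelled on the HijackThis O1 lines posted in this thread.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
61.157.217.210  www.google.com
61.157.217.210  www.antispyware.com
204.16.197.121  www.xvv.com
127.0.0.1       ads.example.test   # sinkhole added on purpose, not a hijack
"""


def main() -> None:
    for entry, label in audit(SAMPLE_HOSTS):
        print(f"{label:9} line {entry.line_no:2}: {entry.raw.strip()}")
    print("--- rebuilt hosts file ---")
    print(rebuild_hosts(SAMPLE_HOSTS), end="")


if __name__ == "__main__":
    main()
```

To check a real machine, read HOSTS_PATH and pass its contents to audit() first and review the report; writing the rebuilt text back needs an elevated editor, which is the "invalid path" problem Lisha's post works around.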
jeedai555
Newbie
10. December 2008 @ 07:11
Malwarebytes' Anti-Malware 1.31
Database version: 1482
Windows 5.1.2600 Service Pack 1

12/10/2008 5:09:45 AM
mbam-log-2008-12-10 (05-09-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99061
Time elapsed: 25 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8c875948-9c60-4381-9248-0df180542d53} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\SbHostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vrmon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\spamblockerutility 4.7.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\spam blocker for ms outlook (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Chris Natividad\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\SpamBlockerUtility.inf (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
jeedai555
Newbie
10. December 2008 @ 07:57
Hello, I am still having issues trying to get rid of that virus. Can someone please help me? I am not very tech savvy and I have done my best to follow everyone's instructions.

Thank you for your time and help.