Antivirus System Pro

Welcome Guest ( Login | Register )

Recent Posts

Home » Windows & System Security » Virus / Spyware Problems and Security... » Antivirus System Pro

Antivirus System Pro

Rate Topic

Display Mode

Topic Options

Author

Message

paramedic86

Posted 11/5/2009 8:55 AM

New Member

Group: Forum Members
Last Login: 6/17/2008 11:58 PM
Posts: 22, Visits: 19

This virus has taken control of my computer. I'm surprised I was even able to get to this website.

I tried opening Hijack This but when I do I get this pop up: Application cannot be executed. The file Hijack This is infected. Would you like to actived your antivirus software now? - The virus does this for other programs like, add/remove software, malware bytes, internet options etc.

Of course I always click no to all the pop-ups it keeps sending me. Another thing this virus does is try to open internet explorer to websites like www porno.org or adult. com

I have no clue what to do. SUPERAntiSpyware and Avira still work and removed about 40 viruses that most likely came with ASP. However, they can't remove the program itself.

Post #254814

RichieUK

Posted 11/5/2009 9:56 AM

Senior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 35,658, Visits: 54,734

Welcome

Try running the following in the order they're posted:
Download SmitfraudFix (by S!Ri),to your desktop.
Alternate official download locations Here and Here.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.

Download ComboFix from HERE or HERE to your Desktop,by following the steps below.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1.If you are using Firefox, make sure that your download settings are as follows:

* Click on Tools->Options->"Main" tab
* Set to "Always ask me where to Save the files".

2.During the download,rename Combofix to Combo-Fix as follows:

3.It is important you rename Combofix during the download, but not after.
4.Please do not rename Combofix to other names, but only to the one indicated.
5.Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
* Click Here to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

6.Double click on Combo-Fix.exe & follow the prompts,if you're running Windows Vista right click on Combo-Fix.exe and click on "Run as Administrator".
7.When finished, it will produce a report for you.
8.Please post the contents of "C:\Combo-Fix.txt" into your next reply.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

___________________________________________________________

Post #254815

paramedic86

Posted 11/5/2009 10:49 AM

New Member

Group: Forum Members
Last Login: 6/17/2008 11:58 PM
Posts: 22, Visits: 19

I ran the Smitfraudfix in safe mode and it seemed to clean everything. However when I restarted in normal mode ASP was still on my desktop. I tried to open the Smitfraud log I had saved on my desktop but ASP wouldn't let me.

The application cannot be executed. The file rapport.txt is infected. Would you like to actived your antivirus software now?

I get the same message for Combofix. However I was able to run it but couldn't open the save file. I can't even have it open for more than two seconds before ASP shuts it down.

When I restart my computer Avira detects this virus: TR/BHO.whc.15

Post #254816

paramedic86

Posted 11/5/2009 2:00 PM

New Member

Group: Forum Members
Last Login: 6/17/2008 11:58 PM
Posts: 22, Visits: 19

Sorry for the earlier post, I didn't think to open the logs in safe mode. I chose safe mode with networking. Hopefully that won't matter.

Here is the rapport log

SmitFraudFix v2.424

Scan done at 11:11:15.01, Thu 11/05/2009
Run from C:\Documents and Settings\Compaq_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
::1 localhost
91.212.127.226 winguard-2009.com
91.212.127.226 www.winguard-2009.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AA5D9E02-B4FE-4F6F-896B-8DEF1158733B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AA5D9E02-B4FE-4F6F-896B-8DEF1158733B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AA5D9E02-B4FE-4F6F-896B-8DEF1158733B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK.2

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Here's the Combofix log

ComboFix 09-11-04.05 - Compaq_Administrator 11/05/2009 13:36.5.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.754 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\ps2.bat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 16:08 . 2009-11-05 16:08 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-11-05 16:08 . 2009-11-05 16:08 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-05 16:06 . 2009-11-05 16:06 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-05 05:50 . 2009-11-05 05:50 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ryrlcb
2009-11-03 17:11 . 2009-11-03 17:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-23 18:05 . 2009-10-23 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-23 18:04 . 2009-05-26 23:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-10-16 01:58 . 2009-10-16 01:58 152576 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-09 22:44 . 2008-06-18 15:49 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2009-10-09 22:40 . 2009-10-09 23:17 -------- d-----w- C:\Netgear

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 16:27 . 2009-09-01 01:53 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\FrostWire
2009-11-05 14:54 . 2009-08-12 19:05 117760 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-03 20:29 . 2008-05-14 22:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 17:13 . 2007-04-04 06:21 -------- d-----w- c:\program files\DivX
2009-10-23 18:05 . 2007-03-12 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-10-23 18:05 . 2007-03-12 01:22 -------- d-----w- c:\program files\Yahoo!
2009-10-21 23:39 . 2009-07-21 21:10 -------- d-----w- c:\program files\Pando Networks
2009-10-16 01:58 . 2008-08-14 00:32 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-04 13:18 . 2009-10-02 21:14 -------- d-----w- c:\program files\CamStudio
2009-10-02 02:10 . 2009-10-02 02:10 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-01 23:36 . 2007-05-06 21:18 -------- d-----w- c:\program files\EA Games
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-19 08:53 . 2009-09-18 03:35 -------- d-----w- c:\program files\Shareaza
2009-09-18 03:55 . 2009-09-18 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\20151
2009-09-11 14:18 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 08:00 . 2005-11-11 21:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-09 00:59 . 2005-11-11 21:15 46752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 01:06 . 2005-11-11 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-07 00:58 . 2009-09-07 00:58 -------- d-----w- c:\program files\Avira
2009-09-07 00:58 . 2009-09-07 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-04 21:03 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:23 . 2009-09-01 03:23 0 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-08-29 08:08 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-10 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-12 19:04 . 2009-08-12 19:04 65024 ----a-r- c:\documents and settings\Compaq_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-08-12 19:04 . 2009-08-12 19:04 18944 ----a-r- c:\documents and settings\Compaq_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2007-04-04 06:22 . 2007-04-04 06:22 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-04-04 06:22 . 2007-04-04 06:22 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-04-04 06:22 . 2007-04-04 06:22 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-03 2000112]
"rkgfwqui"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ryrlcb\lirosysguard.exe" [2009-11-05 258048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"rkgfwqui"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ryrlcb\lirosysguard.exe" [2009-11-05 258048]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-7-16 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-03 20:29 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/6/2009 7:58 PM 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Lookup on CD - c:\ahd4withthesaurus\ahd.htm
DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flyword.com/loaderword_win.cab
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\rt2f8rrc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ffsearch.net/
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-svchost3 - c:\windows\svchost3.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-546570435-3270648620-3361626676-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-05 13:44
ComboFix-quarantined-files.txt 2009-11-05 18:43
ComboFix2.txt 2009-08-22 20:59

Pre-Run: 108,660,367,360 bytes free
Post-Run: 109,951,930,368 bytes free

Post #254819

RichieUK

Posted 11/5/2009 2:37 PM

Senior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 35,658, Visits: 54,734

Copy and paste ALL the following text in the code box below into Notepad.
Click on Start/All Programs/Accessories/Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

KILLALL::

Folder::
c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ryrlcb

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rkgfwqui"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rkgfwqui"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

___________________________________________________________

Post #254822

« Prev Topic | Next Topic »

All times are GMT -6:00, Time now is 8:00am