
Worm in c:\windows\system32\user32.dll - help needed!!!

Comments

  • 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:
    FCopy::
    c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.DLL
    Save this as CFScript.txt, in the same location as ComboFix.exe


    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • aliEnRIK Posts: 17,741 Forumite
    I think 'glary' does the same job reluctant
  • I did not know that - OP, stick with Rik's suggestion for the time being.
  • aliEnRIK Posts: 17,741 Forumite
    According to the software
    SYSTEM FILE CHECKER ~
    Scan all protected files to verify their versions. If a protected file has been overwritten, it replaces the incorrect file with the correct version from the cache folder

    Now I can't say I've ever actually tried it before, but it's supposed to be safe as houses to use. So my plan was to run it, then scan with Avira, which 'should' flag it up if it was still infected.
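Both the FCopy:: script in the first post and the System File Checker description above rest on the same check: the live copy of a protected file should be identical to the cached copy kept under ServicePackFiles. As an added example (not code from the thread, from ComboFix or from Windows), here is a small Python script that hashes both copies, reports whether and how they differ, and confirms both are PE images before trusting the comparison. The two paths are the ones named in the thread and are assumed to exist on the XP machine; the script only reports and never overwrites anything.

```python
"""Compare a Windows system file with its ServicePackFiles cache copy (report only)."""
import hashlib
from typing import Dict

# Assumed locations, taken from the paths used in the thread.
SYSTEM_FILE = r"C:\Windows\system32\user32.dll"
CACHE_FILE = r"C:\Windows\ServicePackFiles\i386\user32.dll"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe_image(data: bytes) -> bool:
    """Sanity check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def compare_images(system_bytes: bytes, cache_bytes: bytes) -> Dict[str, object]:
    """Pure comparison on file contents, so it can be exercised offline."""
    sys_digest = sha256_bytes(system_bytes)
    cache_digest = sha256_bytes(cache_bytes)
    result: Dict[str, object] = {
        "system_sha256": sys_digest,
        "cache_sha256": cache_digest,
        "system_size": len(system_bytes),
        "cache_size": len(cache_bytes),
        "both_pe": is_pe_image(system_bytes) and is_pe_image(cache_bytes),
        "match": sys_digest == cache_digest,
    }
    # A size difference is the quickest tell of a replaced DLL; the same size
    # with a different hash points at in-place modification of the file.
    if not result["match"]:
        result["reason"] = ("size differs" if len(system_bytes) != len(cache_bytes)
                            else "same size, contents differ (in-place modification)")
    return result


def check_against_cache(system_path: str = SYSTEM_FILE,
                        cache_path: str = CACHE_FILE) -> Dict[str, object]:
    """Read both files from disk and compare them."""
    with open(system_path, "rb") as f:
        system_bytes = f.read()
    with open(cache_path, "rb") as f:
        cache_bytes = f.read()
    return compare_images(system_bytes, cache_bytes)


if __name__ == "__main__":
    for key, value in check_against_cache().items():
        print(f"{key}: {value}")
```

If the two hashes match, FCopy:: would copy an identical file over itself and change nothing; if they differ, the report says whether the live file was swapped for one of another size or altered in place, which is worth keeping alongside the scanner logs before any repair is run.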
  • Sounds like a good plan to me.
  • willsonline Posts: 164 Forumite
    OK, I've used Avira as requested above, full system scan, and here is the log:


    Avira AntiVir Personal
    Report file date: 12 April 2009 13:20

    Scanning for 1347111 virus strains and unwanted programs.
    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : WILL-AMILOA1650

    Version information:
    BUILD.DAT : 9.0.0.387 17962 Bytes 24/03/2009 11:04:00
    AVSCAN.EXE : 9.0.3.3 464641 Bytes 24/02/2009 11:13:26
    AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 09:58:24
    LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 10:35:49
    LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 09:58:52
    ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 11:30:36
    ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 19:33:26
    ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 01/04/2009 12:19:10
    ANTIVIR3.VDF : 7.1.3.42 169984 Bytes 11/04/2009 12:19:11
    Engineversion : 8.2.0.138
    AEVDF.DLL : 8.1.1.0 106868 Bytes 27/01/2009 16:36:42
    AESCRIPT.DLL : 8.1.1.73 373114 Bytes 12/04/2009 12:19:21
    AESCN.DLL : 8.1.1.10 127348 Bytes 12/04/2009 12:19:20
    AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 17:24:41
    AEPACK.DLL : 8.1.3.12 397687 Bytes 12/04/2009 12:19:19
    AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26/02/2009 19:01:56
    AEHEUR.DLL : 8.1.0.114 1700214 Bytes 12/04/2009 12:19:18
    AEHELP.DLL : 8.1.2.2 119158 Bytes 26/02/2009 19:01:56
    AEGEN.DLL : 8.1.1.33 340340 Bytes 12/04/2009 12:19:13
    AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 13:32:40
    AECORE.DLL : 8.1.6.7 176502 Bytes 12/04/2009 12:19:12
    AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 13:32:40
    AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
    AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 09:32:15
    AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 13:34:28
    AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 09:32:09
    AVARKT.DLL : 9.0.0.1 292609 Bytes 09/02/2009 06:52:24
    AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 09:37:08
    SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 14:03:49
    SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 07:21:33
    NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 09:32:10
    RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 09/02/2009 10:45:45
    RCTEXT.DLL : 9.0.35.0 87297 Bytes 11/03/2009 14:55:12

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

    Start of the scan: 12 April 2009 13:20
    Starting search for hidden objects.
    '47891' objects were checked, '0' hidden objects were found.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'OdTray.exe' - '1' Module(s) have been scanned
    Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
    Scan process 'WButton.exe' - '1' Module(s) have been scanned
    Scan process 'OSDCtrl.exe' - '1' Module(s) have been scanned
    Scan process 'OSD.exe' - '1' Module(s) have been scanned
    Scan process 'HotkeyApp.exe' - '1' Module(s) have been scanned
    Scan process 'LaunchAp.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
    Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
    Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
    Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
    Scan process 'odClientService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    42 processes with 42 modules were scanned

    Starting master boot sector scan:
    Start scanning boot sectors:
    Starting to scan executable files (registry).
    The registry was scanned ( '72' files ).


    Starting the file scan:
    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\Documents and Settings\Will\Desktop\ComboFix.exe
    [0] Archive type: RAR SFX (self extracting)
    --> 32788R22FWJFW\psexec.cfexe
    [1] Archive type: RSRC
    --> Object
    [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
    C:\Documents and Settings\Will\My Documents\Personal\carradiodecoders.zip
    [0] Archive type: ZIP
    --> decoders/BPcalc v1[1].0 .exe
    [DETECTION] Is the TR/Drop.Small.GN.1 Trojan
    --> decoders/DAEWOO Serials Calculator 1.00.exe
    [DETECTION] Is the TR/Agent.blfs Trojan
    --> decoders/FORD SOUND 2000 Series Code Decrypter 2.00.exe
    [DETECTION] Contains a recognition pattern of the (harmful) BDS/Delf.nut back-door program
    C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\Data1.cab
    [0] Archive type: CAB (Microsoft)
    --> usa03.ths
    [WARNING] The file could not be written!
    --> MinionPro_Bold.otf
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\chrome\chrome\content\browser.js.vir
    [DETECTION] Is the TR/Agent.DX.1 Trojan
    C:\System Volume Information\_restore{22A5DE9F-39E1-4A11-B8EB-6C502338F862}\RP521\A0044433.el
    [DETECTION] Is the TR/Dropper.Gen Trojan

    Beginning disinfection:
    C:\Documents and Settings\Will\Desktop\ComboFix.exe
    [NOTE] The file was moved to '4a4ee6cc.qua'!
    C:\Documents and Settings\Will\My Documents\Personal\carradiodecoders.zip
    [NOTE] The file was moved to '4a53e6be.qua'!
    C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\chrome\chrome\content\browser.js.vir
    [DETECTION] Is the TR/Agent.DX.1 Trojan
    [NOTE] The file was moved to '4a50e6d0.qua'!
    C:\System Volume Information\_restore{22A5DE9F-39E1-4A11-B8EB-6C502338F862}\RP521\A0044433.el
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to '4a11e68e.qua'!


    End of the scan: 12 April 2009 14:02
    Used time: 41:04 Minute(s)

    The scan has been done completely.
    7238 Scanned directories
    291087 Files were scanned
    6 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    4 Files were moved to quarantine
    0 Files were renamed
    1 Files cannot be scanned
    291080 Files not concerned
    925 Archives were scanned
    4 Warnings
    5 Notes
    47891 Objects were scanned with rootkit scan
    0 Hidden objects were found


    I did click "repair all" at the end...
  • aliEnRIK Posts: 17,741 Forumite
    Did it 'repair' them ok?

    Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
    http://www.filehippo.com/download_ccleaner/
    Run the CLEANER scan (UNTICK 'cookies')
    Then run the REGISTRY scan (Backup the registry when it asks)

    and you're good to go :)
  • willsonline Posts: 164 Forumite
    OK, so I've done this, and how do I know that everything's been removed? What program shall I use to confirm? Cheers
  • aliEnRIK Posts: 17,741 Forumite
    Run another full scan with Avira if you want to double-check everything's fine.
  • willsonline Posts: 164 Forumite
    OK, so I used Avira a second time round to confirm no threats etc. It came up this time with 1 infection (as opposed to 6 last time!!).

    Infection Name:
    APPL/PsExec.E

    Then clicked Repair All, so hopefully it's sorted that out (???). Here's the log...


    Avira AntiVir Personal
    Report file date: 12 April 2009 19:49

    Scanning for 1347111 virus strains and unwanted programs.
    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : WILL-AMILOA1650

    Version information:
    BUILD.DAT : 9.0.0.387 17962 Bytes 24/03/2009 11:04:00
    AVSCAN.EXE : 9.0.3.3 464641 Bytes 24/02/2009 11:13:26
    AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 09:58:24
    LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 10:35:49
    LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 09:58:52
    ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 11:30:36
    ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 19:33:26
    ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 01/04/2009 12:19:10
    ANTIVIR3.VDF : 7.1.3.42 169984 Bytes 11/04/2009 12:19:11
    Engineversion : 8.2.0.138
    AEVDF.DLL : 8.1.1.0 106868 Bytes 27/01/2009 16:36:42
    AESCRIPT.DLL : 8.1.1.73 373114 Bytes 12/04/2009 12:19:21
    AESCN.DLL : 8.1.1.10 127348 Bytes 12/04/2009 12:19:20
    AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 17:24:41
    AEPACK.DLL : 8.1.3.12 397687 Bytes 12/04/2009 12:19:19
    AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26/02/2009 19:01:56
    AEHEUR.DLL : 8.1.0.114 1700214 Bytes 12/04/2009 12:19:18
    AEHELP.DLL : 8.1.2.2 119158 Bytes 26/02/2009 19:01:56
    AEGEN.DLL : 8.1.1.33 340340 Bytes 12/04/2009 12:19:13
    AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 13:32:40
    AECORE.DLL : 8.1.6.7 176502 Bytes 12/04/2009 12:19:12
    AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 13:32:40
    AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
    AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 09:32:15
    AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 13:34:28
    AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 09:32:09
    AVARKT.DLL : 9.0.0.1 292609 Bytes 09/02/2009 06:52:24
    AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 09:37:08
    SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 14:03:49
    SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 07:21:33
    NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 09:32:10
    RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 09/02/2009 10:45:45
    RCTEXT.DLL : 9.0.35.0 87297 Bytes 11/03/2009 14:55:12

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

    Start of the scan: 12 April 2009 19:49
    Starting search for hidden objects.
    '45266' objects were checked, '0' hidden objects were found.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
    Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'OdTray.exe' - '1' Module(s) have been scanned
    Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
    Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
    Scan process 'WButton.exe' - '1' Module(s) have been scanned
    Scan process 'OSDCtrl.exe' - '1' Module(s) have been scanned
    Scan process 'OSD.exe' - '1' Module(s) have been scanned
    Scan process 'HotkeyApp.exe' - '1' Module(s) have been scanned
    Scan process 'LaunchAp.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
    Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
    Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
    Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
    Scan process 'odClientService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    43 processes with 43 modules were scanned

    Starting master boot sector scan:
    Start scanning boot sectors:
    Starting to scan executable files (registry).
    The registry was scanned ( '72' files ).


    Starting the file scan:
    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\Data1.cab
    [0] Archive type: CAB (Microsoft)
    --> usa03.ths
    [WARNING] The file could not be written!
    --> MinionPro_Bold.otf
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    C:\System Volume Information\_restore{22A5DE9F-39E1-4A11-B8EB-6C502338F862}\RP535\A0060082.exe
    [0] Archive type: RAR SFX (self extracting)
    --> 32788R22FWJFW\psexec.cfexe
    [1] Archive type: RSRC
    --> Object
    [DETECTION] Contains recognition pattern of the APPL/PsExec.E application

    Beginning disinfection:
    C:\System Volume Information\_restore{22A5DE9F-39E1-4A11-B8EB-6C502338F862}\RP535\A0060082.exe
    [NOTE] The file was moved to '4a124181.qua'!


    End of the scan: 12 April 2009 20:30
    Used time: 40:52 Minute(s)

    The scan has been done completely.
    6365 Scanned directories
    282997 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    1 Files cannot be scanned
    282995 Files not concerned
    875 Archives were scanned
    4 Warnings
    2 Notes
    45266 Objects were scanned with rootkit scan
    0 Hidden objects were found
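Reading the two Avira reports above by eye means scanning hundreds of lines for the handful of [DETECTION] records, and the disinfection section repeats some of them, so the counts are easy to get wrong. As an added example (not code from the thread or from Avira), here is a Python parser that pulls each detection out of a report in this layout, attaches the archive member it was found in, marks which ones the disinfection pass moved to quarantine, and separates live files from copies sitting in ComboFix's Qoobox quarantine or a System Restore point. The sample report embedded in the block is constructed to follow the same layout as the reports in this thread and is not a real scan; the signature-family table and the location rules are my own assumptions, chosen to match the prefixes (TR/, BDS/, APPL/) that appear in the two reports.

```python
"""Pull the [DETECTION] records out of an Avira AntiVir report and summarise them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample report (assumption: not a real scan, only the layout used by
# the reports quoted in the thread). The disinfection section repeats some
# [DETECTION] lines, which is why the parser keeps track of the section it is in.
SAMPLE_LOG = """\
Starting the file scan:
Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
C:\\Documents and Settings\\User\\Desktop\\ComboFix.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\\psexec.cfexe
[1] Archive type: RSRC
--> Object
[DETECTION] Contains recognition pattern of the APPL/PsExec.E application
C:\\Documents and Settings\\User\\My Documents\\tools.zip
[0] Archive type: ZIP
--> tools/calc.exe
[DETECTION] Is the TR/Drop.Small.GN.1 Trojan
--> tools/decoder.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Delf.nut back-door program
C:\\Qoobox\\Quarantine\\C\\Program Files\\Mozilla Firefox\\chrome\\content\\browser.js.vir
[DETECTION] Is the TR/Agent.DX.1 Trojan
C:\\System Volume Information\\_restore{SAMPLE-GUID}\\RP1\\A0000001.el
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\\Documents and Settings\\User\\Desktop\\ComboFix.exe
[NOTE] The file was moved to 'sample1.qua'!
C:\\Documents and Settings\\User\\My Documents\\tools.zip
[NOTE] The file was moved to 'sample2.qua'!
C:\\Qoobox\\Quarantine\\C\\Program Files\\Mozilla Firefox\\chrome\\content\\browser.js.vir
[DETECTION] Is the TR/Agent.DX.1 Trojan
[NOTE] The file was moved to 'sample3.qua'!
"""

SIG_RE = re.compile(r"\b([A-Z]+/[A-Za-z0-9._-]+)")   # e.g. TR/Agent.DX.1, APPL/PsExec.E
PATH_RE = re.compile(r"^[A-Za-z]:\\")                # a new on-disk path starts a record
QUAR_RE = re.compile(r"\[NOTE\] The file was moved to '")
# Assumed mapping of Avira signature prefixes to families.
FAMILY = {"TR": "trojan", "BDS": "backdoor", "WORM": "worm",
          "APPL": "potentially unwanted application"}


@dataclass
class Detection:
    path: str                  # file the scanner opened on disk
    member: Optional[str]      # archive member inside it, if any
    signature: str             # e.g. "TR/Agent.DX.1"
    quarantined: bool = False  # filled in from the disinfection section

    @property
    def family(self) -> str:
        return FAMILY.get(self.signature.split("/", 1)[0], "unclassified")

    @property
    def location(self) -> str:
        """Distinguish live files from copies that do not run as they sit."""
        low = self.path.lower()
        if "\\qoobox\\quarantine\\" in low:
            return "ComboFix quarantine (.vir)"
        if "\\system volume information\\_restore" in low:
            return "System Restore point"
        return "live file"


def parse_avira_log(text: str) -> List[Detection]:
    found: List[Detection] = []
    disinfecting = False
    path: Optional[str] = None
    member: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection:"):
            disinfecting, path = True, None
        elif PATH_RE.match(line):
            path, member = line, None
        elif line.startswith("-->"):
            member = line[3:].strip()
        elif line.startswith("[DETECTION]") and path and not disinfecting:
            sig = SIG_RE.search(line)
            if sig:
                found.append(Detection(path, member, sig.group(1)))
        elif disinfecting and path and QUAR_RE.search(line):
            for d in found:            # the whole container file was quarantined
                if d.path == path:
                    d.quarantined = True
    return found


def summarize(found: List[Detection]) -> Dict[str, int]:
    """Counts per family, plus how many hits were real malware on live files."""
    summary: Dict[str, int] = {"detections": len(found), "quarantined": 0, "live_malware": 0}
    for d in found:
        summary[d.family] = summary.get(d.family, 0) + 1
        summary["quarantined"] += int(d.quarantined)
        if d.location == "live file" and d.family != "potentially unwanted application":
            summary["live_malware"] += 1
    return summary
```

Run against the reports in this thread, the APPL/PsExec.E hits land on psexec.cfexe inside ComboFix's own RAR SFX (first on the desktop copy, then on a copy saved into a restore point), so the parser files them under potentially unwanted application rather than malware, and the remaining trojan and backdoor hits are split between the carradiodecoders.zip archive, a file already in the Qoobox quarantine and a restore-point copy.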
This discussion has been closed.