
help to completely remove virus please

Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Did you fix those I posted in post #10? That bold one needs doing at least.


    Anyway, you're still infected.

    Open notepad and copy/paste the text in RED below

    File::
    c:\windows\Kwajozoqocef.dat
    c:\windows\Pgabutunagec.bin



    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

    .................................................


    Download and run the FREE version of DR WEB
    http://www.freedrweb.com/download+cureit/gr/
    Turn your anti virus OFF
    Click CANCEL to the 'Would you like to read purchase terms now?' message
    Click START click OK
    It will auto QUICK scan
    After that set to scan the WHOLE computer and press the 'play' icon
    ***DO NOT UPGRADE TO FULL VERSION***

    :idea:
  • janeys
    janeys Posts: 424 Forumite
    Part of the Furniture 100 Posts Name Dropper
    I did fix the post as suggested. I removed them from the control panel apart from the Epson toolbar, which I removed with HiJackThis. Here is the report following your last instructions for ComboFix.

    ComboFix 10-01-18.03 - Arthur 19/01/2010 15:06:46.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.895.503 [GMT 0:00]
    Running from: c:\documents and settings\Arthur\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Arthur\My Documents\cfscript.txt
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
    .
    2010-01-19 12:41 . 2010-01-19 12:41 388096 ----a-r- c:\documents and settings\Arthur\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-19 12:41 . 2010-01-19 12:41 d-----w- c:\program files\TrendMicro
    2010-01-19 11:23 . 2010-01-19 11:23 d-----w- c:\documents and settings\Arthur\Application Data\Malwarebytes
    2010-01-19 11:22 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-19 11:22 . 2010-01-19 11:22 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-19 11:22 . 2010-01-19 11:23 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-19 11:22 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-18 17:54 . 2010-01-18 17:55 d-----w- C:\CABS
    2010-01-18 17:54 . 2010-01-18 17:54 d-----w- C:\OEMCUST
    2010-01-18 17:54 . 2010-01-18 17:54 d-----w- C:\FACTONLY
    2010-01-16 12:41 . 2010-01-16 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-16 12:37 . 2010-01-16 12:37 152576 ----a-w- c:\documents and settings\Arthur\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-15 15:34 . 2010-01-15 15:34 d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-01-15 12:25 . 2010-01-19 12:29 120 ----a-w- c:\windows\Kwajozoqocef.dat
    2010-01-15 12:25 . 2010-01-19 10:08 0 ----a-w- c:\windows\Pgabutunagec.bin
    2010-01-14 23:15 . 2010-01-16 12:36 79488 ----a-w- c:\documents and settings\Arthur\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-12 21:23 . 2009-07-28 11:13 303104 ----a-w- c:\windows\Uninstall_tkexe.exe
    2010-01-12 21:22 . 2010-01-13 18:43 d-----w- c:\program files\TKexe
    2010-01-12 17:45 . 2010-01-12 17:45 d-----w- c:\program files\Smilebox
    2010-01-02 13:32 . 2010-01-02 13:32 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
    2010-01-02 13:32 . 2010-01-02 13:32 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
    2010-01-02 13:32 . 2010-01-02 13:32 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
    2010-01-02 13:32 . 2010-01-02 13:32 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
    2010-01-02 13:32 . 2010-01-02 13:32 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
    2010-01-02 13:31 . 2010-01-02 13:31 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
    2010-01-02 13:31 . 2010-01-02 13:31 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
    2010-01-02 13:25 . 2010-01-02 13:25 108059 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-01-02 13:25 . 2010-01-02 13:25 95259 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-01-02 13:23 . 2010-01-19 14:49 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-01-02 13:23 . 2010-01-02 13:23 d-----w- c:\program files\Kaspersky Lab
    2010-01-02 13:20 . 2010-01-02 13:20 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-19 14:49 . 2006-03-08 19:36 d-----w- c:\program files\Yahoo!
    2010-01-19 14:33 . 2009-04-22 13:39 d-----w- c:\program files\TuneUp Utilities 2009
    2010-01-19 14:30 . 2009-08-12 21:47 d-----w- c:\documents and settings\All Users\Application Data\RegCure
    2010-01-19 14:30 . 2009-08-12 21:47 d-----w- c:\program files\RegCure
    2010-01-18 22:30 . 2007-02-08 19:23 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-01-16 12:39 . 2006-06-06 20:38 d-----w- c:\program files\Java
    2010-01-15 13:40 . 2008-05-30 07:54 d-----w- c:\program files\CA Yahoo! Anti-Spy
    2010-01-13 21:32 . 2009-12-12 18:26 d-----w- c:\documents and settings\Arthur\Application Data\MysteryStudio
    2010-01-04 23:58 . 2009-07-17 16:34 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2009-12-12 18:26 . 2009-08-27 21:25 d-----w- c:\program files\Games
    2009-12-06 23:28 . 2009-12-06 23:28 d-----w- c:\documents and settings\Arthur\Application Data\Serif
    2009-11-28 21:32 . 2009-11-28 21:32 d-----w- c:\documents and settings\Arthur\Application Data\SerpentOfIsis
    2009-11-21 15:51 . 2004-08-10 15:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 07:45 . 2004-08-10 15:38 916480 ------w- c:\windows\system32\wininet.dll
    2006-03-22 14:08 . 2006-03-22 14:08 774144 -c--a-w- c:\program files\RngInterstitial.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-01-19_13.47.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-19 14:49 . 2010-01-19 14:49 16384 c:\windows\Temp\Perflib_Perfdata_88.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-16 149280]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "EPSON Stylus Photo RX420 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
    "LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "ACTIVBOARD"=c:\apps\ABoard\ABoard.exe
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    "ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "ATIPTA"=c:\ati technologies\ATI Control Panel\atiptaxx.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 20:18 36880]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13:42 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{08A4182A-EEE2-4F7E-AA6C-CE726000AEDB}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
    mSearch Bar = hxxp://search.blueyonder.co.uk/search/search.jsp
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {0A742471-6B4B-4419-A0B2-68E4A9FF5ACD} - file://c:\activlite_ecdlxp_e\btlocal3.cab
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-19 15:13
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG08.00.00.01WORKSTATION"="DD434AB253FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933FEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667C900C993C7A54B4E0DCC630FB1B867A57EA80EE954778F06E43A64243B0216C6BC1A804FA0FD18FD8C4C0A624B77C50CCE894D75FC19CC75E764E939752CC306A92F8A4EF8F2B2516DB82EE0F5C6A272B7DC871DAE90BD2C71DBE1EB7A8E08CBAC0B9F8592639D657B4E42D4748106D95569079E49D893319093908FEBDE5F42E56E1E007165BDA908BBDC9B4B39DF964BE93C50759D68DD59F4DB8DB2082867791006D8DCBDDD62E8203528C3B302513D8DB8161C41B55FDFDBD1E378A8A98E8D977BC3616AA8A67593AC816BE7A40656F7326EE9595BB8BF96A19E2D130B5E4FA14904CE18316289A0C14192025F0844BE86E5D32E1D3F986B9FE5834D58D1EC415B733AAC6DD487431D15CEE23279B76FB29F0E40A19C0D1242F0731202371B79C2FE7A3FB413D2EE0841F8A080D367065AD514BD74CD4334278A3851DCB212443429AC1A4784D50A6E992F810EE48B77C3D0A28E852564F48D14CF2CA1390C8D880631BDC3E47AEC6489518308CBE22A5A723DCAA749A166D8827E796B96C838BC3F2BDEB1C2B3E61F1005D57B7EAEF9ACAB29409233AC12915D4A44BCE88C18F1920362790375B9F8BE34DEDAC6B4346E04F071E1B0BA7263407FC9F7249F766CD06665E8DDB71CEEBA0BB67BBEBE9D7598E29295E288F79E5D2CFCE58E4C90175FC237B05E7836A3BF7B281A591AEC3C18900F0FC1540736F6240634426317FB374F5CE56438A85C1CB9B553D999CCE344CF811894DF77C2667F3D71AE37AFCD65818A83A3F90304B13F13AADA11DB2D75BBBDD97A729500979732939621F1608C962E67A447CC28F649298547DB2D8017B249E56457224E8A8B28F18FFB6C2EE08F6650422E7F7976D913AEE0D5C8E6A8D5DB2D99DACEB1554114C9072720522CAF87E4ACBC09CE4D3423D5BC622891BB8CE40AB1D245509DDB21BB3986800F4A7E982FE68A4CA3AE63DD0B43E5BC527A0084B59C93A278A1CAADCA3A81F7492EC8D59B4A2D1E92E0347AC5304B669E9D9E12501BF8F318B0B8CCDF7004E208DD20AC7D0144C8603EB66661157FFE14F599955D4360BFC4AF1DC548177D937AEED643070D6E8BF1B341419AD773CFEFE5E84CC37E2EFDB4952C11B33BE1CD70130570D43F5017CF46EBE095309E99956446A84F0AC79845EFE1DEB6C2284A5F0987BDE1C093122A0A944DD62B788D8BFE2E502FF81871F5607E9049614DB65F26FDEC918EE496D1A95C424A298053FCD1E41CF6B08DDBE91703BCC9A3D0B42E544D7028F57431BCE328B13EDEB68539926F9A9D6A9B216A60B7AF75E7B4582D111E714E1EF66605"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(1792)
    c:\windows\system32\Ati2evxx.dll
    - - - - - - - > 'explorer.exe'(1340)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-01-19 15:16:07
    ComboFix-quarantined-files.txt 2010-01-19 15:15
    ComboFix2.txt 2010-01-19 13:52
    Pre-Run: 135,627,218,944 bytes free
    Post-Run: 135,573,925,888 bytes free
    - - End Of File - - 45C29F832104AC09DAB358E531389B7A
  • I have this virus also and the computer won't let me system restore; also PC Guard Virgin never picked it up. Help please, thanks, Claire
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    The files are still there

    Try again, but make sure you call it "CFScript" (with capitals) and make sure you COPY the text in red exactly as posted.
    :idea:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Claire6300 wrote: »
    I have this virus also and the computer won't let me system restore; also PC Guard Virgin never picked it up. Help please, thanks, Claire

    Please start a new thread, Claire, else it gets confusing.


    Download MALWAREBYTES (Click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    UPDATE and FULL scan
    Post the log in your new thread after it's deleted everything.

    Download HIJACK THIS (Click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    reboot
    SCAN and post the log in your new thread so we can see what's running :)

    Also give details of the exact problem you have and how you got it.
    :idea:
  • janeys
    janeys Posts: 424 Forumite
    Part of the Furniture 100 Posts Name Dropper
    Hi, I'm sorry for not doing it properly. I did not realise the importance of capital letters. Here is the latest report, hopefully done correctly.

    ComboFix 10-01-19.01 - Arthur 19/01/2010 20:55:20.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.895.423 [GMT 0:00]
    Running from: c:\documents and settings\Arthur\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Arthur\My Documents\CFScript.txt
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FILE ::
    "c:\windows\Kwajozoqocef.dat"
    "c:\windows\Pgabutunagec.bin"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\Kwajozoqocef.dat
    c:\windows\Pgabutunagec.bin
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
    .
    2010-01-19 15:27 . 2010-01-19 15:27 d-----w- c:\documents and settings\Arthur\DoctorWeb
    2010-01-19 12:41 . 2010-01-19 12:41 388096 ----a-r- c:\documents and settings\Arthur\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-19 12:41 . 2010-01-19 12:41 d-----w- c:\program files\TrendMicro
    2010-01-19 11:23 . 2010-01-19 11:23 d-----w- c:\documents and settings\Arthur\Application Data\Malwarebytes
    2010-01-19 11:22 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-19 11:22 . 2010-01-19 11:22 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-19 11:22 . 2010-01-19 11:23 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-19 11:22 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-18 17:54 . 2010-01-18 17:55 d-----w- C:\CABS
    2010-01-18 17:54 . 2010-01-18 17:54 d-----w- C:\OEMCUST
    2010-01-18 17:54 . 2010-01-18 17:54 d-----w- C:\FACTONLY
    2010-01-16 12:41 . 2010-01-16 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-16 12:37 . 2010-01-16 12:37 152576 ----a-w- c:\documents and settings\Arthur\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-15 15:34 . 2010-01-15 15:34 d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-01-14 23:15 . 2010-01-16 12:36 79488 ----a-w- c:\documents and settings\Arthur\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-12 21:23 . 2009-07-28 11:13 303104 ----a-w- c:\windows\Uninstall_tkexe.exe
    2010-01-12 21:22 . 2010-01-13 18:43 d-----w- c:\program files\TKexe
    2010-01-12 17:45 . 2010-01-12 17:45 d-----w- c:\program files\Smilebox
    2010-01-02 13:32 . 2010-01-02 13:32 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
    2010-01-02 13:32 . 2010-01-02 13:32 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
    2010-01-02 13:32 . 2010-01-02 13:32 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
    2010-01-02 13:32 . 2010-01-02 13:32 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
    2010-01-02 13:32 . 2010-01-02 13:32 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
    2010-01-02 13:31 . 2010-01-02 13:31 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
    2010-01-02 13:31 . 2010-01-02 13:31 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
    2010-01-02 13:25 . 2010-01-02 13:25 108059 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-01-02 13:25 . 2010-01-02 13:25 95259 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-01-02 13:23 . 2010-01-19 16:34 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-01-02 13:23 . 2010-01-02 13:23 d-----w- c:\program files\Kaspersky Lab
    2010-01-02 13:20 . 2010-01-02 13:20 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-19 14:49 . 2006-03-08 19:36 d-----w- c:\program files\Yahoo!
    2010-01-19 14:33 . 2009-04-22 13:39 d-----w- c:\program files\TuneUp Utilities 2009
    2010-01-19 14:30 . 2009-08-12 21:47 d-----w- c:\documents and settings\All Users\Application Data\RegCure
    2010-01-19 14:30 . 2009-08-12 21:47 d-----w- c:\program files\RegCure
    2010-01-18 22:30 . 2007-02-08 19:23 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-01-16 12:39 . 2006-06-06 20:38 d-----w- c:\program files\Java
    2010-01-15 13:40 . 2008-05-30 07:54 d-----w- c:\program files\CA Yahoo! Anti-Spy
    2010-01-13 21:32 . 2009-12-12 18:26 d-----w- c:\documents and settings\Arthur\Application Data\MysteryStudio
    2010-01-04 23:58 . 2009-07-17 16:34 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2009-12-12 18:26 . 2009-08-27 21:25 d-----w- c:\program files\Games
    2009-12-06 23:28 . 2009-12-06 23:28 d-----w- c:\documents and settings\Arthur\Application Data\Serif
    2009-11-28 21:32 . 2009-11-28 21:32 d-----w- c:\documents and settings\Arthur\Application Data\SerpentOfIsis
    2009-11-21 15:51 . 2004-08-10 15:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 07:45 . 2004-08-10 15:38 916480 ------w- c:\windows\system32\wininet.dll
    2006-03-22 14:08 . 2006-03-22 14:08 774144 -c--a-w- c:\program files\RngInterstitial.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-01-19_13.47.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-19 16:22 . 2010-01-19 16:22 16384 c:\windows\Temp\Perflib_Perfdata_524.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-16 149280]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "EPSON Stylus Photo RX420 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
    "LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "ACTIVBOARD"=c:\apps\ABoard\ABoard.exe
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    "ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "ATIPTA"=c:\ati technologies\ATI Control Panel\atiptaxx.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 20:18 36880]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13:42 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
    --- Other Services/Drivers In Memory ---
    *Deregistered* - DwShield000023B9
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{08A4182A-EEE2-4F7E-AA6C-CE726000AEDB}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
    mSearch Bar = hxxp://search.blueyonder.co.uk/search/search.jsp
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {0A742471-6B4B-4419-A0B2-68E4A9FF5ACD} - file://c:\activlite_ecdlxp_e\btlocal3.cab
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-19 21:02
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG08.00.00.01WORKSTATION"="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"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(232)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-01-19 21:05:09
    ComboFix-quarantined-files.txt 2010-01-19 21:04
    ComboFix2.txt 2010-01-19 15:16
    ComboFix3.txt 2010-01-19 13:52
    Pre-Run: 135,281,061,888 bytes free
    Post-Run: 135,297,122,304 bytes free
    - - End Of File - - 51415D73BA9992DE5C4E51335595CFBD
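The log above ends with the sections a responder reads first: the scheduled tasks, the DPF (ActiveX cab) entries under Supplementary Scan, and the catchme rootkit summary. As an added example that is not part of any post in this thread and not ComboFix's own code, the Python script below parses those sections from a constructed log excerpt in the same shape and flags what deserves a second look. The flagging rules (cabs installed from a local path or fetched over plain HTTP, a scheduled task whose target is outside the Windows directory, any hidden file, or a catchme pass that never printed its summary) are my own assumptions, not verdicts from ComboFix or from the helpers in the thread.

```python
"""Triage the tail of a ComboFix log: scheduled tasks, DPF (ActiveX cab) entries
and the catchme hidden-file count. Added example, not ComboFix's own code: the
section headers and line shapes follow the log shown in the thread, SAMPLE_LOG is
a constructed excerpt in that shape, and the rules in triage() are assumptions."""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{08A4182A-EEE2-4F7E-AA6C-CE726000AEDB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
Supplementary Scan
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden files: 0
**************************************************************************
.
"""

SECTION_HEADERS = {
    "Contents of the 'Scheduled Tasks' folder": "tasks",
    "Supplementary Scan": "supplementary",
    "LOCKED REGISTRY KEYS": "locked_keys",
}
TASK_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<job>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[(?P<stamp>[^\]]+)\]$")
DPF_RE = re.compile(r"^DPF:\s+(?P<ident>\{[0-9A-Fa-f-]{36}\}|[^-]+?)\s+-\s+(?P<source>\S+)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Bucket lines by section; the '.' spacers and '****' rules are dropped."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
            continue
        if line.startswith("catchme "):        # GMER's rootkit pass has no header line
            current = "catchme"
        elif line.startswith("Completion time:"):
            current = "footer"
        if line in ("", ".") or line.startswith("*****"):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def refang(url: str) -> str:
    """ComboFix writes hxxp:// so the log cannot be clicked; undo it only for lookups."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_dpf(lines: List[str]) -> List[Dict[str, str]]:
    """DPF lines are ActiveX cabs IE has installed: a CLSID or name, then the source."""
    matches = (DPF_RE.match(line) for line in lines)
    return [{"ident": m.group("ident").strip(), "source": m.group("source")} for m in matches if m]


def parse_tasks(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Pair each .job line with the '- target [timestamp]' line that follows it."""
    tasks: List[Dict[str, Optional[str]]] = []
    for line in lines:
        m = TASK_RE.match(line)
        if m:
            tasks.append({"date": m.group("date"), "job": m.group("job"), "target": None, "stamp": None})
            continue
        m = TARGET_RE.match(line)
        if m and tasks and tasks[-1]["target"] is None:
            tasks[-1]["target"], tasks[-1]["stamp"] = m.group("target"), m.group("stamp")
    return tasks


def hidden_file_count(lines: List[str]) -> Optional[int]:
    """None means catchme never printed its summary, i.e. the scan did not finish."""
    for line in lines:
        m = re.match(r"^hidden files:\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def triage(text: str) -> List[str]:
    """Assumed rules: ActiveX cabs from a local path or plain HTTP, scheduled tasks
    whose target is outside the Windows directory, and any hidden file get flagged."""
    sec = split_sections(text)
    findings: List[str] = []
    for e in parse_dpf(sec.get("supplementary", [])):
        src = e["source"].lower()
        if src.startswith("file://"):
            findings.append(f"DPF {e['ident']}: ActiveX cab installed from local path {e['source']}")
        elif not src.startswith(("hxxps://", "https://")):
            findings.append(f"DPF {e['ident']}: cab fetched over plain HTTP from {refang(e['source'])}")
    for t in parse_tasks(sec.get("tasks", [])):
        if not (t["target"] or "").lower().startswith("c:\\windows\\"):
            findings.append(f"Scheduled task {t['job']} runs {t['target']} outside the Windows directory")
    hidden = hidden_file_count(sec.get("catchme", []))
    if hidden is None:
        findings.append("catchme printed no summary: rootkit scan did not complete")
    elif hidden:
        findings.append(f"catchme reports {hidden} hidden file(s)")
    return findings
```

`triage(SAMPLE_LOG)` returns two findings for the constructed excerpt, both about DPF entries; the scheduled task under c:\windows and the zero hidden-file count produce none. A missing catchme summary is reported as its own finding, because a rootkit scan that never finished is a different situation from one that found nothing, and the two should not be read the same way when deciding whether a machine is clean.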
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    "I'm sorry for not doing it properly. I did not realise the importance of capital letters. Here is the latest report, hopefully done correctly." Don't worry about it. I think I might add that into the text so people know in future though.

    Log looks clean, but you've had a seriously bad trojan infection, so as a secondary precaution I'd advise as follows ~

    Download and run the FREE version of DR WEB
    http://www.freedrweb.com/download+cureit/gr/
    Turn your anti-virus OFF
    Click CANCEL to the 'Would you like to read purchase terms now?' message
    Click START click OK
    It will auto QUICK scan
    After that set to scan the WHOLE computer and press the 'play' icon

    ***DO NOT UPGRADE TO FULL VERSION***
    :idea:
  • janeys wrote: »
    Hi, I hope someone can help me. At the weekend I foolishly opened an email from UPS which was infected with a number of trojans:mad::mad::mad:. I scanned it prior to opening with Kaspersky 2010 and it said no virus detected, so I thought it would be OK to open. Once I tried to open it I realised that there was something wrong with the email and immediately deleted it and told my husband what I had done, as he knows more about computers than me. I immediately ran a full scan on Kaspersky and it told us we had 6 trojans and 5 viruses. My husband has been running various programmes over the weekend, opening up in safe mode and trying to 'talk' to the Kaspersky people to get these viruses removed. He believes that they are now removed as they are no longer showing when he runs a security check on Kaspersky.

    The problem is that we still have a small screen on the computer, a small box in black with large red writing saying

    your system is infected! (underneath this in smaller white letters)
    system has been stopped due to a serious malfunction. spyware activity has been detected. it is recommended to use spyware removal tool to prevent data loss. do not use the computer before all spyware removed

    How do we get rid of this screen, and how can I be sure the computer is free from viruses and safe to use with sensitive bank details when ordering online? Sorry for the long post and thanks in advance for any help. janeys


    OMG - this is exactly what has happened to me this morning - will follow the advice on this thread.
    Wins in 2013 - Jan - Heinz No Noise Ketchup.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    katiejones wrote: »
    OMG - this is exactly what has happened to me this morning - will follow the advice on this thread.

    Please do as post #16
    :idea:
  • janeys
    janeys Posts: 424 Forumite
    Part of the Furniture 100 Posts Name Dropper
    Hi, I have been trying to run freedrweb, as advised, with no success. I tried twice before and the computer would be closed down. I left it scanning while I took the dog for a walk and the computer was needing logged on when I returned. I have tried running it again and have watched the screen and moved my mouse now and then to see if this helps. I now know what happens to the computer though. After about an hour Dr.Web disappears, the screen goes black, and white writing appears saying "A problem has been detected and Windows has been shut down" (there is more writing, about a page full, finishing with something about dumping files). When I log in a window appears saying the system has recovered from a serious error, click for more info
    next window
    a log of error has been created click for more info
    next window
    error signature BCCode 1000007f1 BCP1:00000008. There were more numbers, about 5 I think, then it said something about a log report on c/arthur something. Sorry to be so vague, but if you need the exact numbers and words I can repeat what I have done today tomorrow and write it down exactly.
This discussion has been closed.