Help: Avira found 2 viruses, BOO/Sinowal.F, & can't quarantine or delete
Have you lost all your pics?
c:\documents and settings\David\My Documents\Egypt Aug 2010 Pat & Jen \P1020577.JPG
Not sure about user accounts. Give it a run on the other if you wish.
On the plus side, no rootkits on your main drive
As for Malwarebytes, I'd attempt to uninstall and reinstall (or install over the top).
Thanks, what a relief, at least I don't have to reformat anything!
As far as the photos are concerned, not sure; my husband doesn't know either, but unfortunately isn't too good at remembering the order we have chosen to save photos in and under what folder, so occasionally they end up in odd places. Fortunately I have the same photos on my laptop, so no worry!
Being essentially bone idle, I will try and install over the top.
Many thanks once again, you've saved me a lot of hassle.
Just tried to run ComboFix on my husband's account and it won't let me; it can only run through the Administrator. Not sure how to do this from another account. Online research suggests using 'Run as' (there is no 'Run as administrator' option as on Vista), but I tried that: it all starts to load, but then I get a message that it can't run as it needs administrator rights. Same with Malwarebytes!
Just installed Malwarebytes over the top on Administrator; all it does is update the current settings. The update button on the user accounts is still greyed out.
Whilst pressing the SHIFT key, RIGHT CLICK and 'Run as' should be there as an option.
I managed to get Hubby's account scanned with ComboFix; the scan results are below.
ComboFix 11-02-10.01 - dave 11/02/2011 14:21:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.2114 [GMT 0:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 )))))))))))))))))))))))))))))))
.
2011-02-07 20:20 . 2011-02-07 20:20 d-----w- c:\documents and settings\LocalService\Application Data\Avira
2011-02-07 15:56 . 2011-02-07 15:56 d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2011-02-07 15:25 . 2011-02-07 15:25
d-sh--w- c:\documents and settings\dave\IECompatCache
2011-02-07 13:40 . 2011-02-07 13:40 388096 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-07 13:37 . 2011-02-07 13:37 388096 ----a-r- c:\documents and settings\dave\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-07 13:37 . 2011-02-07 13:37 d-----w- c:\program files\Trend Micro
2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 20:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 20:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-29 20:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 20:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2002-08-29 20:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 20:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 20:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2010-06-05 18:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-06-05 18:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2002-08-29 20:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 14:08 . 2010-06-05 19:11 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-20 12:55 . 2010-05-01 11:08 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-08-29 20:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-29 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2002-08-29 20:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-23 17:09 . 2010-06-05 19:11 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-18 18:12 . 2010-04-28 13:15 81920 ----a-w- c:\windows\system32\isign32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-07 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-9 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-4-28 24576]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/06/2010 19:11 135336]
R2 MSSQL$EONENERGYFIT;SQL Server (EONENERGYFIT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 03:27 29262680]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/05/2010 08:51 135664]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [30/07/2006 20:44 580992]
.
Contents of the 'Scheduled Tasks' folder
2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 08:51]
2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 08:51]
2011-02-11 c:\windows\Tasks\User_Feed_Synchronization-{641B0FA3-0B2D-47FD-8A6C-9EC92677A571}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
Supplementary Scan
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-11 14:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Ótжþ* ]
"DisplayName"=""
"DeviceDesc"=""
"ProviderName"=""
"MFG"="?????"
"ReinstallString"="??\01"
"DeviceInstanceIds"=multi:"n\\download\\install\\driver\\2kxp_inf\\cx_19641.inf\00"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(1508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
- - - - - - - > 'explorer.exe'(888)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-02-11 14:27:19
ComboFix-quarantined-files.txt 2011-02-11 14:27
ComboFix2.txt 2011-02-09 13:48
Pre-Run: 134,419,148,800 bytes free
Post-Run: 134,547,562,496 bytes free
- - End Of File - - B3518B04376556DAC508FE8ECF631DF1
Not sure if it's the same as the one on Administrator; at a quick glance it looks different. Will await your check with fingers xxx!
Also updated Malwarebytes over the one on Husband's desktop; the update worked OK, but the update button is still greyed out, so I guess it's uninstall and re-install.
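The ComboFix report above lists the machine's launch points (Run keys, services, scheduled tasks), which is what a helper reads by eye looking for a binary in an odd location. As an added example, not code from this thread or from ComboFix itself, the Python below parses the Run-key and service lines of that report format and flags any launch point whose binary sits outside Windows or Program Files, or that borrows a core system binary's name while living outside system32. The sample report is constructed for the example: the first entries mirror lines from the log above, and the "updater" entry is invented to show a hit, not something found on the poster's machine. The list of system-only names is an illustrative assumption, not a complete one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ComboFix's report format. The "updater" line is an
# invented suspicious entry for illustration; it was not in the poster's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-07 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"updater"="c:\documents and settings\dave\Application Data\svchost.exe" [2011-02-07 38912]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/06/2010 19:11 135336]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [30/07/2006 20:44 580992]
"""

# Directories where legitimately installed software normally lives on XP.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Assumption: a short illustrative list of names that should only ever run
# from %windir%\system32, not an exhaustive one.
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

HIVE_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[\d{4}-\d{2}-\d{2} \d+\]$')
# R2 ShortName;Display Name;path [DD/MM/YYYY HH:MM size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[\d{2}/\d{2}/\d{4} \d{2}:\d{2} \d+\]$"
)


@dataclass
class LaunchPoint:
    kind: str             # "run" or "service"
    container: str        # registry key for Run values, short name for services
    name: str
    path: str
    reason: Optional[str] = None  # None when nothing looked wrong


def judge(path: str) -> Optional[str]:
    """Return a reason string if the binary's location is suspicious, else None."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_ONLY_NAMES and not low.startswith("c:\\windows\\system32\\"):
        return "system binary name outside system32"
    if not low.startswith(TRUSTED_PREFIXES):
        return "binary outside Windows/Program Files"
    return None


def parse_combofix(text: str) -> List[LaunchPoint]:
    """Extract Run-key values and service lines from a ComboFix report."""
    entries: List[LaunchPoint] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            current_key = m.group(1)   # subsequent "name"="path" lines belong here
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            path = m.group("path")
            entries.append(LaunchPoint("run", current_key, m.group("name"), path, judge(path)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path")
            entries.append(LaunchPoint("service", m.group("svc"), m.group("display"), path, judge(path)))
    return entries


def flagged(entries: List[LaunchPoint]) -> List[LaunchPoint]:
    """Only the launch points that judge() found a reason to question."""
    return [e for e in entries if e.reason]


if __name__ == "__main__":
    for e in parse_combofix(SAMPLE_LOG):
        mark = "!!" if e.reason else "ok"
        print(f"{mark} {e.kind:7} {e.name:28} {e.path}  {e.reason or ''}")
```

A hit from this script is a reason to look closer (file hash, signer, creation time), not a verdict; plenty of legitimate updaters also run from a user profile, which is why the reason text is kept alongside the entry rather than collapsed into a boolean.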
Right-click on the Malwarebytes' Anti-Malware shortcut and select Run as administrator, then you'll be able to use the Check for Updates button.