Can someone check this for me?

I've spent all night trying to get rid of the System Tool virus. Here's my malware log, thanks in advance.

Malwarebytes' Anti-Malware 1.46
https://www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/02/2011 02:23:03
mbam-log-2011-02-28 (02-23-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 180861
Time elapsed: 56 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lindsey\My Documents\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
BABY SOPHIE BORN 14/08/08
Matthew born 09/07/2001 (7 weeks prem)
Cross Stitch Cafe member No:37
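A parser for the Malwarebytes' Anti-Malware 1.x log layout quoted above, added here as an example; it is not code from the forum post or from Malwarebytes. It reads the header, the summary counts and the per-category sections, cross-checks each summary count against the items actually listed, and picks out detections whose action is not a completed quarantine-and-delete (for instance "Delete on reboot", which means the removal is not finished until the machine restarts). SAMPLE_LOG is a constructed excerpt in that layout; its file paths and the second detection are invented for the example.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example: not code from the forum post or from Malwarebytes. The layout
follows the logs quoted in the thread (header, summary counts, then one
section per category). SAMPLE_LOG is a constructed excerpt in that layout;
its paths and the second detection are invented for the example.
"""
import re

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
https://www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/02/2011 02:23:03
mbam-log-2011-02-28 (02-23-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 180861
Time elapsed: 56 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\My Documents\downloads\setup_tool.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\dropper.tmp (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
"""

CATEGORIES = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
)
HEADER_KEYS = ("Database version", "Scan type", "Objects scanned", "Time elapsed")
DONE = "Quarantined and deleted successfully"

# One detection line: "<path> (<detection>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {"header": {...}, "summary": {category: count}, "items": {category: [...]}}."""
    header, summary, items = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            header["Program version"] = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Windows "):
            header["OS"] = line
            continue
        # Section headings are a category name followed by a bare colon.
        if line.endswith(":") and line[:-1] in CATEGORIES:
            section = line[:-1]
            items.setdefault(section, [])
            continue
        key, sep, value = line.partition(": ")
        if sep and key in HEADER_KEYS:
            header[key] = value
        elif sep and key in CATEGORIES and section is None and value.isdigit():
            summary[key] = int(value)          # the summary block precedes the sections
        elif section is not None and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            items[section].append(
                m.groupdict() if m else {"path": line, "detection": None, "action": None}
            )
    return {"header": header, "summary": summary, "items": items}


def count_mismatches(parsed):
    """Categories whose summary count disagrees with the items actually listed."""
    return {
        cat: (count, len(parsed["items"].get(cat, [])))
        for cat, count in parsed["summary"].items()
        if count != len(parsed["items"].get(cat, []))
    }


def pending_items(parsed):
    """Detections whose action was not a completed quarantine-and-delete."""
    return [it for sec in parsed["items"].values() for it in sec if it["action"] != DONE]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print(result["header"], result["summary"])
    for item in pending_items(result):
        print("still pending:", item["path"], "->", item["action"])
```

Feed it the text of a real mbam-log file with `parse_mbam_log(open(path).read())`; a non-empty `pending_items` result is the cue to reboot and rescan before calling the machine clean.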

Comments

  • d123
    d123 Posts: 8,720 Forumite
    It looks ok, but did you log in using safe mode to run the scan? And while in safe mode it's a good idea to clear Internet cache and your temp folder in case the virus is hiding in there.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    It's WAY out of date

    UPDATE and run another FULL scan
    :idea:
  • Here is my new scan, run in safe mode


    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 5900

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    28/02/2011 11:58:56
    mbam-log-2011-02-28 (11-58-56).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 198313
    Time elapsed: 1 hour(s), 23 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Lindsey\application data\Sun\Java\deployment\cache\6.0\25\582900d9-1f5782a1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-1029620712-1778521561-3295535292-1008\Dc168\bkfejhc06308.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    I have removed the 2 trojans at the bottom; do I need to do anything else? Thanks for all the help.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Download HostsXpert (US MIRROR)
    http://www.softpedia.com/progDownload/Hoster-Download-27041.html
    and then follow the below steps.

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * click the Make Writeable? button.
    * click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

    ....................................................................................


    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
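The hosts-file step above restores the Microsoft default because malware commonly edits that file to block or redirect security vendor and update sites. The script below is an added example, not code from the thread or from HostsXpert: it keeps the two stock localhost lines, classifies every other mapping as blackholed (loopback or 0.0.0.0) or redirected (any other address), and flags names under suffixes you choose to watch. SAMPLE_HOSTS and its .test domains are constructed for the example; on a real Windows machine the file is read from %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Audit a Windows hosts file for entries that block or redirect names.

Added example, not code from the forum thread or from HostsXpert. The stock
Microsoft hosts file maps only "localhost"; every other line is something a
person or a program added, so each one is listed with how it affects lookups.
SAMPLE_HOSTS is a constructed file for this example, not the poster's.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# constructed entries below, the kind an infection leaves behind
127.0.0.1       www.example-av-vendor.test   # site made unreachable
10.0.0.5        update.example-av-vendor.test
127.0.0.1       intranet.example.test
"""

# The only mappings present in the default Microsoft hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (line_number, address, hostname) for every active mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not an IP
        for name in fields[1:]:                   # one line may list several names
            entries.append((lineno, str(addr), name.lower()))
    return entries


def audit_hosts(text, watch_suffixes=()):
    """List every non-default mapping and classify what it does to lookups.

    watch_suffixes: domain suffixes (e.g. your AV vendor's) whose presence in
    the file is the most telling sign of tampering; those findings get
    watched=True.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if (addr, name) in DEFAULT_ENTRIES:
            continue
        ip = ipaddress.ip_address(addr)
        # Loopback or 0.0.0.0 makes the name resolve to nowhere useful;
        # anything else silently sends traffic to a different host.
        kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({
            "line": lineno,
            "name": name,
            "address": addr,
            "kind": kind,
            "watched": any(name.endswith(s) for s in watch_suffixes),
        })
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watch_suffixes=("example-av-vendor.test",)):
        flag = "!!" if f["watched"] else "  "
        print(f"{flag} line {f['line']}: {f['name']} -> {f['address']} ({f['kind']})")
```

To audit the live file, pass `open(r"C:\Windows\System32\drivers\etc\hosts").read()` instead of SAMPLE_HOSTS and list your own AV and OS update domains as the watched suffixes; an empty result means the file holds nothing beyond the Microsoft defaults.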
  • ComboFix 11-02-28.01 - Lindsey 28/02/2011 18:25:59.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.398 [GMT 0:00]
    Running from: c:\documents and settings\Lindsey\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Lindsey\Recent\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
    .

    2011-02-28 16:21 . 2011-02-28 16:22 d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-02-28 12:04 . 2011-02-28 12:04 d-----w- c:\windows\LastGood
    2011-02-28 09:28 . 2011-02-28 09:28 d-sh--w- c:\documents and settings\Lindsey\IECompatCache
    2011-02-28 09:22 . 2011-02-02 21:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-02-28 09:22 . 2011-02-02 21:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-28 09:20 . 2011-02-28 09:20 d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-02-28 02:26 . 2011-02-28 02:26 d-sh--w- c:\documents and settings\Lindsey\IETldCache
    2011-02-28 01:32 . 2011-02-28 01:38 dc-h--w- c:\windows\ie8
    2011-02-28 01:21 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2011-02-28 01:21 . 2010-12-20 23:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-02-28 01:21 . 2010-12-20 23:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-02-28 01:21 . 2010-12-20 23:59 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-02-27 21:43 . 2011-02-27 21:43 d-----w- c:\documents and settings\Administrator
    2011-02-27 16:45 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 15:04 . 2010-09-08 07:07 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-03-25 10:34 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 14:56 . 2010-03-25 10:34 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-03-25 10:34 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-03-25 10:34 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-23 14:55 . 2010-03-25 10:34 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-23 14:55 . 2010-03-25 10:34 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:54 . 2010-03-25 10:34 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-23 14:54 . 2010-03-25 10:34 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-02 19:19 . 2009-11-21 22:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2009-04-02 00:30 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2009-04-02 00:30 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2009-04-02 00:30 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2009-04-02 00:30 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2009-04-02 00:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2009-04-02 00:30 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2009-04-02 00:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 18:09 . 2010-03-23 21:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-03-23 21:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 17:26 . 2009-04-02 00:30 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2009-04-02 00:30 385024 ------w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2009-04-02 00:30 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2009-04-02 00:30 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2009-04-02 00:30 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
    "EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
    "DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
    "BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
    "MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
    "MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]
    "SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2010-04-20 300912]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=

    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [27/02/2011 16:45 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [25/03/2010 10:34 301528]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25/03/2010 10:34 19544]
    R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/04/2009 01:54 4300]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [04/11/2008 03:39 14336]
    R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [02/04/2009 00:30 14336]
    R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 03:01 30208]
    R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [21/05/2009 13:14 91776]
    R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [21/05/2009 13:14 14976]
    R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [21/05/2009 13:14 119808]
    R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [21/05/2009 13:14 98560]
    R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/04/2009 01:58 238464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/03/2010 10:34 133104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    yksvcs REG_MULTI_SZ yksvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 10:34]

    2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 10:34]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.facebook.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Lindsey\Application Data\Mozilla\Firefox\Profiles\a17oi3ak.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-28 18:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Looks clean to me

    Does it seem ok now?
    :idea:
  • Yeah, I think so. The service tool pop-up has gone now and it's not got the symbol on the bottom bar anymore, so I'm hoping it's gone. Thanks a lot for helping.