
could you please check the hjt log

evilfantasy:
Never mind Harry I was reading the date wrong. ::)

But you did run it multiple times. Were there any errors the first 2 times it ran?

harry 48:
Kevin, I only ran it once. This PC is very, very slow. Anything else I can do? Harry

evilfantasy:
Wait for SuperDave to continue. He will either have you run more scans or clear you in this forum and send you to the Windows forum.

SuperDave:
Hello Harry. Sorry for the delay. We had a large snow storm last night and today. What makes you think that you have the Virus:Win32/Induc.A ?

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C


--- Code: ---
KillAll::

SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}

File::
c:\windows\popcinfo.dat


--- End code ---

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

=================================
ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

harry 48:
Dave, after this combo scan the PC is 100% faster, and add and remove is working again and Windows does not stall. Any more checks, I'll do any you want to make sure it's clear. I feel it could still be a bit faster.

But there are a lot of files and leftovers from web sites/downloads from way back. I thought I took them out; I searched for them and cannot find them. Any ideas?




ComboFix 10-02-27.04 - harold mullan 28/02/2010  14:01:10.4.1 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.1247.792 [GMT 0:00]
Running from: c:\documents and settings\harold mullan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\harold mullan\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\popcinfo.dat"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfo.dat

.
(((((((((((((((((((((((((   Files Created from 2010-01-28 to 2010-02-28  )))))))))))))))))))))))))))))))
.

2010-02-28 12:24 . 2010-02-28 12:24   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-02-27 19:30 . 2010-02-27 19:30   --------   d-----w-   c:\program files\Escape from Lost Island
2010-02-27 19:23 . 2010-02-27 19:23   --------   d-----w-   c:\program files\Pathfinders - Lost at Sea
2010-02-26 11:09 . 2010-02-24 09:16   181632   ------w-   c:\windows\system32\MpSigStub.exe
2010-02-26 10:58 . 2010-02-26 10:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Birdstep Technology
2010-02-26 10:52 . 2010-02-26 10:52   --------   d-----w-   c:\documents and settings\harold mullan\Local Settings\Application Data\PCHealth
2010-02-26 10:52 . 2010-02-26 10:52   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-02-26 10:52 . 2010-02-26 10:52   --------   d-----w-   c:\program files\Microsoft Security Essentials
2010-02-23 23:50 . 2010-02-23 23:50   16312832   ----a-w-   c:\documents and settings\harold mullan\Application Data\Folding@home-x86\FahCore_b4.exe
2010-02-20 14:29 . 2010-02-20 14:29   --------   d-----w-   c:\program files\Romancing the Seven Wonders - Taj Mahal
2010-02-19 19:00 . 2010-02-19 19:00   --------   d-----w-   c:\program files\The Tarot's Misfortune
2010-02-18 22:49 . 2010-02-18 22:49   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\BigFishGames
2010-02-18 16:15 . 2010-02-18 16:15   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\GameMill
2010-02-18 16:15 . 2010-02-18 16:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\GameMill
2010-02-17 23:57 . 2010-02-17 23:57   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\LaJangada
2010-02-04 16:09 . 2010-02-04 16:09   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-01 23:37 . 2010-02-01 23:37   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Gestalt Games
2010-02-01 23:30 . 2010-02-01 23:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Million

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:23 . 2009-08-06 21:16   117760   ----a-w-   c:\documents and settings\harold mullan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-25 23:55 . 2010-01-25 23:55   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\SevenSails
2010-01-24 23:25 . 2010-01-24 23:25   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Valusoft
2010-01-24 23:25 . 2010-01-24 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Valusoft
2010-01-24 23:22 . 2010-01-24 23:22   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Green Clover Games
2010-01-24 23:22 . 2010-01-24 23:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Green Clover Games
2010-01-24 19:59 . 2010-01-24 19:59   --------   d-----w-   c:\program files\World Poker Championship
2010-01-23 21:26 . 2010-01-23 21:26   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\WhatPulse
2010-01-18 20:07 . 2008-04-22 21:52   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-17 22:34 . 2010-01-17 22:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-17 22:33 . 2010-01-17 22:33   --------   d-----w-   c:\program files\Bonjour
2010-01-17 22:32 . 2010-01-17 22:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-17 22:31 . 2010-01-17 22:31   --------   d-----w-   c:\program files\Apple Software Update
2010-01-17 22:30 . 2010-01-17 22:30   --------   d-----w-   c:\program files\Common Files\Apple
2010-01-17 22:30 . 2010-01-17 22:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
2010-01-17 18:48 . 2009-12-31 19:29   52224   ----a-w-   c:\documents and settings\harold mullan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-15 23:22 . 2010-01-15 23:22   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Gold Casual Games
2010-01-14 19:36 . 2010-01-14 19:36   --------   d-----w-   c:\program files\SpongeBob SquarePants Diner Dash
2010-01-14 19:12 . 2010-01-14 19:12   1245321   ----a-w-   c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_DinerDash\IAF.dll
2010-01-14 19:12 . 2010-01-14 19:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\NeoEdge Networks
2010-01-14 19:12 . 2010-01-14 19:12   --------   d-----w-   c:\program files\Yahoo! Games
2010-01-12 23:08 . 2010-01-12 23:08   --------   d-----w-   c:\program files\Microsoft DirectX SDK (August 2009)
2010-01-12 23:07 . 2010-01-12 23:07   93512   ----a-w-   c:\windows\dxsdkuninst.exe
2010-01-10 00:11 . 2010-01-10 00:11   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\BrokenHearts
2010-01-10 00:10 . 2010-01-10 00:10   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Dragon Altar Games
2010-01-07 16:07 . 2008-07-24 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2008-05-08 23:56   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-06 20:07 . 2010-01-06 20:07   143264   ----a-w-   c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\pathfinders-lost-at-sea_s1_l1_gF5511T1L1_d806392778[1].exe
2010-01-06 20:07 . 2010-01-06 20:07   143264   ----a-w-   c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\escape-from-lost-island_s1_l1_gF5415T1L1_d806394967[1].exe
2010-01-05 10:00 . 2006-06-23 11:33   832512   ------w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-14 15:14   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-23 09:02   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-01-03 18:43 . 2010-01-03 18:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\IncrediMail
2010-01-02 23:07 . 2010-01-02 23:07   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Virtual City
2010-01-01 23:21 . 2010-01-01 23:20   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Friday's games
2009-12-31 16:50 . 2002-09-23 09:04   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-17 17:14 . 2008-10-30 19:51   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-08-30 14:29   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-23 09:02   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-23 09:03   2189184   ------w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04   2066048   ------w-   c:\windows\system32\ntkrnlpa.exe
2009-12-07 21:08 . 2009-05-12 23:28   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2002-09-23 09:03   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"EPSON Stylus Photo RX520 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE" [2005-04-07 98304]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2009-11-24 2156816]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\harold mullan\Start Menu\Programs\Startup\
[email protected] - c:\documents and settings\harold mullan\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe [2009-5-7 98477]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPASTATUS]
2003-02-26 16:18   620032   ------w-   c:\program files\Internet Explorer\Connection Wizard\status.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-07 18:49   1830128   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15   15872   ----a-w-   c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\dpnsvr.exe"=
"c:\\WINDOWS\\System32\\dxdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/07/2009 10:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/07/2009 10:53 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [17/02/2009 20:08 55152]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [12/03/2009 10:44 184968]
S2 gupdate1c99aa9e4bae958;Google Update Service (gupdate1c99aa9e4bae958);c:\program files\Google\Update\GoogleUpdate.exe [01/03/2009 20:11 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/07/2009 10:53 7408]
S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-11-26 13:48]

2010-02-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-btbb_McciTrayApp - c:\program files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
AddRemove-Belarc Advisor - c:\progra~1\BELARC\ADVISOR\Uninstall.exe
AddRemove-FileHippo.com - c:\program files\FileHippo.com\uninstall.exe
AddRemove-Popims Animator - c:\program files\Popims\Popims Animator\Uninstall.exe
AddRemove-SeaMonkey (2.0.1) - c:\program files\SeaMonkey\uninstall\helper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 14:10
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2485982703-2457388570-1893012673-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3688)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Folding@home\Folding@home-x86\[email protected]
c:\documents and settings\harold mullan\Application Data\Folding@home-x86\FahCore_b4.exe
.
**************************************************************************
.
Completion time: 2010-02-28  14:15:43 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-28 14:15

Pre-Run: 52,976,222,208 bytes free
Post-Run: 52,965,736,448 bytes free

- - End Of File - - 5D0FFFEF5FCCAF67F5B48D2ED74AFABC


=========================================================

eset log

C:\Program Files\Unlocker\eBay_shortcuts_1016.exe   a variant of Win32/Adware.ADON application   deleted - quarantined
C:\System Volume Information\_restore{FEBF2BE2-A46D-4646-946A-2838EA56B6CA}\RP881\A0197225.exe   a variant of Win32/Adware.ADON application   deleted - quarantined
