
Topic: Virus Removal Help


Jack999 (Topic Starter)

    Virus Removal Help
    « on: September 04, 2010, 07:04:24 AM »
    Hello, need some help from the experts on this forum to remove some viruses from my pc.  I am running Windows XP on a Dell Dimension pc. 

    I have followed closely the post of what to do first before posting a new thread.  Specifically, AV is up to date, firewall is on, updated and ran CCleaner Slim, updated and ran SUPERAntiSpyware, updated and ran Malwarebytes Anti-Malware, updated my Java and finally ran HijackThis.  The SUPERAntiSpyware log is posted below.  Will post the Malwarebytes log and HijackThis log in the next post.

    Any help you can give me would very much be appreciated.  I am still seeing odd behavior by my IE browser, so I am guessing my pc is still infected.

    SUPERAntiSpyware log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/03/2010 at 10:25 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5454
    Trace Rules Database Version: 3266

    Scan type       : Complete Scan
    Total Scan Time : 01:14:55

    Memory items scanned      : 379
    Memory threats detected   : 0
    Registry items scanned    : 5356
    Registry threats detected : 25
    File items scanned        : 60593
    File threats detected     : 84

    Adware.Tracking Cookie
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@realmedia[1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@overture[1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@advertising[2].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@tribalfusion[1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@mediaplex[1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@tacoda[2].txt
       C:\Documents and Settings\Mary Lewis\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mary Lewis\Cookies\mary_lewis@serving-sys[2].txt
       cdn4.specificclick.net [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\P7GELVUX ]
       media.scanscout.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\P7GELVUX ]
       media1.break.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\P7GELVUX ]
       s0.2mdn.net [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\P7GELVUX ]
       secure-us.imrworldwide.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\P7GELVUX ]
       C:\Documents and Settings\LocalService\Cookies\system@247realmedia[1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
       C:\Documents and Settings\LocalService\Cookies\system@adbrite[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@adecn[1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
       C:\Documents and Settings\LocalService\Cookies\system@advertise[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@advertising[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@apmebf[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
       C:\Documents and Settings\LocalService\Cookies\system@burstbeacon[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@burstnet[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@collective-media[1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
       C:\Documents and Settings\LocalService\Cookies\system@doubleclick[2].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
       C:\Documents and Settings\LocalService\Cookies\system@invitemedia[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@mediaplex[2].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
       C:\Documents and Settings\LocalService\Cookies\system@realmedia[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@ru4[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@serving-sys[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@serving-sys[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@statcounter[2].txt
       C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[2].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
       C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
       C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[1].txt
       C:\Documents and Settings\LocalService\Cookies\system@zedo[2].txt
       cdn4.specificclick.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\XK5YWVLH ]
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adcloudmedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
       C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt

    Trojan.DNS-Changer (Hi-Jacked DNS)
       HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B12C908C-7625-4A94-875B-A0552B209CBB}#NAMESERVER
       HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B12C908C-7625-4A94-875B-A0552B209CBB}#NAMESERVER
       HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B12C908C-7625-4A94-875B-A0552B209CBB}#NAMESERVER
       HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS#NAMESERVER
       HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS#NAMESERVER
       HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS#NAMESERVER

    Malware.Trace
       C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
       HKU\.DEFAULT\SOFTWARE\XML
       HKU\S-1-5-18\SOFTWARE\XML

    Adware.AdRotator
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#DisplayName
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#UninstallString
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#NoModify
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#NoRepair
       HKLM\SOFTWARE\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}
       HKLM\SOFTWARE\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}\instl
       HKLM\SOFTWARE\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}\instl\data
       HKLM\SOFTWARE\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}\instl\data#afltId
       HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}
       HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}\instl
       HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}\instl\data
       HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}\instl\data#afltId
       HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}
       HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps
       HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps\{38061EDC-40BB-4618-A8DA-E56353347E6D}
       HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}
       C:\WINDOWS\$NTUNINSTALLMTF1011$\zrpt.xml
       C:\WINDOWS\$NTUNINSTALLMTF1011$

    Trojan.Agent/Gen-Exploit
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UPDATE\SEUPD.EXE

    Mal




Jack999 (Topic Starter)

      Re: Virus Removal Help
      « Reply #1 on: September 04, 2010, 07:06:14 AM »
      Here is the Malwarebytes log.

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4540

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      9/3/2010 11:53:20 PM
      mbam-log-2010-09-03 (23-53-20).txt

      Scan type: Quick scan
      Objects scanned: 143632
      Time elapsed: 9 minute(s), 3 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 5
      Registry Values Infected: 2
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 4

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CLASSES_ROOT\CLSID\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cakwacfe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\SYSTEM32\DRIVERS\mraunu.sys (Rootkit.Agent) -> Delete on reboot.
      C:\WINDOWS\SYSTEM32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\pb.sys (Malware.Trace) -> Quarantined and deleted successfully.
      C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Jack999 (Topic Starter)

        Re: Virus Removal Help
        « Reply #2 on: September 04, 2010, 07:48:22 AM »
        Well, this is very strange.  I am unable to paste the HijackThis log into the message box on this topic.  Every time I do, the "Internet Explorer can't display this page" screen comes up.  I can post normal messages, as you can see from this post, but can't post the HJT log.  As you can see in my previous posts, I was able to add the SUPERAntiSpyware and Malwarebytes logs... Odd.

        Any ideas or options to get this posted?  Thanks..

        Jack

Jack999 (Topic Starter)

          Re: Virus Removal Help
          « Reply #3 on: September 04, 2010, 09:12:46 AM »
          Ok figured out how to post the log.  See below.  Jack

          Logfile of Trend Micro HijackThis v2.0.4
          Scan saved at 7:52:56 AM, on 9/4/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v8.00 (8.00.6001.18702)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\WINDOWS\system32\LEXBCES.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\LEXPPS.EXE
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\wanmpsvc.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\WINDOWS\system32\msiexec.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\Trend Micro\HiJackThis\sniper.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
          R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
          O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
          O4 - HKUS\S-1-5-18\..\Run: [Hkaqodurex] rundll32.exe "C:\WINDOWS\vctiaft.dll",Startup (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [Hkaqodurex] rundll32.exe "C:\WINDOWS\vctiaft.dll",Startup (User 'Default user')
          O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
          O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
          O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
          O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
          O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O15 - Trusted Zone: http://*.att.net
          O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
          O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://secure.ccf.org/icawebclient/wficac.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131037793937
          O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154647697041
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
          O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
          O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
          O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
          O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
          O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
          O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
          O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
          O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
          O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

          --
          End of file - 7018 bytes

SuperDave (Malware Removal Specialist)
          Re: Virus Removal Help
          « Reply #4 on: September 06, 2010, 06:23:54 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.

          ***************************************

          Open HijackThis and select Do a system scan only

          Place a check mark next to the following entries: (if there)

          O4 - HKUS\S-1-5-18\..\Run: [Hkaqodurex] rundll32.exe "C:\WINDOWS\vctiaft.dll",Startup (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [Hkaqodurex] rundll32.exe "C:\WINDOWS\vctiaft.dll",Startup (User 'Default user')
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

          Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the Trusted Zone. If you agree, please do the following.

          Please place a check mark next to this/these line/lines:
          O15 - Trusted Zone: http://*.att.net

          Important: Close all open windows except for HijackThis and then click Fix checked.

          Once completed, exit HijackThis.
          *************************************

          Download ComboFix by sUBs from one of the below links. 

          Important! You MUST save ComboFix to your desktop

          link # 1
          Link # 2

          Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          Double click on ComboFix.exe & follow the prompts.

          Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).

          Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

          When the scan completes it will open a text window.
           
          Post the contents of that log in your next reply.

          Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
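The reply above picks out three kinds of HijackThis entries by hand: an O4 autorun that uses rundll32 to load a DLL from the root of C:\WINDOWS and is registered under the SYSTEM and Default-user hives, an O15 Trusted Zone entry, and an O20 Winlogon Notify entry whose DLL is missing. The script below is an added example written for this page, not code from the helper, from Computer Hope or from HijackThis itself; it parses log lines in the HijackThis 2.0.4 format shown in the thread and applies those same three checks automatically. The sample log embedded in it is constructed for the example (the flagged lines mirror the ones the helper asked to fix, the benign lines are there for contrast), and the heuristics are a first-pass triage aid, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample input in HijackThis 2.0.4 line format. The two Hkaqodurex
# lines and the O15 line reproduce the entries the helper asked to have fixed;
# the other lines are benign entries of the same shape, kept for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Hkaqodurex] rundll32.exe "C:\WINDOWS\vctiaft.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Hkaqodurex] rundll32.exe "C:\WINDOWS\vctiaft.dll",Startup (User 'Default user')
O15 - Trusted Zone: http://*.att.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

# Line shapes as HijackThis prints them: "O4 - <hive>: [<name>] <command>" etc.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone:\s*(?P<site>\S+)')
O20_RE = re.compile(r'^O20 - Winlogon Notify:\s*(?P<name>.+?)\s+-\s+(?P<path>.*)$')
# rundll32 loading a DLL that sits directly in C:\WINDOWS rather than in system32
ROOT_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\[^\\"]+\.dll"?', re.IGNORECASE)
# per-user Run keys hooked into the SYSTEM (S-1-5-18) and Default-user hives
SYSTEM_HIVES = ('HKUS\\S-1-5-18', 'HKUS\\.DEFAULT')


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into entries keyed by their section code (O4, O15, ...)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ' - ' not in line:
            continue
        section, _, body = line.partition(' - ')
        entries.append({'section': section, 'body': body, 'raw': line})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the entries a first-pass reviewer would hand to a human, each with a reason."""
    findings = []
    for e in entries:
        raw = e['raw']
        m = O4_RE.match(raw)
        if m:
            reasons = []
            if ROOT_DLL_RE.search(m['cmd']):
                reasons.append('rundll32 loads a DLL from the Windows root; legitimate components live in system32')
            if m['hive'].upper().startswith(SYSTEM_HIVES):
                reasons.append('autorun registered under the SYSTEM / Default-user hive, a persistence spot few users inspect')
            if reasons:
                findings.append({'raw': raw, 'reason': '; '.join(reasons)})
            continue
        m = O15_RE.match(raw)
        if m:
            note = 'site placed in the IE Trusted Zone (lowest security)'
            if '*' in m['site']:
                note += '; wildcard covers every host under the domain'
            findings.append({'raw': raw, 'reason': note})
            continue
        m = O20_RE.match(raw)
        if m and 'file missing' in m['path'].lower():
            findings.append({'raw': raw, 'reason': 'Winlogon Notify package points at a DLL that is not on disk; stale or tampered'})
    return findings


if __name__ == '__main__':
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f['raw']}\n    -> {f['reason']}")
```

Run against a real log, the script flags the two Hkaqodurex lines (both reasons apply), the att.net Trusted Zone entry and the missing avgrsstx.dll notify package, and leaves the Java updater, ctfmon and the SUPERAntiSpyware notify DLL alone. Treat every hit as a prompt to look up the file and the vendor, as the helper does here, rather than as proof of infection.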