[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5479
  • Last Modified:

How to Remove this Virus....packed.Win32.Krap.f

I have this virus so far and I cannot see how to remove it as my antivirus did not detect it but Kaspersky free scan did..

mejiyolo.dll.tmp

also known as  

packed.Win32.Krap.f
0
4ubest
Asked:
4ubest
  • 12
  • 8
  • 4
  • +2
1 Solution
 
dmwynneCommented:
Use malwarebytes.org scanner.
0
 
jdcompCommented:
Do an scan with Malwarebytes as dmwynne suggest but also do a scan with spybot

Try to make 2 sacns each since probably everything will not be remove the first time
0
 
rpggamergirlCommented:
Why didn't anyone give him the link of the suggested tool?????

4ubest,

You can use either MalwareBytes or Combofix and show us the logfile.

1. Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button


2. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
4ubestAuthor Commented:
Malwarebytes..  
Malwarebytes' Anti-Malware 1.34
Database version: 1797
Windows 5.1.2600 Service Pack 2
 
2/23/2009 7:15:08 PM
mbam-log-2009-02-23 (19-15-08).txt
 
Scan type: Full Scan (C:\|G:\|Y:\|)
Objects scanned: 395090
Time elapsed: 35 minute(s), 7 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
(No malicious items detected)
 
Registry Values Infected:
(No malicious items detected)
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
Y:\010109PerfectOptimizer.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Open in new window

0
 
4ubestAuthor Commented:
Combofix log
ComboFix 09-02-21.01 - PPKent 2009-02-23 20:25:31.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.3583.2986 [GMT -5:00]
Running from: c:\documents and settings\PPKent\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *enabled*
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
O:\D.COM
R:\D.COM
 
----- BITS: Possible infected sites -----
 
hxxp://www.hhdsoftware.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_seneka
 
 
(((((((((((((((((((((((((   Files Created from 2009-01-24 to 2009-02-24  )))))))))))))))))))))))))))))))
.
 
2009-02-23 20:04 . 2009-02-23 20:04	<DIR>	d--------	C:\!!hijackthis
2009-02-23 09:17 . 2009-02-23 09:17	<DIR>	d--------	c:\windows\[u]0[/u]E6ED660498C42F79EF4FB0C96DFC01A.TMP
2009-02-20 08:36 . 2009-02-20 08:42	6,790,436,864	--a------	C:\[u]0[/u]22009eudoraDrive G and MCI Flat Drive Y newer.bkf
2009-02-16 11:28 . 2009-02-18 09:05	<DIR>	d--------	c:\program files\K-Lite Codec Pack
2009-02-16 11:28 . 2002-07-07 17:14	1,294,336	--a------	c:\windows\system32\vorbis.acm
2009-02-16 11:28 . 2008-09-24 13:41	839,680	--a------	c:\windows\system32\lameACM.acm
2009-02-16 11:28 . 2001-02-24 20:19	287,744	--a------	c:\windows\system32\divxa32.acm
2009-02-16 11:28 . 2006-10-18 13:05	232,448	--a------	c:\windows\system32\mp3fhg.acm
2009-02-16 11:28 . 2007-09-20 19:52	118,784	--a------	c:\windows\system32\ac3acm.acm
2009-02-16 11:28 . 2008-10-03 07:30	414	--a------	c:\windows\system32\lame_acm.xml
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\program files\AVS4YOU
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\AVS4YOU
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\AVS4YOU
2009-02-16 10:58 . 2009-02-16 10:59	<DIR>	d--------	c:\program files\Common Files\AVSMedia
2009-02-16 10:58 . 2002-01-05 15:48	974,848	--a------	c:\windows\system32\mfc70.dll
2009-02-16 10:58 . 2002-01-05 14:40	487,424	--a------	c:\windows\system32\msvcp70.dll
2009-02-16 10:58 . 2002-01-05 02:37	344,064	--a------	c:\windows\system32\msvcr70.dll
2009-02-16 10:58 . 2003-05-21 12:50	24,576	--a------	c:\windows\system32\msxml3a.dll
2009-02-13 17:47 . 2009-02-13 17:47	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\InstallShield Installation Information
2009-02-13 17:08 . 2009-02-13 17:08	<DIR>	d--------	c:\windows\system32\AGEIA
2009-02-13 17:08 . 2009-02-13 17:08	<DIR>	d--------	c:\program files\AGEIA Technologies
2009-02-13 14:44 . 2009-02-13 14:45	<DIR>	d--------	C:\[u]0[/u]21309apyramdair
2009-02-13 13:00 . 2009-02-13 13:00	<DIR>	d--------	c:\program files\DIFX
2009-02-13 12:50 . 2009-02-13 12:50	<DIR>	d--------	c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-13 12:49 . 2009-02-13 12:49	<DIR>	d--------	c:\documents and settings\All Users\Application Data\NVIDIA
2009-02-10 09:44 . 2009-02-10 09:44	<DIR>	d--------	c:\program files\AskSearch
2009-02-03 14:59 . 2009-02-03 14:59	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Scooter Software
2009-02-03 09:31 . 2009-02-03 09:31	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Ulead Systems
2009-02-03 09:29 . 2009-02-03 09:30	<DIR>	d--------	c:\program files\Common Files\Ulead Systems
2009-02-03 09:29 . 2009-02-03 09:30	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-03 09:25 . 2009-02-03 09:25	<DIR>	d--------	c:\windows\Downloaded Installations
2009-02-02 07:24 . 2009-02-08 07:48	3,452	--ahs----	c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-02 07:24 . 2009-02-08 07:48	88	-r-hs----	c:\documents and settings\All Users\Application Data\1F80204B4F.sys
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\program files\Common Files\Protexis
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\program files\Common Files\Corel
2009-02-02 07:23 . 2009-02-02 07:24	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Corel
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Corel
2009-02-02 07:21 . 2009-02-02 07:21	<DIR>	d--------	c:\program files\Corel
2009-02-02 07:11 . 2009-02-02 07:11	51,124	--ah-----	c:\windows\system32\mlfcache.dat
2009-02-01 14:14 . 2009-02-01 14:14	<DIR>	d--------	c:\program files\Apple Software Update
2009-02-01 14:14 . 2009-02-01 14:14	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
2009-01-30 09:55 . 2009-01-30 09:55	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\DeskView
2009-01-29 11:11 . 2009-01-29 11:11	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\NCH Software
2009-01-29 11:09 . 2009-01-29 11:11	<DIR>	d--------	c:\program files\NCH Software
2009-01-29 11:09 . 2009-01-29 11:09	<DIR>	d--------	c:\documents and settings\All Users\Application Data\NCH Software
2009-01-27 11:46 . 2009-01-28 05:39	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Nvu
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 14:02	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-02-11 15:19	38,496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-02-10 01:28	---------	d-----w	c:\program files\TC Web Conferencing
2009-02-05 14:13	---------	d-----w	c:\documents and settings\PPKent\Application Data\Key Metric Software
2009-02-03 14:30	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-01 19:14	---------	d-----w	c:\documents and settings\PPKent\Application Data\Apple Computer
2009-01-25 01:32	---------	d-----w	c:\documents and settings\PPKent\Application Data\ZoomBrowser EX
2009-01-20 18:04	---------	d-----w	c:\program files\Raxco
2009-01-20 18:04	---------	d-----w	c:\documents and settings\All Users\Application Data\Raxco
2009-01-18 13:10	---------	d-----w	c:\documents and settings\PPKent\Application Data\Desktopicon
2009-01-17 00:12	---------	d-----w	c:\program files\Hunting Unlimited 2009
2009-01-17 00:12	---------	d-----w	c:\documents and settings\All Users\Application Data\Trymedia
2009-01-17 00:03	---------	d-----w	c:\program files\Gigabyte
2009-01-15 12:42	516,096	----a-w	c:\windows\iwexec.exe
2009-01-15 01:11	---------	d-----w	c:\program files\Opera
2009-01-13 00:14	---------	d-----w	c:\program files\TechSmith
2009-01-13 00:14	---------	d-----w	c:\program files\Common Files\TechSmith Shared
2009-01-13 00:14	---------	d-----w	c:\documents and settings\All Users\Application Data\TechSmith
2009-01-09 20:02	---------	d-----w	c:\documents and settings\PPKent\Application Data\Media Player Classic
2009-01-09 19:52	---------	d-----w	c:\program files\Ashampoo
2009-01-09 15:49	71,184	----a-w	c:\windows\system32\drivers\DefragFs.sys
2009-01-09 01:27	---------	d-----w	c:\program files\Mythicsoft
2009-01-08 22:42	---------	d-----w	c:\documents and settings\PPKent\Application Data\Canon
2009-01-07 18:42	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-07 18:42	---------	d-----w	c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-07 18:41	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{752EA1EF-1744-4EC4-BC85-85F7632FCEFB}
2009-01-07 18:41	---------	d-----w	c:\program files\Common Files\Key Metric Software
2009-01-07 18:41	---------	d-----w	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-07 18:41	---------	d-----w	c:\documents and settings\All Users\Application Data\PCPitstop
2009-01-07 18:36	---------	d-----w	c:\program files\Common Files\ArcSoft
2009-01-05 20:17	4,501	----a-w	c:\windows\gdrv.sys
2009-01-05 03:37	---------	d-----w	c:\program files\NVIDIA Corporation
2009-01-03 14:29	---------	d-----w	c:\documents and settings\PPKent\Application Data\Panasonic
2009-01-03 14:01	---------	d-----w	c:\program files\ISL
2009-01-03 13:59	---------	d-----w	c:\program files\Panasonic
2009-01-03 13:30	---------	d-----w	c:\documents and settings\PPKent\Application Data\SCATE
2009-01-03 13:30	---------	d-----w	c:\documents and settings\All Users\Application Data\SCATE
2009-01-03 11:27	---------	d-----w	c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-31 23:17	---------	d-----w	c:\documents and settings\PPKent\Application Data\Any Video Converter
2008-12-31 20:25	---------	d-----w	c:\documents and settings\PPKent\Application Data\Ashampoo
2008-12-28 19:56	---------	d-----w	c:\documents and settings\PPKent\Application Data\Systweak
2008-12-28 01:34	---------	d-----w	c:\documents and settings\PPKent\Application Data\SUPERAntiSpyware.com
2008-12-27 20:06	---------	d-----w	c:\program files\Java
2008-12-27 14:25	---------	d-----w	c:\documents and settings\PPKent\Application Data\Malwarebytes
2008-12-27 14:25	---------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 03:45	---------	d-----w	c:\documents and settings\PPKent\Application Data\iolo
2008-12-27 03:45	---------	d-----w	c:\documents and settings\All Users\Application Data\iolo
2008-12-27 03:16	---------	d-----w	c:\program files\Common Files\Download Manager
2008-12-27 02:43	---------	d-----w	c:\program files\SpyZooka
2008-12-27 02:28	---------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 00:38	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 19:17	---------	dc----w	c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-24 01:39	---------	d-----w	c:\documents and settings\PPKent\Application Data\Uniblue
2008-12-24 00:41	---------	d-----w	c:\documents and settings\All Users\Application Data\PIXELA
2008-12-24 00:34	---------	d-----w	c:\program files\Canon
2008-12-24 00:32	---------	d-----w	c:\program files\Common Files\Canon
2008-12-24 00:22	---------	d-----w	c:\documents and settings\PPKent\Application Data\ArcSoft
2008-12-24 00:15	---------	d-----w	c:\program files\Common Files\ScanSoft Shared
2008-12-24 00:15	---------	d-----w	c:\documents and settings\PPKent\Application Data\ScanSoft
2008-12-24 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-24 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\SSScanAppDataDir
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="y:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-20 1830128]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-01-06 2495752]
"Advanced Uninstaller PRO Installation Monitor"="y:\program files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe" [2008-10-31 1153936]
"Uniblue RegistryBooster 2"="y:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 1885464]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]
"QuickTime Task"="y:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "g:\eudorapro 3.0\EuShlExt.dll" [2005-11-14 86016]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= "c:\progra~1\SpyZooka\spyguard.dll" [2005-05-07 173568]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "y:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-31 05:07 356352 y:\program files\SUPERAntiSpyware\SASWINLO.DLL
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"= wdmaud.sys
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	PDBoot.exe\[u]0[/u]autocheck autochk *
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor for SD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor for SD.lnk
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor for SD.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snagit 9.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snagit 9.lnk
backup=c:\windows\pss\Snagit 9.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^PPKent^Start Menu^Programs^Startup^Product Registration.lnk]
backup=c:\windows\pss\Product Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-06-02 03:46 385024 c:\windows\system32\JMRaidTool.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2006-04-07 10:37 135168 c:\windows\system32\nvraidservice.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 f:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 f:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyZooka]
--a------ 2008-08-15 19:20 60408 c:\program files\SpyZooka\SpyZookaLdr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 08:58 1885464 y:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 11:48 2019624 f:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"H:8\\Program Files\\Raxco\\PerfectDisk2008\\PD91Agent.exe"=
"c:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.exe"=
"H:8\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"q:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=
 
R1 SASDIFSV;SASDIFSV;y:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;y:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-27 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-27 202928]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-27 69168]
R3 hhdusbh;USB Monitor Filter Driver;c:\windows\system32\drivers\hhdusbh.sys [2008-12-30 35968]
R3 SASENUM;SASENUM;y:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b3-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - S:\LaunchU3.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b4-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d61d736-cb77-11dd-a066-0016e6858a5a}]
\Shell\AutoRun\command - B:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-02-24 c:\windows\Tasks\GlaryInitialize.job
- c:\local disk (y)\Glary Utilities\initialize.exe [2009-01-10 17:02]
 
2009-02-24 c:\windows\Tasks\XoftSpySE 2.job
- y:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]
.
- - - - ORPHANS REMOVED - - - -
 
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
MSConfigStartUp-dotNetInstallerBoot - c:\docume~1\PPKent\LOCALS~1\Temp\RarSFX0\Ignite_Home.exe
 
 
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com
mStart Page = hxxp://yahoo.com
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - f:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.cab
FF - ProfilePath - c:\documents and settings\PPKent\Application Data\Mozilla\Firefox\Profiles\fiytr45r.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: y:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: y:\program files\Mozilla Firefox\plugins\nppsynth.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin7.dll
 
---- FIREFOX POLICIES ----
├┐FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.cache.memory.capacity - 65536.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 20:29:58
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\S-1-5-21-839522115-152049171-2147200963-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(940)
y:\program files\SUPERAntiSpyware\SASWINLO.DLL
 
- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 20:30:52 - machine was rebooted [PPKent]
ComboFix-quarantined-files.txt  2009-02-24 01:30:50
ComboFix2.txt  2008-12-27 19:39:17
 
Pre-Run: 346,827,358,208 bytes free
Post-Run: 347,080,310,784 bytes free
 
320	--- E O F ---	2008-12-12 19:15:11

Open in new window

0
 
4ubestAuthor Commented:
checked system restore and all the points were deleted..  turned it off and then turned it back on this morning.???  
0
 
4ubestAuthor Commented:
Here is what I see.

http://screencast.com/t/zG7r8Ylsz


frustrating ...
0
 
jdcompCommented:
Did you run spybot?
0
 
4ubestAuthor Commented:
Spybot showed nothing but some cookies however it  "immunized" many items..
0
 
jdcompCommented:
Did you try installing avast and  runing it at the start up before windows loads up, I'm not sure if Kaspersky has that option
0
 
4ubestAuthor Commented:
jdcomp... what do you mean   "installing avast" ?
0
 
JonveeCommented:
4ubest, i suspect jdcomp meant installing Avast and running it at startup, to ensure your system works correctly after the disinfection:
http://www.avast.com/eng/avast-virus-cleaner.html
0
 
4ubestAuthor Commented:
I see... what makes Avast better than  VIPRE which I have which this weekend was enhanced with anti virtumonde efficacy ?
0
 
JonveeCommented:
A good question  .. lol  !

'No one virus scanner that can guarantee detecting & removing every known infection' as was stated in your other thread, is about the best i can come up with.
0
 
4ubestAuthor Commented:
Right I agree and that is why I run  VIPRE,   and the free scans of  Kaspersky,  Trend Micro, and Bit Defender as well as Malwarebytes, SuperAntiSpyware and Spybot,  and I seem to have gotten most malware now..   I will see how computer responds..
0
 
JonveeCommented:
Ok, thanks ... let us know if there are further problems and between us all we'll think of something else to try  ..
0
 
4ubestAuthor Commented:
Right  I am waiting to see if my restore files are lost again and if so since I seem  (according to 4 AV applications and 3 anti-spyware) to be dealing with some sort of hardware issue such as bad ram.???

0
 
4ubestAuthor Commented:
So far 3 days now and the restore files are all there.  I believe running the  BitDefender free scan that I decided to do was a help as well as Trend Micro and Kaspersky.  Of course VIPRE had a new virtumonde engine added on 17 Feb so that also helped  but  Combofix  seemed to be the difference.
0
 
JonveeCommented:
Sounds good.

Have to logoff now for the night ... will drop by late tomorrow ..
0
 
jdcompCommented:
Sorry I was out of town and could keep helping, but yes what I ment was for you to install avast and then to run a scan at start up.

Keep in mind also sometimes viruses could infect your restore files
Good luck
0
 
JonveeCommented:
4ubest, thank you.

You may wish to uninstall ComboFix, as follows >
Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
0
 
4ubestAuthor Commented:
Jonvee.. well once again  my restore points are gone so.. back to starting spot.. :-(
0
 
JonveeCommented:
Well, thought we'd nailed that one, but guess you can't win 'em all .. first time!   : )

Presume it was not a result of you using System Restore & releasing an infection that's just been waiting ?     .. although if Combo had reset SR, this shouldn't have happened.

Hmm .. what about trying to 'repair' System Restore ...
http://windowsxp.mvps.org/repairsr.htm

Reinstalling the System Restore program should not delete existing restore points which are
stored in a hidden folder (but your restore points are not available anyway).
[Probably in C:\System Volume Information].

"How to gain access to the System Volume Information folder":
http://support.microsoft.com/kb/309531

To reduce possibility of losing the restore points (if they were present) you could backup the folder.
If you get an access denied error, run this command>
cacls "C:\System Volume Information" /E /G %username%:F


Surely it cannot be this?   >>
"The System Restore Utility May Be Suspended on a System Drive Even Though There Is Enough Disk Space":
http://support.microsoft.com/kb/299904/

Can't really see how it's still an infection when you've scanned the system so thoroughly.

Don't yet wish to suggest this move, & hope we will not need to, it's a bit like using a sledge hammer to crack a nut > 
How to Perform a Windows XP Repair Install:
http://www.michaelstevenstech.com/XPrepairinstall.htm

Will ponder some more & get back to you later.

0
 
JonveeCommented:
Incidently if it's any consolation, i have an XP here since Jan 2003 and never had to use System Restore in anger!
0
 
4ubestAuthor Commented:
I would not use restore as an anger relief mechanism but as a recovery from bad installation or ...   I was told by my AV support that they do not remove Restore files on a deep scan.  
0
 
JonveeCommented:
>never had to use System Restore in anger<      
<grin>     Sorry, that's just a Brit (English) way of saying>>    
>never had to use System Restore to restore the system<

... i'll be around periodically, monitoring should you post.
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

  • 12
  • 8
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now