
Thread: Virus/malware infection! Please help

  1. #11
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Sorry for delay but I never got email notification from this one.

    Please post a fresh DDS log as well
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #12
    Junior Member
    Join Date: Dec 2008
    Posts: 26

    New dds:
    dds (ver_10-03-17.01) - ntfsx86
    run by m at 14:41:12.00 on tue 07/13/2010
    internet explorer: 8.0.6001.18702 browserjavaversion: 1.6.0_20
    microsoft windows xp professional 5.1.2600.2.1252.1.1033.18.3054.2277 [gmt -4:00]


    ============== running processes ===============

    c:\windows\system32\svchost -k dcomlaunch
    svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs
    c:\windows\system32\svchost.exe -k wudfservicegroup
    svchost.exe
    c:\windows\system32\spoolsv.exe
    c:\program files\creative\shared files\ctaudsvc.exe
    svchost.exe
    c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
    c:\program files\bonjour\mdnsresponder.exe
    c:\program files\citrix\gotomypc\g2svc.exe
    c:\windows\system32\svchost.exe -k hpdevmgmt
    c:\program files\citrix\gotomypc\g2comm.exe
    c:\program files\java\jre6\bin\jqs.exe
    c:\program files\common files\lightscribe\lssrvc.exe
    c:\program files\common files\logishrd\lvmvfm\lvprcsrv.exe
    c:\program files\stardock\thinkdesk\multiplicity\multisrv32.exe
    c:\windows\system32\svchost.exe -k hpz12
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\svchost.exe -k hpz12
    c:\program files\citrix\gotomypc\g2pre.exe
    c:\program files\citrix\gotomypc\g2tray.exe
    c:\windows\system32\svchost.exe -k imgsvc
    c:\program files\viewpoint\common\viewpointservice.exe
    c:\windows\system32\searchindexer.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\explorer.exe
    c:\windows\system32\cthelper.exe
    c:\windows\system32\ctxfihlp.exe
    c:\program files\stardock\thinkdesk\multiplicity\multipl.exe
    c:\program files\poweriso\pwrisovm.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\ctxfispi.exe
    c:\program files\divx\divx update\divxupdate.exe
    c:\program files\rocketdock\rocketdock.exe
    c:\program files\windows desktop search\windowssearch.exe
    c:\program files\yahoo!\widgets\yahoowidgets.exe
    c:\program files\yahoo!\widgets\yahoowidgets.exe
    c:\program files\mozilla firefox\firefox.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\hp\digital imaging\smart web printing\hpswp_clipbook.exe
    c:\program files\mozilla firefox\plugin-container.exe
    c:\program files\yahoo!\messenger\yahoomessenger.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\searchprotocolhost.exe
    c:\documents and settings\m\desktop\dds.scr

    ============== pseudo hjt report ===============

    ustart page = hxxp://www.yahoo.com/
    msearch bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uinternet connection wizard,shellnext = hxxp://go.divx.com/divx/webplayerdemo/en?yrv=1&yoc=divx&ydt=divxdotcom&ybt=dfw&ybv=6.8&yo=iet
    uinternet settings,proxyoverride = *.local
    usearchurl,(default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    murlsearchhooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    bho: &yahoo! Toolbar helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    bho: Hp print enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    bho: Adobe pdf reader link helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
    bho: Realplayer download and record plugin for internet explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    bho: Yahoo! Ie services button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    bho: Java(tm) plug-in 2 ssv helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    bho: Jqsiestartdetectorimpl class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    bho: Tbsb05974 class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\search toolbar\tbcore3.dll
    bho: Hp smart bho class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    tb: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    urun: [rocketdock] c:\program files\rocketdock\rocketdock.exe
    mrun: [nvcpldaemon] rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup
    mrun: [nwiz] nwiz.exe /install
    mrun: [cthelper] cthelper.exe
    mrun: [ctxfihlp] ctxfihlp.exe
    mrun: [multiplicity] c:\program files\stardock\thinkdesk\multiplicity\multipl.exe
    mrun: [pwrisovm.exe] c:\program files\poweriso\pwrisovm.exe
    mrun: [nvmediacenter] rundll32.exe c:\windows\system32\nvmctray.dll,nvtaskbarinit
    mrun: [quicktime task] "c:\program files\quicktime\qttask.exe" -atboottime
    mrun: [divxupdate] "c:\program files\divx\divx update\divxupdate.exe" /checknow
    startupfolder: C:\docume~1\m\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\yahoowidgets.exe
    startupfolder: C:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\windowssearch.exe
    ie: E&xport to microsoft excel - c:\progra~1\micros~2\office10\excel.exe/3000
    ie: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\network diagnostic\xpnetdiag.exe
    ie: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
    ie: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    ie: {dde87865-83c5-48c4-8357-2f5b1aa84522} - {dde87865-83c5-48c4-8357-2f5b1aa84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    trusted zone: Facebook.com\login
    dpf: {02bf25d5-8c17-4b23-bc80-d3488abddc6b} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/quicktime/qtactivex/qtplugin.cab
    dpf: {166b1bca-3f9c-11cf-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    dpf: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/legitcheckcontrol.cab
    dpf: {1842b0ee-b597-11d4-8997-00104bd12d94} - hxxp://www.pcpitstop.com/internet/pcpconncheck.cab
    dpf: {215b8138-a3cf-44c5-803f-8226143cfc0a} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcimpl.cab
    dpf: {22945a69-1191-4dcf-9e6f-409bde94d101} - hxxp://heva.solidworks.com/htdocs/pdownload/edrawings/e2008sp03/cab/emodelsstandard.cab
    dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    dpf: {3ea4fa88-e0be-419a-a732-9b79b87a6ed0} - hxxp://dl.tvunetworks.com/tvuax.cab
    dpf: {4871a87a-bfdd-4106-8153-ffde2bac2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    dpf: {4f1e5b1a-2a80-42ca-8532-2d05cb959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/msnpupld.cab
    dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} - hxxp://www.update.microsoft.com/windowsupdate/v6/v5controls/en/x86/client/wuweb_site.cab?1196968106859
    dpf: {7b297bfd-85e4-4092-b2af-16a91b2ea103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    dpf: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    dpf: {8feff364-6a5f-4966-a917-a3ac28411659} - hxxp://download.sopcast.cn/download/sopcore.cab
    dpf: {8ffbe65d-2c9c-4669-84bd-5829dc0b603c} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    dpf: {9c23d886-43cb-43de-b2db-112a68d7e10a} - hxxp://lads.myspace.com/upload/myspaceuploader2.cab
    dpf: {cafeefac-0016-0000-0020-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    dpf: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    dpf: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - hxxp://platformdl.adobe.com/nos/getplusplus/1.6/gp.cab
    dpf: {e6bb2089-163f-466b-812a-748096614dfd} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
    tcp: {a4d6dd61-fe1d-420d-8f9b-47c13b531555} = 208.67.220.220,208.67.222.222
    handler: Cdo - {cd00020a-8b95-11d1-82db-00c04fb1625d} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
    notify: Gotomypc - c:\program files\citrix\gotomypc\g2winlogon.dll
    notify: Igfxcui - igfxdev.dll
    notify: Multi - c:\program files\stardock\thinkdesk\multiplicity\multiwin32.dll
    ssodl: Wpdshserviceobj - {aaa288ba-9a4c-45b0-95d7-94d524869db5} - c:\windows\system32\wpdshserviceobj.dll
    seh: Windows desktop search namespace manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\msnlnamespacemgr.dll

    ================= firefox ===================

    ff - profilepath - c:\docume~1\m\applic~1\mozilla\firefox\profiles\xokdn1kn.default\
    ff - plugin: C:\documents and settings\m\application data\move networks\plugins\npqmp071503000010.dll
    ff - plugin: C:\documents and settings\m\application data\move networks\plugins\npqmp071706000001.dll
    ff - plugin: C:\documents and settings\m\local settings\application data\google\update\1.2.183.29\npgoogleoneclick8.dll
    ff - plugin: C:\program files\common files\research in motion\bbwebsllauncher\npwebsllauncher.dll
    ff - plugin: C:\program files\divx\divx plus web player\npdivx32.dll
    ff - plugin: C:\program files\java\jre6\bin\new_plugin\npdeployjava1.dll
    ff - plugin: C:\program files\viewpoint\viewpoint media player\npviewpoint.dll
    ff - hiddenextension: Microsoft .net framework assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    ff - hiddenextension: Xulrunner: {a57767a7-fc3d-4597-96d9-8147496c1ac9} - c:\documents and settings\m\local settings\application data\{a57767a7-fc3d-4597-96d9-8147496c1ac9}
    ff - hiddenextension: Java console: No registry reference - c:\program files\mozilla firefox\extensions\{cafeefac-0016-0000-0020-abcdeffedcba}

    ---- firefox policies ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.idn.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutsecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedweight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketsize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxtimegroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timegroupingsize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryweight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixweight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundinterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightthemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.alltabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyuser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= services / drivers ===============

    r1 clbstor;instantburn storage helper driver;c:\windows\system32\drivers\clbstor.sys [2008-4-4 16048]
    r2 clbudf;cyberlink instantburn udf filesystem;c:\windows\system32\drivers\clbudf.sys [2008-4-4 162096]
    r2 multiplicity;stardock multiplicity;c:\program files\stardock\thinkdesk\multiplicity\multisrv32.exe [2008-4-5 208896]
    r2 viewpoint manager service;viewpoint manager service;c:\program files\viewpoint\common\viewpointservice.exe [2009-7-28 24652]
    s2 dualshock3;dualshock3 controller hid minidriver (usb) beta;c:\windows\system32\drivers\dualshock3.sys [2009-1-13 11392]
    s3 nwusbcdfil;novatel wireless installation cd;c:\windows\system32\drivers\nwusbcdfil.sys [2008-7-7 20480]
    s3 nwusbport2;novatel wireless usb status2 port driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]

    =============== created last 30 ================

    2010-06-23 12:29:55 98816 ----a-w- c:\windows\sed.exe
    2010-06-23 12:29:55 77312 ----a-w- c:\windows\mbr.exe
    2010-06-23 12:29:55 256512 ----a-w- c:\windows\pev.exe
    2010-06-23 12:29:55 161792 ----a-w- c:\windows\swreg.exe
    2010-06-22 12:26:54 0 d-----w- c:\docume~1\alluse~1\applic~1\ca
    2010-06-18 19:18:08 256 ----a-w- c:\windows\system32\pool.bin
    2010-06-18 19:18:07 0 d-----w- c:\docume~1\m\applic~1\research in motion
    2010-06-18 17:16:36 0 d-----w- c:\program files\common files\sonic shared
    2010-06-18 17:16:35 0 d-----w- c:\program files\roxio
    2010-06-18 17:13:34 27136 ----a-r- c:\windows\system32\drivers\rimserial.sys
    2010-06-18 17:12:50 0 d-----w- c:\docume~1\alluse~1\applic~1\research in motion
    2010-06-18 17:12:30 0 d-----w- c:\program files\research in motion
    2010-06-18 17:12:30 0 d-----w- c:\program files\common files\research in motion
    2010-06-14 14:37:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-06-14 14:37:42 411368 ----a-w- c:\windows\system32\deployjava1.dll
    2010-06-14 14:33:22 20 ----a-w- c:\docume~1\m\applic~1\qcopjv.dat

    ==================== find3m ====================

    2010-06-29 12:54:28 124984 ----a-w- c:\docume~1\m\applic~1\gdipfontcachev1.dat
    2010-06-09 23:01:10 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
    2010-06-09 23:01:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-20 00:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
    2008-04-05 00:54:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008040420080405\index.dat

    ============= finish: 14:41:42.48 ===============

  3. #13
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Please go to the Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #14
    Junior Member
    Join Date: Dec 2008
    Posts: 26

    I keep getting this error with IE and FF:

    0[ERROR: java.lang.NullPointerException]

  5. #15
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    You can then try the scan with, for example, Opera.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #16
    Junior Member
    Join Date: Dec 2008
    Posts: 26

    Opera produces this error:

    Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later.
    I have installed the latest Java from Java.com and retried with no success.

  7. #17
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Please go to ESET Online Scanner to run an online scan.
    Note: You will need to use Internet Explorer for this scan!
    1. Check the box next to "YES, I accept the Terms of Use."
    2. Click "Start"
    3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
      Once installed, the scanner will be initialized.
    4. Click "Start". Make sure that the options:
      • Remove found threats is UNCHECKED
      • Scan unwanted applications is CHECKED
    5. Click "Scan"
    6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
    7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
    8. Copy and paste the contents of log.txt in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #18
    Junior Member
    Join Date: Dec 2008
    Posts: 26

    OK, this worked. Here's the log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=76e4e798a1de2d45a6cb3143654546dc
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-07-21 06:23:24
    # local_time=2010-07-21 02:23:24 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 50016602 50016602 0 0
    # compatibility_mode=1280 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=349059
    # found=26
    # cleaned=0
    # scan_time=9494
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DropperMaximus.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch4.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\Documents and Settings\M\Application Data\Sun\Java\Deployment\cache\6.0\30\5e8c48de-4f73192c multiple threats 00000000000000000000000000000000 I
    C:\Documents and Settings\M\Local Settings\Application Data\{A57767A7-FC3D-4597-96D9-8147496C1AC9}\chrome\content\overlay.xul probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_qmfdyxr_.sys.zip Win32/Agent.OFB trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\E7aA1k.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\RECYCLER\S-1-5-21-198109447-1953730502-90051572-1005\Dc17\index.html HTML/ScrInject.B.Gen virus 00000000000000000000000000000000 I
    C:\RECYCLER\S-1-5-21-198109447-1953730502-90051572-1005\Dc17\preview\index.html HTML/ScrInject.B.Gen virus 00000000000000000000000000000000 I
    C:\RECYCLER\S-1-5-21-198109447-1953730502-90051572-1005\Dc17\preview\Scripts\AC_RunActiveContent.js JS/TrojanDownloader.HackLoad.AA trojan 00000000000000000000000000000000 I
    C:\RECYCLER\S-1-5-21-198109447-1953730502-90051572-1005\Dc17\Scripts\AC_RunActiveContent.js JS/TrojanDownloader.HackLoad.AA trojan 00000000000000000000000000000000 I
    C:\RECYCLER\S-1-5-21-198109447-1953730502-90051572-1005\Dc17\tweet\index.html HTML/ScrInject.B.Gen virus 00000000000000000000000000000000 I
    F:\furniture\sql\80\Tools\HTML\sspat0.htm Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\ivnetent\index.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\diam\001\home.htm Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\01.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\02.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\03.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\04.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\05.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\06.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\07.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\08.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\09.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    G:\downloads\Apps\ADOBE_CS4_PGen_v1.02.rar probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I

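    The ESET log above is a header of `# key=value` lines followed by one detection per line (path, threat description, a 32-hex digest, and a flag), and the helper's next step is to sort those detections by where they sit: inside another tool's quarantine, in the Recycle Bin, or somewhere that needs a human look before anything is deleted. As an added example (not code from this thread, from ESET, or from the forum), the Python below parses that format and groups detections the same way. The sample log, its paths, and the function names are constructed for the example; the Qoobox folder is ComboFix's quarantine and the Recovery folder is Spybot S&D's, which is why both count as already quarantined.

```python
"""Parse an ESET Online Scanner log.txt and triage detections by location.

Added example, not code from the thread or from ESET.  The format is the
one posted in the thread: '# key=value' header lines, then one detection
per line laid out as '<path> <threat description> <32-hex digest> <flag>'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the posted log; paths are made up.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# scanned=349059
# found=4
# cleaned=0
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\Sample1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\sample.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\\RECYCLER\\S-1-5-21-0-0-0-1005\\Dc17\\index.html HTML/ScrInject.B.Gen virus 00000000000000000000000000000000 I
F:\\share\\photos\\01.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
"""


@dataclass
class Detection:
    path: str
    threat: str
    digest: str
    flag: str


# Both the path and the threat text may contain spaces, so the line is
# anchored from the right: flag, then the 32-hex digest, then the threat
# text back to the last path component (which is assumed space-free).
# Caveat: a file name that itself contains a space is mis-split by this
# rule; such logs need the path checked by hand.
DETECTION_RE = re.compile(
    r"^(?P<path>.*\\[^\s\\]+)\s+(?P<threat>.+?)\s+"
    r"(?P<digest>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)

# Location markers for the triage buckets used in the thread.  Qoobox is
# ComboFix's quarantine, Recovery is Spybot S&D's; RECYCLER is the XP
# Recycle Bin.  Anything else is listed for review rather than deleted.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",
                      "\\spybot - search & destroy\\recovery\\")
RECYCLE_MARKERS = ("\\recycler\\",)


def parse_eset_log(text):
    """Return (header, detections, unparsed).

    header maps each '# key' to a list of values, since some keys (e.g.
    compatibility_mode) repeat; lines matching neither form are returned
    in 'unparsed' so nothing is dropped silently."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header.setdefault(key.strip(), []).append(value.strip())
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(**m.groupdict()))
        else:
            unparsed.append(line)
    return header, detections, unparsed


def classify(path):
    """Bucket a detection by where it lives (case-insensitive on Windows)."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "already_quarantined"
    if any(marker in p for marker in RECYCLE_MARKERS):
        return "recycle_bin"
    return "needs_review"


def triage(detections):
    groups = defaultdict(list)
    for d in detections:
        groups[classify(d.path)].append(d)
    return dict(groups)


def summarize(text):
    """Parse a log and cross-check the header counters against the body."""
    header, detections, unparsed = parse_eset_log(text)
    declared = int(header.get("found", ["0"])[0])
    return {
        "found_declared": declared,
        "found_parsed": len(detections),
        "counts_match": declared == len(detections) and not unparsed,
        # remove_checked=false in the thread means the scan only reported
        "nothing_removed": header.get("cleaned", ["?"])[0] == "0",
        "by_location": {k: sorted(d.path for d in v)
                        for k, v in triage(detections).items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

    The `counts_match` check is the one worth keeping: if the header's `found=` count and the number of parsed detection lines disagree, the log was truncated when pasted or a line did not fit the expected layout, and the review list is incomplete.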
  9. #19
    Junior Member
    Join Date: Dec 2008
    Posts: 26

    Hey any advice?

  10. #20
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Sorry, I'm currently on vacation and not much on the computer.

    Empty these folders:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
    C:\Qoobox\Quarantine\

    Delete this file:

    G:\downloads\Apps\ADOBE_CS4_PGen_v1.02.rar

    Empty Recycle Bin.

    Do you recognize these files?

    F:\furniture\sql\80\Tools\HTML\sspat0.htm Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\ivnetent\index.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\diam\001\home.htm Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\01.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\02.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\03.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\04.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\05.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\06.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\07.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\08.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    F:\wilrod2\taco\hiphop\sugarhill\photos\09.html Win32/Allaple.Gen worm 00000000000000000000000000000000 I
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
