A tenacious bit of malware..

Status
Not open for further replies.
D

Dr.crispy

New member
Hi, I was wondering is you could help with a problem that i've been having with malware that has resisted Spybot, Malwarebyte's Antimalware and even Combofix (i know i know,I shouldn't have used it without supervision...)
The problem started with a persistantly red X in the system tray recommending that I install anti-spyware software. The computer also sometimes reset itself with no apparent cause. Initially Task manager was inaccessible as I "wasn't the administrator" (I am) & Spybot was also unresponsive.
I followed the general instructions of others on the forum who have had almost identical problems. I have downloaded HijackThis, RSIT, the latest Java JREs, Immunised with the latest Spybot updates (after editing the registry to allow me to open it), disabled TeaTimer, Updated windows with the latest updates, installed an extra firewall and used Combofix (in safemode, with the windows safety thing, as it was reseting during the Log write) which all seemed to fix the problem. However using Kaspersky's online scanner Brastk.exe still is persisting in the registry. and Malwarebyte's confiming the registry entry/Trojan.Fakealert

Could someone help?

As an aside, I think the culture of altruism shown by the volunteers on this and other fora is really heartwarming, and thanks in advance of any help you can give!

I have a load of logs and can post whichever ones you need!

Thanks
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Sounds like you have done everything except read the directions? Look to the top of this forum, they are pinned (sticky) there and they are there for you. I also posted "Before you Post" instructions above.

This is just one of the important instructions you will find there:
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

Making no promises at this point in the operation, if you will read those directions and start me with the required HJT log mentioned in those directions, I will do all I can to help you resolve these issues.

Thanks
 
Many thanks for your assistance, I have pasted the HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22:30, on 19/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\renamedhijack.exe.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.bham.ac.uk:8008
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [R-Firewall] C:\Program Files\R-TT\R-Firewall\R-Firewall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ergo.co.uk
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-TT\R-Firewall\Service\RTT_CRC_Service.exe

--
End of file - 5476 bytes
 
Thanks for posting a HJT log, hold any logs you have for a bit longer, I may or may not want to see them?

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log

3) I would also like a look at your uninstall list.
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

Thanks
 
Hi, here are the logs you requested:


SDFix: Version 1.236
Run by Pippa on 21/10/2008 at 08:27

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Documents\tepyqilaro._sy - Deleted
C:\Program Files\Common Files\apimy.bin - Deleted
C:\Documents and Settings\Pippa\Application Data\civumuteze._sy - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 08:31:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\trueplay.exe"="C:\\Program Files\\Real\\RealPlayer\\trueplay.exe:*:Enabled:RealPlayer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 4 Jul 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 4 Nov 2007 289,280 ...H. --- "C:\Documents and Settings\Pippa\My Documents\Scheme stuff\Dissertation\Essay\~WRL3536.tmp"
Sat 3 Nov 2007 30,208 ...H. --- "C:\Documents and Settings\Pippa\My Documents\Scheme stuff\Dissertation\Essay\~WRL1587.tmp"
Sun 4 Nov 2007 42,496 ...H. --- "C:\Documents and Settings\Pippa\My Documents\Scheme stuff\Dissertation\Essay\~WRL1317.tmp"
Mon 15 Jan 2007 243,200 A..H. --- "C:\Documents and Settings\Pippa\My Documents\Scheme stuff\PCT\RUCP\~WRL1406.tmp"
Mon 5 Mar 2007 139,776 A..H. --- "C:\Documents and Settings\Pippa\My Documents\Scheme stuff\PCT\Palliative Care\~WRL1903.tmp"
Fri 2 Mar 2007 245,248 A..H. --- "C:\Documents and Settings\Pippa\My Documents\Scheme stuff\PCT\LDP\~WRL0164.tmp"

Finished!

The HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:34:48, on 21/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\R-TT\R-Firewall\R-Firewall.exe
C:\Program Files\R-TT\R-Firewall\Service\RTT_CRC_Service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\renamedhijack.exe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.bham.ac.uk:8008
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [R-Firewall] C:\Program Files\R-TT\R-Firewall\R-Firewall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ergo.co.uk
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-TT\R-Firewall\Service\RTT_CRC_Service.exe

--
End of file - 5402 bytes

Uninstall list:

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player
ASUSDVD
ATK0100 ACPI UTILITY
Audacity 1.3.4 (Unicode)
Avira AntiVir Personal - Free Antivirus
BBC iPlayer Download Manager
BLM 2.6.5
BookSmart™ 1.9.5 1.9.5
CCleaner (remove only)
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Demand Five Player
EuroTalk Talk Now Plus!
Google Earth
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2

Intel(R) Graphics Media Accelerator Driver for Mobile
Java(TM) 6 Update 10
Malwarebytes' Anti-Malware
Maxtor Manager
Maxtor Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 2000
Mozilla Firefox (2.0.0.16)
MSXML 6.0 Parser (KB933579)
PeerGuardian 2.0
Power4 Gear
QuickTime
RealPlayer
Realtek High Definition Audio Driver
R-Firewall 1.05.53
Screen Grab Pro

Spybot - Search & Destroy
Synaptics Pointing Device Driver
UltimateZip 2.5
Uninstall Entriq MediaSphere

VideoLAN VLC media player 0.8.2
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin

WinPcap 4.0.2
Wireshark 1.0.3
XnView 1.91.5

Thanks!
 
Thanks for returning your information, please read and follow the directions carefully and in the numbered order.

Looking at the uninstall list first, I look for security issues and malware and will not know all of your programs, but you should.

*Hackers are using out of date programs to infect folks more and more, here is a small free tool that lets you know when something needs an update if you are interested:
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.1.0 <<< out of date and being exploited
http://www.filehippo.com/download_adobe_reader/

Viewpoint Media Player << I would uninstall this unless you use it
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

The rest look OK as far as I can see.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running now?

Thanks...Phil
 
Hi Phil,
Thanks a lot for your help thus far. I followed your instructions and got rid of the AOL spyware and updated Adobe Reader. I also ran ATF as well as the HJT fix for O16. The computer is running well and malwarebyte's scan is clear of infection!
Malwarebytes' Anti-Malware 1.29
Database version: 1303
Windows 5.1.2600 Service Pack 2

21/10/2008 23:12:04
mbam-log-2008-10-21 (23-12-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94996
Time elapsed: 1 hour(s), 9 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**The final HJT ( I hope) is below:**

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:16:48, on 21/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\R-TT\R-Firewall\R-Firewall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\R-TT\R-Firewall\Service\RTT_CRC_Service.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\renamedhijack.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.bham.ac.uk:8008
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [R-Firewall] C:\Program Files\R-TT\R-Firewall\R-Firewall.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ergo.co.uk
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-TT\R-Firewall\Service\RTT_CRC_Service.exe

--
End of file - 5550 bytes

Many thanks, I hope we have sorted it!

Chris
 
Thanks for returning your information and the feedback. Let's remove SDFix from the computer, it does not update so there is no reason to keep it.

C:\SDFix\ <<< delete that folder and the contents.

Update AntiVir PersonalEdition Classic and scan the system, if all is well at that point, let me know and I will close your topic.


Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Oh dear, its all gone a bit wrong. I updated the AntiVir with todays virus definitions and did a full scan which found the following....
(although ogically loads were found in old systems restore points, and in the old Combofix files that I ran before seeking proper help but a few new ones notheless)


Avira AntiVir Personal
Report file date: 22 October 2008 21:24

Scanning for 1704573 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: PIPPA

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 12/08/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 09:57:54
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 08:56:42
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 13:44:20
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 08:58:54
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 11:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 14:54:16
ANTIVIR2.VDF : 7.0.7.59 4366336 Bytes 19/10/2008 20:24:38
ANTIVIR3.VDF : 7.0.7.75 148480 Bytes 22/10/2008 20:21:38
Engineversion : 8.2.0.5
AEVDF.DLL : 8.1.0.6 102772 Bytes 15/10/2008 20:20:46
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 16/10/2008 20:18:56
AESCN.DLL : 8.1.1.3 123252 Bytes 15/10/2008 20:20:20
AERDL.DLL : 8.1.1.2 438644 Bytes 19/09/2008 10:23:44
AEPACK.DLL : 8.1.2.4 369014 Bytes 15/10/2008 20:20:00
AEOFFICE.DLL : 8.1.0.28 196987 Bytes 15/10/2008 20:19:42
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 19/09/2008 10:23:42
AEHELP.DLL : 8.1.1.2 115062 Bytes 15/10/2008 20:19:36
AEGEN.DLL : 8.1.0.41 319861 Bytes 15/10/2008 20:19:32
AEEMU.DLL : 8.1.0.9 393588 Bytes 15/10/2008 20:19:30
AECORE.DLL : 8.1.2.6 172406 Bytes 15/10/2008 20:19:24
AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 20:19:04
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 09:40:06
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 10:28:02
AVREP.DLL : 8.0.0.2 98344 Bytes 08/09/2008 21:14:40
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 12:26:42
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 09:29:24
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 13:27:50
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 18:28:04
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 13:49:42
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 13:05:12
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 14:48:08
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 14:34:38

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 22 October 2008 21:24

The scan of running processes will be started
Scan process 'avwsc.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'FIREFOX.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ATKOSD.exe' - '1' Module(s) have been scanned
Scan process 'PG2.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'RTT_CRC_Service.exe' - '1' Module(s) have been scanned
Scan process 'R-Firewall.exe' - '1' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'AVGNT.EXE' - '1' Module(s) have been scanned
Scan process 'MaxMenuMgr.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'HControl.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SQLSERVR.EXE' - '1' Module(s) have been scanned
Scan process 'SyncServices.exe' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'AVGUARD.EXE' - '1' Module(s) have been scanned
Scan process 'SCHED.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\' <ERGO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Pippa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eolxpdo0.default\Cache\E3937B94d01
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49388c91.qua'!
C:\WINDOWS\system32\zedqnwrg.exe
[DETECTION] Is the TR/Obfuscated.GX.2750 Trojan
[NOTE] The file was moved to '496392f9.qua'!
C:\WINDOWS\system32\fqbgrkje.exe
[DETECTION] Is the TR/Obfuscated.vip Trojan
[NOTE] The file was moved to '4961930a.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP474\A0116060.exe
[DETECTION] Is the TR/Agent.aiej.1 Trojan
[NOTE] The file was moved to '49309a09.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP474\A0116174.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a0f.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116267.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a41.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116268.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a44.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116270.SYS
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49309a47.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116337.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a4c.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116352.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a4e.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116353.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a51.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116394.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a54.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116395.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a5a.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116396.exe
[DETECTION] Is the TR/Fakealert.QE Trojan
[NOTE] The file was moved to '49309a5c.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116398.SYS
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a5e.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116473.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a62.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116474.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a64.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116482.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a66.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116485.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a68.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116486.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49309a6a.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116495.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a6c.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116496.exe
[DETECTION] Is the TR/Fakealert.QE Trojan
[NOTE] The file was moved to '49309a6e.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116498.SYS
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a70.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116556.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a73.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116562.exe
[DETECTION] Is the TR/Obfuscated.GX.2750 Trojan
[NOTE] The file was moved to '49309a75.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116563.exe
[DETECTION] Is the TR/Obfuscated.vip Trojan
[NOTE] The file was moved to '49309a77.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116564.exe
[DETECTION] Is the TR/Obfuscated.vip Trojan
[NOTE] The file was moved to '49309a79.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116565.exe
[DETECTION] Is the TR/Dldr.Obfuscated.dzr Trojan
[NOTE] The file was moved to '49309a7a.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116566.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a7c.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP476\A0116567.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49309a7e.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP481\A0118932.exe
[DETECTION] Is the TR/Obfuscated.GX.2750 Trojan
[NOTE] The file was moved to '49309bc1.qua'!
C:\System Volume Information\_restore{70152F12-882E-4638-BD19-2D83AC67BF97}\RP481\A0118933.exe
[DETECTION] Is the TR/Obfuscated.vip Trojan
[NOTE] The file was moved to '49309bc3.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\brastk.exe.vir
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49609c28.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\brastk.exe.vir
[DETECTION] Is the TR/Dldr.FraudLoad.vcuf Trojan
[NOTE] The file was moved to '49609c2a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wini104552663.exe.vir
[DETECTION] Is the TR/Fakealert.QE Trojan
[NOTE] The file was moved to '496d9c23.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\figaro.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49669c25.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49649c22.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49649c25.qua'!


End of the scan: 22 October 2008 22:32
Used time: 1:08:45 Hour(s)

The scan has been done completely.

5286 Scanning directories
201759 Files were scanned
38 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
38 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
201719 Files not concerned
1243 Archives were scanned
2 Warnings
38 Notes

Er what should I do now??
Thanks again

Chris
 
If you have combofix installed still, use these instructions:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


If you do not have combofix still installed, then:

C:\Qoobox\Quarantine\ <<< delete the folder in red and the contents which will delete the quarantine folder and it's contents.

Right click the Recycle Bin on the Desktop and click Empty Recycle Bin and YES

Follow these instructions to clean infected System Restore files, please note I posted these instructions for you here also:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Just to be sure, post the results of the next antivirus scan.
(unless it is clean)

Thanks
 
Hey thanks alot (again!) for your help, did as you suggested and updated AntiVir detects no junk in the system. Looks like its clear now. Thanks for the info re: keeping the machine clean.

Thanks!

Chris
 
Status
Not open for further replies.
Back
Top