Click.giftload problem

Status
Not open for further replies.
step 3 :

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=f86c65659a625c4caf5bcb5a3567e80e
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-29 07:09:41
# local_time=2011-03-29 09:09:41 (+0100, Paris, Madrid (heure d'été))
# country="France"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=770 16774141 100 100 128665 78088408 0 0
# compatibility_mode=8192 67108863 100 0 140 140 0 0
# scanned=8698
# found=0
# cleaned=0
# scan_time=457
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=f86c65659a625c4caf5bcb5a3567e80e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-29 04:00:56
# local_time=2011-03-29 06:00:56 (+0100, Paris, Madrid (heure d'été))
# country="France"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=770 16774141 100 100 152644 78112387 0 0
# compatibility_mode=8192 67108863 100 0 24119 24119 0 0
# scanned=148827
# found=6
# cleaned=0
# scan_time=8354
C:\Qoobox\Quarantine\C\WINDOWS\msaptil.dll.vir a variant of Win32/Cimag.GJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP728\A0150353.dll Win32/Agent.OLR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP728\A0150354.dll Win32/Agent.OLR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP729\A0154353.exe a variant of Win32/Kryptik.LYM trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP729\A0154425.dll a variant of Win32/Cimag.GJ trojan (unable to clean) 00000000000000000000000000000000 I
M:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP729\A0154423.EXE Win32/AutoRun.VB.EF worm (unable to clean) 00000000000000000000000000000000 I
 
Well done Kvitrafn, we are done :bigthumb:


Please follow this last procedure (this will also remove threats found by ESET):


Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


Step 2 | Please download OTC by OldTimer to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • Also, please delete manually the following files in your desktop (move the files to the bin or right-click the files and choose "Send to recycle bin"):
    • aswMBR.exe
    • MBRCheck.exe
    • aswMBR logfile
    • The logfile genereted by MBRCheck (MBRCheck_mm.dd.yy_hh.mm.ss.txt)

Step 3 | Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
  • If you are unsure of how to use Add or Remove Programs, the please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
  • Your Adobe Reader is updated now.


Step 4 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Click on the following link to visit java website: Java Runtime Environment (JRE) 6
  • Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
  • Click the "Download" button to the right column (JRE).
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and AppletsTrace and Log Files
    • Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


Step 5 | I don't see any evidence of a 3rd Party Firewall installed on your computer. If you have one installed, make sure it's functioning properly. As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders.

If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:

  • Comodo (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
  • Online Armor Free (Free version at bottom of page (XP/Vista/W7 (32bit).) 64bit version not available yet. Some reported conflicts with Avira AntiVir.
  • ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
  • Ashampoo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install and have active, only one firewall at the same time. If you install one of these firewalls, remember to turn off Windows' firewall.


Last Step | Now, in order to avoid future infections, please take time to read the following article:

So how did I get infected in the first place?

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :)
 
step 3 is now done. I reboot and try again, and there were no problem this time...

About step 5, seems that I don't have firewall, that's weird, I thought I had one !

Should/can I remove these files :

Attach.txt
log from ComboFix
GMER.exe
MBR.txt
MBR.dat

and unistall these softwares :
CCleaner
Malwarebytes' Anti-Malware

?
 
Yes, you can delete those files and uninstall those programs. You can also uninstall ESET Online Scanner, if present :bigthumb:
 
You are welcome :)

Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
 
Hi.

Computer is working fine, but I did a spybot check, and I found - again - the click.giftload.
I did not try to delete it since I understand that sybot could not delete it.
Do you need any log/report ?
 
Hi Kvitrafn,


Don't try to remove it with Spybot S&D yet. Please do the following:


Step 1 | Please open SpyBot S&D


  • Check for problems.
  • When the scan completes, right click on the results list, select "Copy results to clipboard".
  • Paste (Ctrl+V) those results in your next reply.


Step 2 | Download DDS from any of the links below:

Link 1
Link 2
Link 2

--------------------------------------------------------------------
  • Save it to your desktop.
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Post the contents of the DDS.txt report in your next reply.
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
 
Spybot report :

Click.GiftLoad: [SBI $89783858] Réglages utilisateur (Valeur du registre, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Right Media: Cookie traceur (Internet Explorer: Tatiana) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-02 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
DDS :

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tatiana at 22:20:46,30 on 04/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1332 [GMT 2:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tatiana\Bureau\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\program files\orange\connexion internet orange\searchurlhook\SearchPageURL.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10n_ActiveX.exe -update activex
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroFilterCheck] c:\program files\fichiers communs\ahead\lib\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} = 212.27.53.252,212.27.54.252
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tatiana\applic~1\mozilla\firefox\profiles\3e9n8sru.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.fr
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-1 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-4 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-13 42184]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-3-16 33792]
S2 AMService;AMService;c:\windows\temp\lryj\setup.exe run --> c:\windows\temp\lryj\setup.exe run [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-12-16 1527900]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xpadfl02.sys --> c:\windows\system32\drivers\xpadfl02.sys [?]
.
=============== Created Last 30 ================
.
2011-04-04 13:24:05 -------- d-----w- C:\wamp
2011-04-01 07:48:27 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-29 21:12:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-29 06:31:57 -------- d-----w- c:\docume~1\tatiana\applic~1\Malwarebytes
2011-03-29 06:31:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-29 06:31:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-28 06:34:13 -------- d-sha-r- C:\cmdcons
2011-03-24 13:54:39 -------- d-----w- c:\docume~1\tatiana\locals~1\applic~1\Deployment
2011-03-14 21:47:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games
.
==================== Find3M ====================
.
2011-03-29 21:12:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-04 16:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 16:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:59:09 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:12 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 22:22:35,10 ===============
 
Hi Kvitrafn,


Your log looks fine. In my opinion that registry key is the only remnant of the infection, and that's what Spybot flags. Please try to remove it with Spybot S&D. After that, perform a full scan and post the results here.
 
Status
Not open for further replies.
Back
Top