I messed up...

Montec

New member
I have recently been infected with a malware program that has hijacked my browser (IE7). The search links redirect me to other sites. This program has also disabled Norton Internet Security, Firefox and NotePad and some antispyware programs. I cannot access Symantec's site at all.

I found this forum too late. I had read that I should purge my System Restore because the program was infecting that too... Now I do not have a clean restore point. Not good, I know.

I am running a Vista Home Premium system and I have downloaded SpyBot and HijackThis. How do I proceed? Is there hope?

I appreciate any assistance. Thanks
 
Hi Montec

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
Man, this thing is nasty. Norton, IE7, NotePad, Firefox, Adobe Reader all will not open. I get an error popup saying that they have stopped working. All of the error summaries say that it is BEX.

The only way I could get HT to create an error log is to change the default txt program to WordPad.

I also get an error pop up when I reboot that says winself.exe has stopped working.

HT log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:44 PM, on 28/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Windows\system32\wermgr.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FAMTAIA.EXE
C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FARNAIA.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - (no file)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\winself.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8653 bytes
 
I just wanted to include that IE7 just stopped working. It worked fine before last night, but the Google search links were redirected.

I actually got Norton to do a complete system scan in SafeMode and it never found anything. SpyBot did remove two problems.
 
Hi

Yes, there is something:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
 
This Malware has disabled NotePad somehow so when DSS tries to create the log files it fails. I get an error message saying NotePad has stopped working.

Is there any way that DSS can create the log file in another format?
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
ComboFix will not launch.

I get a dialog box telling me the program could not be verified and asks if I should run it. I choose YES and nothing happens.

Should I run it in SafeMode?
 
Same thing...will not run in SafeMode either.

DSS has disappeared from my system. I did not uninstall or delete it.
 
Hi

Let's try this then:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

CF_download_FF.gif



CF_download_rename.gif

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
 
Renaming Combo-Fix worked.

After running the program Windows rebooted, but I have several instances of the following error with different filenames:

filename bad image

c:\windows\system32\clbdll is not designed to run on windows or contains an error.

Combofix seems to be hung up preparing a Log report
 
Hi

Please take a look if C:\ComboFix.txt is present.

If so, please post it.

If not, please re-run combofix.
 
Results of ComboFix.txt:

ComboFix 08-05-29.1 - Monte 2008-05-29 10:36:54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1304 [GMT -7:00]
Running from: C:\Users\Monte\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Users\Monte\AppData\Roaming\AntispywareBot
C:\Users\Monte\g2mdlhlpx.exe
C:\Windows\megavid.cdt
C:\Windows\muotr.so
C:\Windows\stem32~1
C:\Windows\stem32~1\??stem32\
C:\Windows\system32\clbdll.dll
C:\Windows\system32\clbinit.dll
C:\Windows\system32\drivers\clbdriver.sys
C:\Windows\system32\prsgrc.dll
C:\Windows\system32\vfolx32n.dll
C:\Windows\system32\zpt7gxp.dll
C:\Windows\winself.exe

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 17:07 --------- d-----w C:\Program Files\Windows Mail
2008-05-29 17:07 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-29 05:49 --------- d---a-w C:\ProgramData\TEMP
2008-05-28 07:10 --------- d-----w C:\Users\Monte\AppData\Roaming\uTorrent
2008-05-28 07:10 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-28 07:10 --------- d-----w C:\ProgramData\FLEXnet
2008-05-28 07:10 --------- d-----w C:\Program Files\Microsoft Works
2008-05-28 07:10 --------- d-----w C:\Program Files\Google
2008-05-28 06:39 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-28 06:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-28 05:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-28 05:00 --------- d-----w C:\Program Files\3D Home Architect
2008-05-27 19:23 --------- d-----w C:\Users\Monte\AppData\Roaming\Pantone
2008-05-27 19:18 --------- d-----w C:\Program Files\Pantone
2008-05-26 22:24 25,773 ----a-w C:\Windows\system32\drivers\regguard.sys
2008-05-26 22:18 --------- d-----w C:\Users\Monte\AppData\Roaming\System Tweaker
2008-05-26 22:18 --------- d-----w C:\Program Files\Uniblue
2008-05-26 15:12 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-05-25 23:55 --------- d-----w C:\Program Files\IEPro
2008-05-25 16:13 --------- d-----w C:\Users\Monte\AppData\Roaming\Uniblue
2008-05-25 06:54 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-05-25 06:53 --------- d-----w C:\Users\Monte\AppData\Roaming\PC Tools
2008-05-25 06:53 --------- d-----w C:\ProgramData\PC Tools
2008-05-25 04:13 --------- d-----w C:\Program Files\Greatis
2008-05-25 02:03 --------- d-----w C:\Users\Monte\AppData\Roaming\WinPatrol
2008-05-25 02:03 --------- d-----w C:\Program Files\BillP Studios
2008-05-24 23:43 --------- d-----w C:\Program Files\Trend Micro
2008-05-24 23:00 --------- d-----w C:\Program Files\Citrix
2008-05-24 22:45 --------- d-----w C:\Program Files\Enigma Software Group
2008-05-24 04:35 7,168 ----a-w C:\Windows\system32\drivers\beep.sys
2008-05-24 04:35 130,048 ----a-w C:\Windows\System32\apirclj.exe
2008-05-24 04:34 80,384 ----a-w C:\lrohjo.exe
2008-05-24 04:34 73,728 ----a-w C:\tqkyec.exe
2008-05-24 04:34 7,168 ----a-w C:\Windows\System32\beep.sys
2008-05-24 04:34 40,960 ----a-w C:\qnruns.exe
2008-05-24 04:34 35,328 ----a-w C:\vwir.exe
2008-05-24 04:33 --------- d-----w C:\Program Files\TwistingPixels
2008-05-23 23:55 --------- d-----w C:\Program Files\Bibble Labs
2008-05-23 15:11 --------- d-----w C:\Users\Monte\AppData\Roaming\bibble
2008-05-09 15:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-01 22:50 --------- d-----w C:\Program Files\IDT
2008-05-01 22:40 356 ----a-r C:\Windows\system32\drivers\stwrte.log
2008-04-28 16:46 --------- d-----w C:\Program Files\CushyStock
2008-04-28 16:03 --------- d-----w C:\Users\Monte\AppData\Roaming\CushyStock
2008-04-27 03:41 20 ---h--w C:\Users\All Users\PKP_DLbz.DAT
2008-04-27 03:41 20 ---h--w C:\ProgramData\PKP_DLbz.DAT
2008-04-23 23:24 --------- d-----w C:\Program Files\Easy Digital
2008-04-23 21:27 --------- d-----w C:\ProgramData\NVIDIA
2008-04-18 18:40 --------- d-----w C:\Users\Monte\AppData\Roaming\TotalTrain
2008-04-18 01:06 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-18 01:06 --------- d-----w C:\Program Files\Microsoft Expression
2008-04-14 18:29 --------- d-----w C:\Program Files\Payworks
2008-04-14 18:23 286,720 ----a-w C:\Windows\iun506.exe
2008-04-14 17:31 --------- d-----w C:\Program Files\Opanda
2008-04-10 22:14 159,880 ----a-w C:\Windows\system32\drivers\pctfw2.sys
2008-04-07 15:06 --------- d-----w C:\Program Files\Common Files\Nikon
2008-04-06 18:05 20 ---h--w C:\Users\All Users\PKP_DLdw.DAT
2008-04-06 18:05 20 ---h--w C:\ProgramData\PKP_DLdw.DAT
2008-03-30 04:21 --------- d-----w C:\Users\Monte\AppData\Roaming\EBookSys
2008-03-30 04:11 --------- d-----w C:\Program Files\E-Book Systems
2008-03-29 02:03 43,872 ----a-w C:\Windows\system32\drivers\pxhelp20.sys
2008-03-24 06:23 20 ---h--w C:\Users\All Users\PKP_DLdu.DAT
2008-03-24 06:23 20 ---h--w C:\ProgramData\PKP_DLdu.DAT
2008-03-24 05:46 106,496 ----a-w C:\Windows\System32\ATL71.DLL
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-01-07 00:48 20 ---h--w C:\Users\All Users\PKP_DLdy.DAT
2008-01-07 00:48 20 ---h--w C:\ProgramData\PKP_DLdy.DAT
2007-11-20 01:16 104,240 ----a-w C:\Users\Monte\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-10-31 15:19 194 ----a-w C:\Users\Monte\AppData\Roaming\wklnhst.dat
2007-10-30 00:56 174 --sha-w C:\Program Files\desktop.ini
.
 
My computer appears to be fixed :)

The only problem is the error message I get each time I launch a program. I click OK and the program launches fine.

Any suggestions on how to get rid of this error message?

I owe you a huge thank you.
 
Hi

Not so fast :)

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\Windows\system32\drivers\beep.sys
C:\Windows\System32\beep.sys


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Results from C:\Windows\system32\drivers\beep.sys

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Results from C:\Windows\System32\beep.sys


File: beep.sys
Status: INFECTED/MALWARE
MD5: d1ce494b6bad5d4dd9fb54757457bbd0
Packers detected: -

Scanner results
Scan taken on 30 May 2008 16:37:03 (GMT)
A-Squared Found nothing
AntiVir Found RKIT/Agent.aol
ArcaVir Found Trojan.Rootkit.Agent.Aol
Avast Found Win32:DNSChanger-VJ
AVG Antivirus Found BackDoor.Generic9.APSY
BitDefender Found Rootkit.1265
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.NtRootKit.1158
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Rootkit.Win32.Agent.aol
Fortinet Found nothing
Ikarus Found Virus.Rootkit.Win32.Agent.aol
Kaspersky Anti-Virus Found Rootkit.Win32.Agent.aol
NOD32 Found a variant of Win32/Rootkit.Agent.AII
Norman Virus Control Found W32/Rootkit.IRU
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Rootkit.Win32.Agent.aol

Scanner Malware name
A-Squared X
AntiVir PCK/YodaCrypt
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Trojan-Spy.Win32.Zbot.xf
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus Mal/Dorf-A
VirusBuster X
VBA32 X
 
Hi

Thanks for those.

Please do a search:
  • Go "Start">"Search">"All Files and Folders"
  • Enter beep.sys in "All or part of file name"
  • Select "More advanced options"
  • Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders".
  • Click "Search".

Post back all locations of beep.sys, please.
 