Support Forum for TrojanHunter anti-malware remover and other products, including freeware

Welcome, Guest. Please Login or Register.

Search

Members

Login

Register

   Mischel Internet Security Forum
   Malware
   Adware, Browser Hijackers and other Malware (Moderators: Helena, Gavin_Coe, Magnus)
   need help

« Previous topic | Next topic »

Pages: 1 2 3

Notify of replies

Send Topic

Author

Topic: need help (Read 3599 times)

Thomas
Full Member

Gender:

Posts: 233

need help
« on: Apr 9^th, 2009, 9:11am »

Quote

Modify

i got a virus in my pc everytime i run combofix my pc restart it self

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10, on 2009-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US& amp;c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US& amp;c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US& amp;c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_U S&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /H
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4082 bytes

IP Logged

Windows 7 Home Premium (64 Bit)
Yahoo! Messenger Version 11.0.0 Build 2014
Y!TunnelPro Version 2.6 Build 736
YTK Enhanced Version 2.6 Build 108
Mozilla Firefox Version 8.0 (Beta)
Internet Explorer Version 9.0.8112.16421
TrojanHunter Version 5.3 Build 994
HijackThis Version 2.0 Build 4
Wireless
avast! Free Antivirus
Malwarebytes' Anti-Malware
SUPERAntiSpyware Professional

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #1 on: Apr 9^th, 2009, 9:13am »

Quote

Modify

Malwarebytes' Anti-Malware 1.36
Database version: 1958
Windows 5.1.2600 Service Pack 2

4/9/2009 9:52:25 AM
mbam-log-2009-04-09 (09-52-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 101899
Time elapsed: 24 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #2 on: Apr 9^th, 2009, 9:38am »

Quote

Modify

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/09/2009 at 10:33 AM

Application Version : 4.26.1000

Core Rules Database Version : 3836
Trace Rules Database Version: 1792

Scan type : Complete Scan
Total Scan Time : 00:12:27

Memory items scanned : 309
Memory threats detected : 0
Registry items scanned : 3901
Registry threats detected : 0
File items scanned : 12114
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@specificmedia[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@specificclick[2].txt

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #3 on: Apr 9^th, 2009, 10:18am »

Quote

Modify

ok this will not get out of my pc

Malwarebytes' Anti-Malware 1.36
Database version: 1958
Windows 5.1.2600 Service Pack 2

2009-04-09 11:15:36
mbam-log-2009-04-09 (11-15-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 102589
Time elapsed: 25 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #4 on: Apr 9^th, 2009, 11:09am »

Quote

Modify

i downloading a file i thought to be clean and when i open it i starting to get spyware trojan virus and alot more so i reformatting it 13 times hope toget the virus out and it still in my pc and like i said combofix will not work it restart my pc so im geussing there a virus in my pc that causeing it

« Last Edit: Apr 9^th, 2009, 11:09am by Thomas »

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #5 on: Apr 9^th, 2009, 11:38am »

Quote

Modify

TrojanHunter Scan Report - Saved 2009-04-09 12:34

Found trojan file: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe/hidec.exe (RiskTool.Hidec.100)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe/ERDNT.e_e
Found trojan file: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe/Upx.mpgbaant/hidec.exe (RiskTool.Hidec.100)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe/Upx.mpgbaant/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe/Upx.mpgbaant/ERDNT.e_e
Warning: Unable to unpack UPX-packed file C:\Program Files\uTorrent\uTorrent.exe
Warning: Unable to unpack UPX-packed file C:\RECYCLER\S-1-5-21-2804305642-3032790-279461358-1009\Dc2\catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\RECYCLER\S-1-5-21-2804305642-3032790-279461358-1009\Dc2\ERDNT.e_e
Found trojan file: C:\RECYCLER\S-1-5-21-2804305642-3032790-279461358-1009\Dc2\hidec.exe (RiskTool.Hidec.100)
Warning: Unable to unpack UPX-packed file C:\RECYCLER\S-1-5-21-2804305642-3032790-279461358-1009\Dc9.exe
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11 d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Micro soft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.W eb.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.X ML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5 c561934e089_b7e97e18\System.Xml.dll
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.d ll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Unable to unpack UPX-packed file D:\cmdcons\usbuhci.sy_/usbuhci.sys
Warning: Unable to unpack UPX-packed file D:\I386\SYSTEM32\drivers\USBUHCI.SYS
Warning: Unable to unpack UPX-packed file D:\MiniNT\system32\drivers\USBUHCI.SYS
Quarantined file C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Unable to quarantine file C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe: Scheduling file to be quarantined when computer is restarted
Quarantined file C:\RECYCLER\S-1-5-21-2804305642-3032790-279461358-1009\Dc2\hidec.exe

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: need help
« Reply #6 on: Apr 9^th, 2009, 12:54pm »

Quote

Modify

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Please go to the link below. �
http://forums.cnet.com/5208-6132_102-0.html?threadID=337149

5. �Combofix typically reboots your computer as it is performing its detection/cleaning. �

- �Did you download and run the latest version of Combofix?

- �Please post the Combofix log after it completes. �

6. Did Avira find any infections to be removed?

« Last Edit: Apr 9^th, 2009, 12:57pm by siliconman01 »

IP Logged

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: need help
« Reply #7 on: Apr 9^th, 2009, 12:58pm »

Quote

Modify

Can't you just post the Summary report of the Avira scan? I also posted amist the Avira data you are posting.

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #8 on: Apr 9^th, 2009, 1:00pm »

Quote

Modify

Beginning disinfection:
C:\hp\bin\
�KillIt.exe
� �[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
� �[NOTE] � � �The file was moved to '4a4a2ed4.qua'!
C:\hp\bin\
�KillWind.exe
� �[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
� �[NOTE] � � �The file was moved to '4a4a2ed5.qua'!
C:\RECYCLER\S-1-5-21-2804305642-3032790-279461358-1009\Dc2\
�psexec.cfexe
� �[NOTE] � � �The file was moved to '4a432edf.qua'!
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP18\
�A0003059.exe
� �[DETECTION] Contains recognition pattern of the APPL/MyWay.A application
� �[NOTE] � � �The file was moved to '4a0e2e9c.qua'!
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP19\
�A0003686.exe
� �[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
� �[NOTE] � � �The file was moved to '4cb8c25d.qua'!
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP21\
�A0006023.exe
� �[NOTE] � � �The file was moved to '4cb42a85.qua'!
D:\I386\Apps\APP07397\src\
�HPSummer2005.exe
� �[DETECTION] Contains recognition pattern of the APPL/MyWay.A application
� �[NOTE] � � �The file was moved to '4a312ebd.qua'!

End of the scan: 2009-04-09 �13:20
Used time: 24:27 Minute(s)

The scan has been done completely.

� 2416 Scanned directories
213479 Files were scanned
7 Viruses and/or unwanted programs were found
� � �0 Files were classified as suspicious
� � �0 files were deleted
� � �0 Viruses and unwanted programs were repaired
� � �7 Files were moved to quarantine
� � �0 Files were renamed
� � 29 Files cannot be scanned
213443 Files not concerned
�12462 Archives were scanned
� � 38 Warnings
� � 50 Notes
�26623 Objects were scanned with rootkit scan
� � �0 Hidden objects were found

« Last Edit: Apr 9^th, 2009, 1:03pm by Thomas »

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: need help
« Reply #9 on: Apr 9^th, 2009, 1:00pm »

Quote

Modify

Why are you posting all of the Avira scan detailed data? �Did Avira find any infections?

Scroll back up and see my two posts. �It looks Avira found and quarantined items.

« Last Edit: Apr 9^th, 2009, 1:02pm by siliconman01 »

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #10 on: Apr 9^th, 2009, 1:07pm »

Quote

Modify

i just want find this virus and get it out

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: need help
« Reply #11 on: Apr 9^th, 2009, 1:13pm »

Quote

Modify

So how is your computer running now?

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #12 on: Apr 9^th, 2009, 1:14pm »

Quote

Modify

on Apr 9^th, 2009, 12:54pm, siliconman01 wrote:

1. �Your Hijackthis log is not showing any infections.

2. �SuperAntispyware only found tracking cookies which is no big deal. �

3. �TrojanHunter is finding Combofix.exe stuff which is normal. �You need to remove Combofix.exe before scanning with TrojanHunter. �

- �You can remove Combofix and all of its stored info by going to START>RUN and typing in Combofix /u and then clicking on OK. �Let Combofix fully remove itself. �It's icon on the desktop should disappear when the removal is completed.

4. �Concerning MBAM finding:

Please go to the link below. �
http://forums.cnet.com/5208-6132_102-0.html?threadID=337149

5. �Combofix typically reboots your computer as it is performing its detection/cleaning. �

- �Did you download and run the latest version of Combofix?

- �Please post the Combofix log after it completes. �

6. �Did Avira find any infections to be removed?

i can not post the combofix log

it say it scanning for bad files then after that my pc shut it self off without combofix completeing itself

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: need help
« Reply #13 on: Apr 9^th, 2009, 1:20pm »

Quote

Modify

Okay, uninstall Combofix as I explained how to earlier.. Sometimes Combofix has problems running on various computer hardware/software combinations

It looks like Avira found various infections and quarantined them.

Did you understand the link concerning MBAM?

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: need help
« Reply #14 on: Apr 9^th, 2009, 1:20pm »

Quote

Modify

on Apr 9^th, 2009, 1:13pm, siliconman01 wrote:

So how is your computer running now?

i don't think you want know what my reply to that is

IP Logged

Pages: 1 2 3

Notify of replies

Send Topic


« Previous topic \| Next topic »