Also this item looks strange:
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\xxxvvw.dll",forkonce
Yeah, it is one of the threats. It gives me headaches because I followed Tech™'s steps and it harmed my system and avast. Now I also want to fix it or take no action. And my PC is still infected by the Win32 dialer.
The one/s which you say are detected as infected files and which you wanted to email, I thought you knew what they were from your previous posts.
Then you most likely haven't clicked the User Files section icon on the left, as you can't Add to the Infected Files section; that is the preserve of the avast scanner for files it detected as infected.
After that, what file do I need to add??
Thanks for your help. I want to send the infected files to avast but don't know how to set up Outlook, so it can't be sent. Can you tell me how to set up the mail settings when I want to send those files??
Erm... I tried but can't add. Add can't be chosen.
In theory there should be no need to send files to avast that are already detected by avast unless you feel that the detection isn't correct.
So there is no need to take any action other than to leave them in the chest for a few weeks, scan the file again inside the chest (right click on the file) and, if it is still detected, delete it from within the chest.
The only reason for giving the information was because you expressed you wanted to email the files to avast and were trying to find out how to do this in outlook. So I said they could be sent from the chest.
If you have already sent the files to the chest when they were detected there is no need to add them as they would be in the Infected Files section and could be sent from there.
But that virus is still attacking my PC.
I generally suggest that it will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\xxxvvw.dll"
I don't dare to fix it. This is because I used SUPERAntiSpyware to quarantine this file and my PC couldn't work properly.
What went wrong when you did this?
I see no reason for reformatting (yet).
Why don't you test antispyware tools?
AVG Antispyware (http://www.ewido.net/en/)
SUPERantispyware (http://www.superantispyware.com)
Spyware Terminator (http://www.spywareterminator.com/)
a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Did you investigate bumping up the security level in Comodo firewall, as there are new suspect entries since your previous HJT log?
We have got to try and stop what is on your system connecting to download more malware.
Zero hits on Google. Upload to VirusTotal, add to the User Files section of the avast chest, submit to avast and fix:
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\U040YIUQ.dll
This is very similar to a previous O2 - BHO entry but with a different file name at the end.
This was on your last HJT log but you haven't fixed it, or it is back?
O20 - AppInit_DLLs: jzgpri.dll
See this link - http://fileinfo.prevx.com/spyware/qq2607102335366-JZGP43370664/JZGPRI.DLL.html
Is tm.net.my (Malaysia) your ISP? That is where this entry points; if it isn't your ISP, it may be an indication of a Wareout infection.
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5
Did you install this? It appears to be in a different location from what is usual.
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
When the dialer infected, Comodo firewall didn't pop up a warning about a new suspect entry. That WebAssist I have fixed; I think it has come back already. And that O17 one, I don't know what it is. fts.exe shows at C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe only.
My ISP is TM Net, in Malaysia. And the fts.exe I never installed, but maybe it came with the installer pack.
Patience - I have your logs but will not be able to review them until a little later. ComboFix removed much but possibly not all.
How is the computer running at the moment?
The files above I will upload to scan after I come back from school.
Seems all infected...
I have been running Spyware Terminator and scanned, but it looks like those files show as safe when scanned. If I scan at VirusTotal, I get unsafe. What should I do??
Post the VirusTotal results here and we can analyze. I really doubt they're clean files, but, safer is asking before doing more harm to your computer.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At1.job"
"2007-09-08 01:00:00 C:\WINDOWS\Tasks\At10.job"
"2007-08-31 19:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-31 20:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-08 01:00:00 C:\WINDOWS\Tasks\At106.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-13 02:00:00 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 03:00:00 C:\WINDOWS\Tasks\At108.job"
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-13 02:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-09-02 05:00:00 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 07:00:00 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 08:00:00 C:\WINDOWS\Tasks\At113.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 09:00:00 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 10:00:00 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-09 11:00:00 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 12:00:00 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 13:00:00 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 14:00:00 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 03:00:01 C:\WINDOWS\Tasks\At12.job"
"2007-09-12 15:00:00 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At13.job"
"2007-09-02 05:00:00 C:\WINDOWS\Tasks\At14.job"
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-09-12 07:00:00 C:\WINDOWS\Tasks\At16.job"
"2007-09-12 08:00:00 C:\WINDOWS\Tasks\At17.job"
"2007-09-12 09:00:00 C:\WINDOWS\Tasks\At18.job"
"2007-09-12 10:00:00 C:\WINDOWS\Tasks\At19.job"
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At2.job"
"2007-09-09 11:00:00 C:\WINDOWS\Tasks\At20.job"
"2007-09-12 12:00:00 C:\WINDOWS\Tasks\At21.job"
"2007-09-12 13:00:00 C:\WINDOWS\Tasks\At22.job"
"2007-09-12 14:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 15:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-09-12 18:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-31 19:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-31 20:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-01 06:40:41 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-01 06:40:41 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 16:01:00 C:\WINDOWS\Tasks\At73.job"
"2007-09-12 17:01:00 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 18:01:00 C:\WINDOWS\Tasks\At75.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-31 19:01:00 C:\WINDOWS\Tasks\At76.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-31 20:01:00 C:\WINDOWS\Tasks\At77.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At78.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At79.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-01 06:40:41 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At80.job"
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At81.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-08 01:02:02 C:\WINDOWS\Tasks\At82.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-13 02:02:10 C:\WINDOWS\Tasks\At83.job"
"2007-09-12 03:02:06 C:\WINDOWS\Tasks\At84.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 04:02:08 C:\WINDOWS\Tasks\At85.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-02 05:03:00 C:\WINDOWS\Tasks\At86.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-10 06:02:09 C:\WINDOWS\Tasks\At87.job"
"2007-09-12 07:02:03 C:\WINDOWS\Tasks\At88.job"
"2007-09-12 08:01:00 C:\WINDOWS\Tasks\At89.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-09 00:00:30 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 09:01:00 C:\WINDOWS\Tasks\At90.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 10:01:00 C:\WINDOWS\Tasks\At91.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-09 11:03:00 C:\WINDOWS\Tasks\At92.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 12:01:54 C:\WINDOWS\Tasks\At93.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 13:01:00 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 14:02:04 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 15:01:00 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At97.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At98.job"
"2007-09-12 18:00:00 C:\WINDOWS\Tasks\At99.job"
- C:\WINDOWS\system32\010M3X7k.exe
Review this list of scheduled tasks - have you put these there?
Quote: Contents of the 'Scheduled Tasks' folder
What does this mean??
<snip>
"2007-09-09 11:03:00 C:\WINDOWS\Tasks\At92.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 12:01:54 C:\WINDOWS\Tasks\At93.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 13:01:00 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 14:02:04 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 15:01:00 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At97.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At98.job"
"2007-09-12 18:00:00 C:\WINDOWS\Tasks\At99.job"
- C:\WINDOWS\system32\010M3X7k.exe
I never created the task.
This is why WinPatrol could protect you against this malware behavior (creation of tasks).
www.winpatrol.com
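The listing above shows dozens of At<n>.job files (the naming the at.exe scheduler uses) pointing at a few random-named executables in system32, which is how the malware kept relaunching itself hour by hour. The following is an added example, not code from the thread or from ComboFix: a parser for that "Scheduled Tasks" listing format that groups jobs by the program they run and reports the targets several at-jobs share. The excerpt in TASK_LISTING is constructed from a few of the lines posted above; the min_jobs threshold and the function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix "Scheduled Tasks" listing posted above
# (a handful of the At*.job entries, not the full list).
TASK_LISTING = r"""Contents of the 'Scheduled Tasks' folder
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At1.job"
"2007-08-31 19:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-31 20:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 14:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 17:01:00 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 18:01:00 C:\WINDOWS\Tasks\At75.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At98.job"
"""

# A job line: "<timestamp> <full path ending in .job>"; the command it runs, when the
# listing shows one, follows on the next line as "- <path>".
JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\\([^\\]+\.job))"$')
TARGET_RE = re.compile(r"^- (.+)$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def parse_task_listing(text: str) -> list:
    """Return one dict per job: timestamp, path, job (file name) and target (or None).
    A '- <path>' line is attached to the job entry immediately above it."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            jobs.append({"timestamp": m.group(1), "path": m.group(2),
                         "job": m.group(3), "target": None})
            continue
        t = TARGET_RE.match(line)
        if t and jobs:
            jobs[-1]["target"] = t.group(1)
    return jobs


def group_by_target(jobs: list) -> dict:
    """{target executable (or None): [job names]}."""
    groups = defaultdict(list)
    for job in jobs:
        groups[job["target"]].append(job["job"])
    return dict(groups)


def suspicious_targets(jobs: list, min_jobs: int = 2) -> dict:
    """Programs that at least min_jobs at-style jobs point to. A legitimate at-job
    is normally a one-off; many identical At<n>.job files aimed at the same
    executable are the relaunch pattern seen in this thread."""
    out = {}
    for target, names in group_by_target(jobs).items():
        if target is None:
            continue
        at_jobs = [n for n in names if AT_JOB_RE.match(n)]
        if len(at_jobs) >= min_jobs:
            out[target] = at_jobs
    return out


def jobs_without_target(jobs: list) -> list:
    """Jobs for which the listing shows no command line; these still need a look by hand."""
    return [job["job"] for job in jobs if job["target"] is None]


if __name__ == "__main__":
    parsed = parse_task_listing(TASK_LISTING)
    for target, names in suspicious_targets(parsed).items():
        print(f"{target}: {len(names)} at-jobs ({', '.join(names)})")
    print("no target shown:", ", ".join(jobs_without_target(parsed)))
```

On the full listing the same code would report three executables with well over a dozen jobs each, which is exactly the "did you put these there?" question the helper asks; the answer "I never created the task" is what makes the whole set removable.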
And I found a very strange folder, named catroot and catroot2.
Location is at C:\WINDOWS\system32\CatRoot2 and C:\WINDOWS\system32\CatRoot.
I think those are OK but I'll check further. For now let's go after the known malware.
[Files/Folders - Created Within 30 days]
NY -> At100.job -> %SystemRoot%\tasks\At100.job
NY -> At101.job -> %SystemRoot%\tasks\At101.job
NY -> At102.job -> %SystemRoot%\tasks\At102.job
NY -> At103.job -> %SystemRoot%\tasks\At103.job
NY -> At104.job -> %SystemRoot%\tasks\At104.job
NY -> At105.job -> %SystemRoot%\tasks\At105.job
NY -> At106.job -> %SystemRoot%\tasks\At106.job
NY -> At107.job -> %SystemRoot%\tasks\At107.job
NY -> At108.job -> %SystemRoot%\tasks\At108.job
NY -> At109.job -> %SystemRoot%\tasks\At109.job
NY -> At110.job -> %SystemRoot%\tasks\At110.job
NY -> At111.job -> %SystemRoot%\tasks\At111.job
NY -> At112.job -> %SystemRoot%\tasks\At112.job
NY -> At113.job -> %SystemRoot%\tasks\At113.job
NY -> At114.job -> %SystemRoot%\tasks\At114.job
NY -> At115.job -> %SystemRoot%\tasks\At115.job
NY -> At116.job -> %SystemRoot%\tasks\At116.job
NY -> At117.job -> %SystemRoot%\tasks\At117.job
NY -> At118.job -> %SystemRoot%\tasks\At118.job
NY -> At119.job -> %SystemRoot%\tasks\At119.job
NY -> At120.job -> %SystemRoot%\tasks\At120.job
NY -> At97.job -> %SystemRoot%\tasks\At97.job
NY -> At98.job -> %SystemRoot%\tasks\At98.job
NY -> At99.job -> %SystemRoot%\tasks\At99.job
[Files/Folders - Modified Within 30 days]
NY -> 1.ini -> %SystemRoot%\1.ini
NY -> IFinst27.exe -> %SystemRoot%\IFinst27.exe
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> popcinfo.dat -> %SystemRoot%\popcinfo.dat
NY -> At10.job -> %SystemRoot%\tasks\At10.job
NY -> At11.job -> %SystemRoot%\tasks\At11.job
NY -> At12.job -> %SystemRoot%\tasks\At12.job
NY -> At13.job -> %SystemRoot%\tasks\At13.job
NY -> At14.job -> %SystemRoot%\tasks\At14.job
NY -> At15.job -> %SystemRoot%\tasks\At15.job
NY -> At16.job -> %SystemRoot%\tasks\At16.job
NY -> At17.job -> %SystemRoot%\tasks\At17.job
NY -> At18.job -> %SystemRoot%\tasks\At18.job
NY -> At19.job -> %SystemRoot%\tasks\At19.job
NY -> At2.job -> %SystemRoot%\tasks\At2.job
NY -> At20.job -> %SystemRoot%\tasks\At20.job
NY -> At21.job -> %SystemRoot%\tasks\At21.job
NY -> At22.job -> %SystemRoot%\tasks\At22.job
NY -> At23.job -> %SystemRoot%\tasks\At23.job
NY -> At24.job -> %SystemRoot%\tasks\At24.job
NY -> At3.job -> %SystemRoot%\tasks\At3.job
NY -> At4.job -> %SystemRoot%\tasks\At4.job
NY -> At5.job -> %SystemRoot%\tasks\At5.job
NY -> At73.job -> %SystemRoot%\tasks\At73.job
NY -> At74.job -> %SystemRoot%\tasks\At74.job
NY -> At75.job -> %SystemRoot%\tasks\At75.job
NY -> At76.job -> %SystemRoot%\tasks\At76.job
NY -> At77.job -> %SystemRoot%\tasks\At77.job
NY -> At82.job -> %SystemRoot%\tasks\At82.job
NY -> At83.job -> %SystemRoot%\tasks\At83.job
NY -> At84.job -> %SystemRoot%\tasks\At84.job
NY -> At85.job -> %SystemRoot%\tasks\At85.job
NY -> At86.job -> %SystemRoot%\tasks\At86.job
NY -> At87.job -> %SystemRoot%\tasks\At87.job
NY -> At88.job -> %SystemRoot%\tasks\At88.job
NY -> At89.job -> %SystemRoot%\tasks\At89.job
NY -> At90.job -> %SystemRoot%\tasks\At90.job
NY -> At91.job -> %SystemRoot%\tasks\At91.job
NY -> At92.job -> %SystemRoot%\tasks\At92.job
NY -> At93.job -> %SystemRoot%\tasks\At93.job
NY -> At94.job -> %SystemRoot%\tasks\At94.job
NY -> At95.job -> %SystemRoot%\tasks\At95.job
NY -> At96.job -> %SystemRoot%\tasks\At96.job
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %SystemRoot%\IFinst27.exe
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{86AAC8D7-BA19-48AC-9269-3C76A52642EC}"=-
The moved files from OTMoveIt, should I delete them or just leave them??
You can leave it for now - we will clean things up later on.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{86AAC8D7-BA19-48AC-9269-3C76A52642EC}"=-
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bed513d0-4c67-11dc-9f0a-5050506f4531}]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {86AAC8D7-BA19-48AC-9269-3C76A52642EC} [HKLM] -> %System32%\msavpw1.dll [Extr rising hook MS]
[Files/Folders - Modified Within 30 days]
NY -> msavpw1.dll -> %System32%\msavpw1.dll
Yeah, my E: is a USB stick. If my USB stick brought it, what should I do?? Format the USB?
If there is nothing you need to keep on that drive, reformatting it would be easiest. Otherwise we can clean it.
I want to ask: every time I run ComboFix, avast detects a malware named dabora[trj]. What is that?? This is the new log.
ComboFix is safe - it's a false positive. As far as I know avast! is the only AV detecting this.
Files to delete:
C:\WINDOWS\system32\msavpw1.dll
C:\WINDOWS\system32\msavpw1.dll, don't care how many times we fix it, it still roots in the same place.
I know, but it's not that it won't delete. The file creation time stamps indicate it is being recreated each time we delete it. But I think we finally found the rootkits.
I think I brought it from my school PC, because I need a USB stick to bring school work back, but it infected my PC.
RavMonE.exe,AUTORUN.INF,msvcr71.dll
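RavMonE.exe sitting next to an AUTORUN.INF on a USB stick is the removable-drive autorun pattern: the .inf tells Explorer what to run when the drive is inserted or opened. The following is an added example, not code from the thread or from avast: an inspector that reads an autorun.inf read-only and lists everything it would launch, so a stick can be checked before it is double-clicked. The sample file contents are constructed for this example (the key names are the standard autorun.inf keys; the exact layout the worm used is not on the page and is my assumption).

```python
import re

# Constructed autorun.inf in the shape a removable-drive worm leaves behind;
# the program name comes from the thread, the key layout is an assumption.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\open\\Command=RavMonE.exe e
shell\\explore\\Command=RavMonE.exe e
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Keys that name a program to run directly.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command replaces Explorer's context-menu verb for the drive
# (Open, Explore, and the double-click default chosen by "shell=").
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> list:
    """Minimal INI parser returning (section, key, value) in file order.
    Keys are lower-cased; duplicates are kept, which configparser would collapse."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def launch_targets(text: str) -> list:
    """Every (key, command line) in the [autorun] section that would execute something."""
    targets = []
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        if key in LAUNCH_KEYS:
            targets.append((key, value))
        else:
            m = SHELL_COMMAND_RE.match(key)
            if m:
                targets.append((f"shell\\{m.group(1)}\\command", value))
    return targets


def executables(text: str) -> list:
    """Distinct program names referenced, lower-cased, for a quick scan or VirusTotal look-up."""
    names = []
    for _, value in launch_targets(text):
        exe = value.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
        if exe not in names:
            names.append(exe)
    return names


if __name__ == "__main__":
    for key, command in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{key:24} -> {command}")
    print("programs referenced:", ", ".join(executables(SAMPLE_AUTORUN_INF)))
```

Reading the .inf this way (for instance from a machine with AutoRun disabled, or with the stick mounted read-only) shows the payload name without ever executing it; once the program is known it can be scanned in the chest and the stick cleaned or reformatted as discussed above.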
mauserme, did we clean those malwares away already?? Did you suggest I repair my own Windows?? ;D
Do you mean a repair install?
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
There is a vulnerability in WinPcap versions prior to 4.0.1. It looks like you have Beta v0. The vulnerability allows attackers to execute code on your computer.
It was FAT and NTFS only, so I can't format it. And I cannot open that USB stick now.
I don't think this is related to the repair install. Do you have a format utility from the USB stick manufacturer or are you using Windows'?
And I used Spybot Search and Destroy to scan my PC; the result is my PC is clean. Is it really clean now??
The only thing left, that I was aware of, was C:\WINDOWS\system32\msavpw1.dll and whatever was bringing it back. If that's gone for good now I would say you are clean.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=-
"NoFolderOptions"=-
"DisableCMD"=-
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
@echo off
rem Clear the system/read-only/hidden attributes so del can remove the files.
attrib -s -r -h "C:\Windows\SYSTEM32\Flash.10.exe"
del /q "C:\Windows\SYSTEM32\Flash.10.exe"
attrib -s -r -h "C:\Windows\SYSTEM32\JambanMu.com"
del /q "C:\Windows\SYSTEM32\JambanMu.com"
exit
Hoho~ If I can I will do it ;D. For the sake of everyone here. But dewild1, the site you gave me, I really don't understand how to use it.
LOL. The guy who did our web site is too smart. Does not know how to do things simple! We are working on it.
Files to delete:
C:\WINDOWS\system32\msavpw1.dll
Yup, it is still in C:\WINDOWS\system32 but at another location. Spent a long time, and my eyes almost spoilt, to get it out. I have tried removing it with OTMoveIt, same result: after deleting, it comes back.
Monday, dang, I feel for ya, you could have built a new computer and rebuilt the NY twin towers by now.... Monday, let me give it a try.
@dewild1
Is there something you can do within the avast! forum. I think we would all like to learn from your abilities.
dewild1, I can't extract the file to the PC and it gets an error. Sorry about that.
That only happens if you run it twice. Try running help.exe just once, wait 5 sec, then you should get a box that says "Connect".
The remote software we use is made by http://www.gidsoftware.com/remotehelpdesk.htm and I can end this guy's frustration, 14 pages of it, I feel sorry for him.
Well "hands on" is always better than trying to fix by proxy, so if you can safely tunnel in maybe it would be better. I can't say for sure. But 14 pages to produce only a 99% cure is frustrating.
Confirmed! Spammers, if they can get hold of good high speed or a non-blacklisted IP, will fight like hell to keep it. They love computers that are on all the time and will fight to keep them. I have dealt with it before and trust me, I may know my stuff and most are a breeze, but as a business with a flat rate and a guarantee, I have lost days for just one client and a determined hacker.
I will say this. I have had a feeling for many pages now that there might be a hacker controlling this box. It's just a guess and I obviously haven't identified the vulnerability, but the disappearing batch file seems to indicate it too. If it or a similar file is found we might see some ftp commands ...
But again, it's just a feeling right now.
Dont worry, I am a nice, honest, good guy, normally it is not good to run things off the internet, but if you are worried, watch these TV spots about me.
http://cbs13.com/video/?id=6560@kovr.dayport.com
http://www.cbs13.com/video/?id=15413@kovr.dayport.com
http://www.cbs13.com/video/?id=15410@kovr.dayport.com
It is the virus.. Try Safe Mode with Networking.
Not really understand... does the virus block it or??
I think he refers to scanning in Safe Mode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting). You can choose the Safe Mode with Networking option.
dewild1, would you let me try one more time?? I made some changes to the PC settings; I think this time it can run. One more time we do it. I can't download the help.exe now, it says the invoice expired. And how long will it take for your check??
calciver, what type of network(s) does this computer connect to? Any unsecure wireless - non-password protected private lan or public wifi?
If I do most work in Safe Mode With Networking, 15 - 40 min.
If you reboot, then start pressing F8 Start up every one second, before windows loads, then use the arrow keys to select Safe Mode With Networking, press Enter twice. Log in, go to the link above through IE, (not firefox), run help.exe, I will be right there with you.
If it is halfway clean, like I think it is, I could do it all in regular mode, but sometimes the really bad ones need to be cleaned in Safe Mode with Networking. Even worse, some are such a B%$@& that we send them a www.UBCD4WIN.com with our remote software on it and fix it that way.
I do not think you are that bad. But if I cannot end the process with pskill or other utils we use, nor delete the B^$#* from the reg, then, ya, I will send you a CD with the XP OS and our utils on it.
I know how valuable all the settings and data are, etc, etc. We will not lose anything. It's what we do. 8)
No problem, just to reg mode..
You have dial up? WTF, ouch, don't you have a wifi next door you can "borrow" from or something? ;D
It is going to take forever to help you now. Please tell me it is some strange PPPoE or something.. :-\ :'( ???
It is a non-password-protected private LAN.
If it's wireless you should secure it with a password. An open wireless LAN could easily be the source of infection if an unknown user is using your connection. This could happen if the unknown has malicious intent or even just an infected computer. The same as dewild1 mentions about "borrowing" a connection ...
I still can't find C:\xuwffoua.bat
If my feeling about that batch file downloading files by ftp is correct (it's still a guess) then it's likely self-deleting.
I think the original poster must be Chinese. I have skimmed through it; here are my suggestions for you:
Check these items:
O4 - HKLM\..\Run: [commomds] C:\WINDOWS\system32\win32.exe
O4 - HKLM\..\Run: [RAVGJMON] C:\Program Files\Internet Explorer\RAVGJMON.exe
O4 - HKLM\..\Run: [RAVDTHXMON] C:\Program Files\Internet Explorer\RAVDTHXMON.exe
O4 - HKLM\..\Run: [RAVCHDMON] C:\Program Files\Internet Explorer\RAVCHDMON.exe
O4 - HKLM\..\Run: [win32] C:\WINDOWS\system32\win32.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\xxxvvw.dll",forkonce
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
From this log I can see that you have installed almost all of the junkiest domestic software: Storm Codec (暴风), Yahoo Assistant, Nero. I suggest you delete them all and use something else. Whatever in the startup items does not need to load, don't load it; your computer will be much quieter. Your computer probably still has a ROOTKIT, which is rather troublesome; avast may not be able to solve it. If you know how to use autoruns, you can try that. Ask again if you have any questions.
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b74252-6b65-11dc-a035-5050506f4531}]
Well the O2 BHO Web Assist doesn't appear in your latest log so hopefully that is gone.
The O17 entry would normally be associated with your ISP; if your ISP isn't in Malaysia then this is more likely to be malicious and possibly a Wareout infection. What is your ISP?
The question about fts.exe was not so much whether it is in another location, but did you install it? (I can only assume it is something to do with your connection.)
If it was FAT32 before you could try reformatting again with this option instead of NTFS. Can you see what files are on it?
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=550
Is WinPCap something you installed? Do you need it? I suggest you either remove it or update to the current version.
I know, I know, my "saying" says "you can sleep when your dead" but it is 11:30pm and I am a morning person. I am getting OLD OK >:( ;D
Log in tomorrow, I do not have any contact info for you because I set up his account to save you some steps, but I posted here and sent a personal message.... Goodnight :-[
... I had you logged in, saw many problems still active ...
Quote: O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
I just noticed I hadn't answered this question. That's just a stray line referring to a browser helper object for Windows Live Messenger. You don't need to worry about it right now, but we'll probably fix it when we're ready to finish up.
Also this one, should it be fixed or not??
I don't recognize this nor do i recall seeing it running on your computer in any prior logs
C:\Setup\Antivirus\help.exe
I'm assuming its something to do with dewild1's program. If that's accurate then I see nothing of concern in either of your most recent logs.
How is the computer running? Symptom free or still with problems?
Quote: Now is symptom free ...
Clean after only 18 short, fun-filled pages ;D
Quote: ... i will format the pc. Half years or 1 years format 1 time, friend suggestion :P
Please, there's no need for that now.
Quote: I don't recognize this nor do i recall seeing it running on your computer in any prior logs
yep, the SC is here, http://forum.avast.com/index.php?topic=30139.msg253114#msg253114
Quote: Comodo firewall compair with the ZoneAlarm, which 1 better??
Well... there are tons of reviews available.
And what are they pros and cons
Quote: Even though the guys and gals on the forum got you very clean, once you are infected, it is easy to become re-infected, that is unless you got my stuff.
So at this point you're just trying to install your software as a replacement (?) for other security soft?
Quote: I saw your posts on the firewall, please trust my experience; if malware can not run, NOR install, you do not need an OUTGOING firewall, only one for INCOMING. "Experts" may disagree, but with my CPULOCK an outgoing firewall is just an annoyance.
I am happier with outbound protection as well as inbound. I have Zone Alarm on a single computer and PC Tools Firewall on another just to keep up to date on them.
I will paste this email to give an update on the forum.
Earlier today, I had no mouse, tonight, no keyboard so I could not tell you what to do after I came back from the store!
Grrrrrrrrrr. Damn Keyboard, Mouse, Video switch is on the blink!
I hope IE 7 went ok and installed ok.
If you leave your computer on, it will lock and update to the latest version of my software. After that, it will be OK.
HOWEVER, I am truly worried about Avast blocking my programs because they are compiled with UPX. I saw it blocking several of them, the older ones, if it blocks the ones that are needed to lock things down and protect you, I fear the worst, for, I do not want you to get reinfected. :-)
Even though the guys and gals on the forum got you very clean, once you are infected, it is easy to become re-infected, that is unless you got my stuff.
I tried to exclude the actual directory and files from being scanned in Avast as well as the folder higher up.
I saw your posts on the firewall, please trust my experience; if malware can not run, NOR install, you do not need an OUTGOING firewall, only one for INCOMING. "Experts" may disagree, but with my CPULOCK an outgoing firewall is just an annoyance.
I will paste this email to give an update on the forum.
I would say comodo even though I don't use it, ZA free has become bloated with lots of trialware and its outbound protection is crippled to promote ZA Pro upgrade.