help me about Win32:Trojan-gen{other} and some virus

Let's try this, shall we?

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the report.
It contains some Chinese words; sorry for that. I set my PC to have Chinese word input, but I don't know why some setup file words became Chinese instead of English.
If you don't know what a Chinese word means, you can ask me.
Basically all the Chinese words inside the report are not very important :stuck_out_tongue:

ComboFix 09-04-25.A3 - Sean88 4/2009 Mon 11:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.2046.1484 [GMT 8:00]
执行位置: c:\documents and settings\Sean88\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090426-0] On-access scanning disabled (Updated)

* 成功创造新还原点
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Sean88\LOCALS~1\Temp\CmdLineExt03.dll
c:\documents and settings\Sean88\Local Settings\Temp\CmdLineExt03.dll

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32
-------\Service_RESSDT

((((((((((((((((((((((((( 2009-05-27 至 2009-4-27 的新的档案 )))))))))))))))))))))))))))))))
.

2009-04-26 19:04 . 2009-04-26 19:04 -------- d-----w c:\documents and settings\Sean88\Application Data\abelhadigital.com
2009-04-26 19:04 . 2009-04-26 19:04 -------- d-----w c:\documents and settings\All Users\Application Data\abelhadigital.com
2009-04-25 21:29 . 2009-04-25 21:29 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-25 21:29 . 2009-04-25 21:29 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-25 21:29 . 2009-04-25 21:29 -------- d-----w c:\documents and settings\Sean88\Application Data\SUPERAntiSpyware.com
2009-04-25 21:29 . 2009-04-25 21:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 21:29 . 2009-04-25 21:29 -------- d-----w c:\program files\Trend Micro
2009-04-25 21:27 . 2009-04-25 21:27 -------- d-----w c:\documents and settings\Sean88\Application Data\Malwarebytes
2009-04-25 21:27 . 2009-04-06 07:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 21:27 . 2009-04-06 07:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 21:27 . 2009-04-25 21:27 -------- d-----w c:\program files\Malwarebytes’ Anti-Malware
2009-04-25 21:27 . 2009-04-25 21:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 21:11 . 2009-04-25 21:11 8123 ----a-w c:\windows\system32\rrt_vf.wav
2009-04-25 21:11 . 2009-04-25 21:11 8093 ----a-w c:\windows\system32\rrt_tv.wav
2009-04-25 21:11 . 2009-04-25 21:11 7162 ----a-w c:\windows\system32\rrt_tn.wav
2009-04-25 21:11 . 2009-04-25 21:11 19177 ----a-w c:\windows\system32\rrt_is.wav
2009-04-25 19:45 . 2009-03-16 16:26 2771933 ----a-w c:\windows\system32\GameMon.des
2009-04-25 19:45 . 2005-01-01 09:43 4682 ----a-w c:\windows\system32\npptNT2.sys
2009-04-25 19:45 . 2003-07-17 18:17 5174 ----a-w c:\windows\system32\nppt9x.vxd
2009-04-25 19:44 . 2009-04-25 19:44 -------- d-----w c:\program files\Common Files\INCA Shared
2009-04-24 13:49 . 2009-04-24 13:49 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-24 13:49 . 2009-04-24 13:49 244 ---ha-w C:\sqmdata01.sqm
2009-04-19 11:01 . 2009-04-19 11:01 -------- d-----w c:\documents and settings\Sean88\Application Data\Kingsoft
2009-04-14 17:26 . 2009-04-14 17:26 -------- d-----w c:\documents and settings\Sean88\Local Settings\Application Data\Thunder Network
2009-04-11 10:53 . 2009-04-11 10:53 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-11 07:55 . 2004-08-03 14:58 14848 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-04-11 07:55 . 2004-08-03 14:58 14848 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-04-09 19:58 . 2009-04-09 19:58 249856 ------w c:\windows\Setup1.exe
2009-04-09 19:58 . 2009-04-09 19:58 73216 ----a-w c:\windows\ST6UNST.EXE
2009-04-09 19:41 . 2009-04-09 19:41 -------- d-----w c:\program files\Alwil Software
2009-04-09 14:40 . 2009-04-09 14:48 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-04-09 14:40 . 2009-04-09 14:48 17212 ----atw c:\windows\system32\SIntf32.dll
2009-04-09 14:40 . 2009-04-09 14:48 12067 ----atw c:\windows\system32\SIntf16.dll
2009-04-09 14:38 . 2009-04-09 14:47 36741 ----a-w c:\windows\DIIUnin.dat
2009-04-09 14:38 . 2009-04-09 14:38 94208 ----a-w c:\windows\DIIUnin.exe
2009-04-09 14:38 . 2009-04-09 14:38 2829 ----a-w c:\windows\DIIUnin.pif
2009-04-08 06:43 . 2009-04-08 06:43 -------- d-----w c:\windows\GameBuffet
2009-04-07 14:25 . 2009-04-07 14:26 -------- d-----w c:\program files\Warcraft III
2009-04-05 10:01 . 2009-04-27 03:24 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-05 10:01 . 2009-04-05 10:01 1409 ----a-w c:\windows\QTFont.for
2009-04-05 10:01 . 2009-04-05 10:01 -------- d-----w c:\documents and settings\Sean88\Application Data\Apple Computer
2009-04-05 10:00 . 2009-04-05 10:00 -------- d-----w c:\program files\iPod
2009-04-05 10:00 . 2009-04-05 10:00 -------- d-----w c:\program files\iTunes
2009-04-05 10:00 . 2009-04-05 10:00 -------- d-----w c:\program files\Bonjour
2009-04-05 10:00 . 2009-04-05 10:00 -------- d-----w c:\documents and settings\Sean88\Local Settings\Application Data\Apple
2009-04-05 09:59 . 2009-04-05 09:59 -------- d-----w c:\program files\Apple Software Update
2009-04-05 09:59 . 2009-04-05 09:59 -------- d-----w c:\program files\Common Files\Apple
2009-04-05 09:59 . 2009-04-05 09:59 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-05 09:59 . 2009-04-05 10:01 -------- d-----w c:\documents and settings\Sean88\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 03:25 . 2009-02-18 18:27 4458 ----a-w c:\windows\system32\cid_store.dat
2009-04-26 15:38 . 2009-01-14 15:40 90352 ----a-w c:\documents and settings\Sean88\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 11:00 . 2009-01-15 11:44 -------- d-----w c:\program files\Cheat Engine
2009-04-23 03:05 . 2009-01-25 09:14 -------- d-----w c:\program files\Cheat Engine1
2009-04-22 09:28 . 2009-04-22 09:28 4 ----a-w c:\windows\system32\drivers\ok5.txt
2009-04-22 09:28 . 2009-04-22 09:28 4 ----a-w c:\windows\system32\drivers\ok4.txt
2009-04-22 09:27 . 2009-04-22 09:27 4 ----a-w c:\windows\system32\drivers\ok3.txt
2009-04-22 09:26 . 2009-04-22 09:26 4 ----a-w c:\windows\system32\drivers\ok2.txt
2009-04-22 09:18 . 2009-02-18 18:26 -------- d-----w c:\program files\Thunder Network
2009-04-20 10:15 . 2009-01-14 15:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 15:01 . 2009-01-27 16:20 -------- d-----w c:\program files\Garena
2009-04-05 10:00 . 2009-01-14 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-01 07:29 . 2009-01-14 16:07 -------- d-----w c:\program files\Java
2009-03-19 12:46 . 2009-03-19 12:46 -------- d-----w c:\documents and settings\Sean88\Application Data\Xilisoft Corporation
2009-03-19 12:45 . 2009-03-19 12:45 -------- d-----w c:\program files\Xilisoft
2009-03-08 21:19 . 2009-01-14 16:08 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-04 21:15 . 2009-02-03 09:34 7277568 ----a-w c:\windows\system32\3gpcore.dll
2009-01-30 04:57 . 2009-01-30 04:57 268 ---ha-w C:\sqmdata00.sqm
2009-01-30 04:57 . 2009-01-30 04:57 244 ---ha-w C:\sqmnoopt00.sqm
2008-12-01 09:2009-02-18 18:27 43:56 . c:\program files\mozilla firefox\components\NsThunderLoader.dll
2008-12-01 09:2009-02-18 18:27 43:56 . c:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2004-08-03 15:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-03 15:14 359040 85FB316CFD966DDEED8407C596321976 c:\windows\system32\drivers\tcpip.sys

.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
注意 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5DC8911-DCD3-49CE-AE95-8AD512F2D280}]
2009-04-16 06:34 164816 ----a-w c:\program files\Thunder Network\GougouToolbar\2.0.1.20\GougouToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{D5DC8911-DCD3-49CE-AE95-8AD512F2D280}”= “c:\program files\Thunder Network\GougouToolbar\2.0.1.20\GougouToolbar.dll” [2009-04-16 164816]

[HKEY_CLASSES_ROOT\clsid\{d5dc8911-dcd3-49ce-ae95-8ad512f2d280}]
[HKEY_CLASSES_ROOT\GougouToolbar.WebBrowserBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{1E020BA8-B9A6-46D4-9BCA-846D73BFDB37}]
[HKEY_CLASSES_ROOT\GougouToolbar.WebBrowserBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\ctfmon.exe” [2004-08-03 15360]
“AlcoholAutomount”=“c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe” [2008-02-22 217544]
“MessengerPlus3”=“c:\program files\MessengerPlus! 3\MsgPlus.exe” [2009-01-14 190024]
“MSMSGS”=“c:\program files\Messenger\msmsgs.exe” [2004-08-03 1667584]
“SUPERAntiSpyware”=“c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2009-03-23 1830128]
“msnmsgr”=“c:\program files\MSN Messenger\msnmsgr.exe” [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IMJPMIG8.1”=“c:\windows\IME\imjp8_1\IMJPMIG.EXE” [2004-08-03 208952]
“PHIME2002ASync”=“c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE” [2004-08-03 455168]
“PHIME2002A”=“c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE” [2004-08-03 455168]
“NvCplDaemon”=“c:\windows\system32\NvCpl.dll” [2006-08-11 7630848]
“NvMediaCenter”=“c:\windows\system32\NvMcTray.dll” [2006-08-11 86016]
“JMB36X IDE Setup”=“c:\windows\JM\JMInsIDE.exe” [2006-10-31 36864]
“36X Raid Configurer”=“c:\windows\system32\JMRaidSetup.exe” [2006-11-17 1953792]
“CTSysVol”=“c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe” [2005-10-31 57344]
“UpdReg”=“c:\windows\UpdReg.EXE” [2000-05-10 90112]
“StormCodec_Helper”=“c:\program files\Ringz Studio\Storm Codec\StormSet.exe” [2006-09-30 96984]
“MessengerPlus3”=“c:\program files\MessengerPlus! 3\MsgPlus.exe” [2009-01-14 190024]
“Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2008-06-11 34672]
“GrooveMonitor”=“c:\program files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-26 31016]
“NeroFilterCheck”=“c:\program files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-03-07 161328]
“Thunder”=“c:\program files\Thunder Network\Thunder\Thunder.exe” [2008-12-01 50640]
“SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2009-03-08 148888]
“QuickTime Task”=“c:\program files\Ringz Studio\Storm Codec\qttask.exe” [2008-01-31 385024]
“iTunesHelper”=“c:\program files\iTunes\iTunesHelper.exe” [2008-02-19 267048]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-02-05 81000]
“RRT-Auto”=“c:\documents and settings\Sean88\Desktop\RRT\RRT.exe” [2009-03-17 152576]
“nwiz”=“nwiz.exe” - c:\windows\system32\nwiz.exe [2006-08-11 1519616]
“SkyTel”=“SkyTel.EXE” - c:\windows\SkyTel.exe [2006-05-16 2879488]
“P17Helper”=“P17.dll” - c:\windows\system32\P17.dll [2005-05-03 64512]
“RTHDCPL”=“RTHDCPL.EXE” - c:\windows\RTHDCPL.exe [2006-11-14 16270848]
“SoundMan”=“SOUNDMAN.EXE” - c:\windows\SoundMan.exe [2006-07-21 86016]
“AlcWzrd”=“ALCWZRD.EXE” - c:\windows\alcwzrd.exe [2006-05-04 2808832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2004-08-03 15360]

c:\documents and settings\Sean88\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“NoViewOnDrive”= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoViewOnDrive”= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{F86369D9-52D7-4CA1-BF3C-34B173E51222}”= “c:\program files\Common Files\Microsoft Shared\MSInfo\System.sys” [2009-04-22 28346]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program files\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
2008-12-22 04:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\Program Files\MSN Messenger\msnmsgr.exe”=
“c:\Program Files\MSN Messenger\livecall.exe”=
“c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=
“c:\Program Files\Microsoft Office\Office12\GROOVE.EXE”=
“c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”=
“e:\Program Files\Left 4 Dead\left4dead.exe”=
“e:\bitcomet\BitComet.exe”=
“c:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe”=
“c:\Program Files\Bonjour\mDNSResponder.exe”=
“c:\Program Files\iTunes\iTunes.exe”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“26243:TCP”= 26243:TCP:BitComet 26243 TCP
“26243:UDP”= 26243:UDP:BitComet 26243 UDP
“26723:TCP”= 26723:TCP:BitComet 26723 TCP
“26723:UDP”= 26723:UDP:BitComet 26723 UDP

R3 aswArKrn;aswArKrn;
R3 dump_wmimmc;dump_wmimmc;
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2771933]
S1 aswSP;avast! Self Protection;
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-09 18944]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-09 33792]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

.
‘计划任务’ 文件夹 里的内容

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 06:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ACDC15CD-B675-4C7C-86E9-CA92F2DF2896} - c:\program files\Thunder Network\GouGouToolbar\GougouToolBarHelper_now.dll

.
------- 而外的扫描 -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
FF - ProfilePath - c:\documents and settings\Sean88\Application Data\Mozilla\Firefox\Profiles\fs4ak38w.default
.


扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案:


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
“ImagePath”=“c:\windows\system32\GameMon.des -service”
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3064)
c:\program files\MessengerPlus! 3\MsgPlusLoader1.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conime.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.


.
完成时间: 2009-04-27 11:26 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-04-27 03:26

Pre-Run: 33,785,548,800 bytes free
Post-Run: 34,236,882,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect

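A ComboFix log like the one posted above is long, and a helper reads it by looking for a few patterns first. As an added example (not ComboFix's own code, and written for this thread rather than taken from it), here is a small Python triage script that pulls out three of them: Sigcheck rows where two copies of the same file name carry different MD5s (as the dllcache and drivers copies of tcpip.sys do above), executables created directly in a Temp folder, the Windows root or system32, and Run-key images that live outside Program Files or Windows. The sample lines are constructed from the log in this thread; the directory lists, extension list and the "review" rules are assumptions of this example, not anything ComboFix itself applies. Flagged means "look at it", not "infected".

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's code)."""
import re
from collections import defaultdict

# Sigcheck row: [flag] date time size MD5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*)$"
)
# "New files" row: created . modified size attrs path (directories show dashes for size)
NEWFILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>\S+)\s+(?P<path>\S.*)$"
)
# Autorun row: "Name"="image" [- resolved path] [date size]
RUNKEY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<image>[^"]+)"'
    r'(?:\s+-\s+(?P<resolved>.+?))?(?:\s+\[(?P<stamp>[^\]]+)\])?\s*$'
)

# Assumptions of this example: parent folders where a freshly created executable
# deserves a second look, extensions treated as executable, and the roots under
# which autorun images are normally expected.
DROP_PARENTS = ("\\temp\\", "\\windows\\", "\\system32\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".pif")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def normalize(line):
    """Straighten the curly quotes that pasting a log into a forum post introduces."""
    return line.replace("\u201c", '"').replace("\u201d", '"').strip()


def parse_log(text):
    """Split the rows we recognise into sigcheck / new_files / run lists of dicts."""
    found = {"sigcheck": [], "new_files": [], "run": []}
    for raw in text.splitlines():
        line = normalize(raw)
        for key, rx in (("sigcheck", SIGCHECK_RE), ("new_files", NEWFILE_RE), ("run", RUNKEY_RE)):
            m = rx.match(line)
            if m:
                found[key].append(m.groupdict())
                break
    return found


def hash_mismatches(sig_rows):
    """File names whose listed copies (e.g. dllcache vs drivers) have different MD5s."""
    by_name = defaultdict(dict)
    for row in sig_rows:
        name = row["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][row["path"].lower()] = row["md5"].upper()
    return {n: copies for n, copies in by_name.items() if len(set(copies.values())) > 1}


def suspicious_new_files(new_rows):
    """Executables created directly under a Temp folder, the Windows root or system32."""
    hits = []
    for row in new_rows:
        if row["attrs"].startswith("d") or not row["size"].isdigit():
            continue  # directory rows: dashes for size, 'd' in the attribute column
        path = row["path"].lower()
        parent = path.rsplit("\\", 1)[0] + "\\"
        if path.endswith(EXEC_EXT) and parent.endswith(DROP_PARENTS):
            hits.append(row["path"])
    return hits


def autoruns_to_review(run_rows):
    """Run-key entries whose image is not under Program Files or Windows."""
    hits = []
    for row in run_rows:
        image = row["resolved"] or row["image"]
        if not image.lower().startswith(TRUSTED_ROOTS):
            hits.append((row["name"], image))
    return hits


def triage(text):
    parsed = parse_log(text)
    return {
        "hash_mismatches": hash_mismatches(parsed["sigcheck"]),
        "new_executables": suspicious_new_files(parsed["new_files"]),
        "autoruns_to_review": autoruns_to_review(parsed["run"]),
    }


# Constructed sample: a handful of rows copied from the log in this thread.
SAMPLE_LOG = r"""
[7] 2004-08-03 15:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-03 15:14 359040 85FB316CFD966DDEED8407C596321976 c:\windows\system32\drivers\tcpip.sys
2009-04-25 21:27 . 2009-04-06 07:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 21:29 . 2009-04-25 21:29 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-09 19:58 . 2009-04-09 19:58 249856 ------w c:\windows\Setup1.exe
2009-04-25 21:11 . 2009-04-25 21:11 8123 ----a-w c:\windows\system32\rrt_vf.wav
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]
"RRT-Auto"="c:\documents and settings\Sean88\Desktop\RRT\RRT.exe" [2009-03-17 152576]
"""

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, findings)
```

Run it against the full pasted log (read the file instead of SAMPLE_LOG) and the three lists are the starting points: a hash mismatch between two copies of a system driver is worth comparing against a known-good copy, a dropped executable in Temp or system32 is worth dating against when the alerts started, and an autorun outside the usual roots is worth confirming as something the user installed on purpose (RRT on the Desktop, above, is the user's own tool).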

Is Avast still reporting the virus?

If so, I will do a deeper search.

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Healing/Quarantine and Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post, or upload them to Mediafire (http://www.mediafire.com/) and post the sharing link.

Yeah, it is still alerting.
Now I'm doing the AVZ solution.

http://www.mediafire.com/file/aoztgmmwmzo/virusinfo_syscheck.zip
http://www.mediafire.com/file/godxjzjzdhm/virusinfo_syscure.zip
Here are the zip files.

If Avast still alerts on the virus,
I will inform you in the post.
Mostly within 30 min I will know.

It is still alerting on the virus.

It is sooooooooooooooooooooooooooooooo annoying.

Messenger Plus comes bundled with adware; however, you can remove that element in the following way.

First of all, close any instances of MSN Messenger & Internet Explorer (IEXPLORE.EXE), then go to Control Panel > Add/Remove programs, then scroll down to “Messenger Plus! 3”. You can then press “Uninstall the sponsor program only.”
As the adware bundled in the installer is optional, and it isn’t required for Messenger Plus! to work, it is simply a form of income for Patchou. Then follow the steps that it gives, then you can restart your computer, and your computer will be 100% free of any c2media adware.

THEN

Please download ATF Cleaner by Atribune.
This program is for XP, Vista and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Can you confirm the location of this file that Avast is alerting on?

My virus is at C:\DOCUME~1\Sean88\LOCALS~1\Temp\2.exe,
but when I use Avast and scan only that folder it finds nothing (totally clean), and I don't know why it keeps on alerting.

I used the cleaner to clean all the files except saved passwords,
but it still alerts on the virus.

Run ATF and let me know if you still get it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:

:dir
C:\DOCUME~1\Sean88\LOCALS~1\Temp

[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

I have run ATF and cleaned all things in Main and in Firefox; after a while it still gets the virus alert.

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 05:11 on 28/04/2009 by Sean88 (Administrator - Elevation successful)

========== dir ==========

C:\DOCUME~1\Sean88\LOCALS~1\Temp - Parameters: “(none)”

—Files—
etilqs_6XyAazWhJphak5cX7nMh --ah-- 0 bytes [20:27 27/04/2009] [20:27 27/04/2009]
MsgPlusUninst.bat --a--- 1862 bytes [21:06 27/04/2009] [21:06 27/04/2009]
~DF26E2.tmp --a--- 49152 bytes [20:36 27/04/2009] [20:36 27/04/2009]

—Folders—
MessengerCache d----- [21:06 27/04/2009]
avast4 d----- [21:03 27/04/2009]

-=End Of File=-

Scan this one with Avast - right click and select scan with Avast
C:\DOCUME~1\Sean88\LOCALS~1\Temp\MsgPlusUninst.bat as this appears to be updated just minutes ago

Nothing found after scanning C:\DOCUME~1\Sean88\LOCALS~1\Temp\MsgPlusUninst.bat.

Do I need to reboot my PC after using ATF to clear the temp files?

OK, I will use a very strong tool now to see if that file is present.

1. Please download The Avenger2 by Swandog46 to your Desktop.
   [*] Right click on the Avenger.zip folder and select “Extract All…”
   [*] Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:

Files to delete:
C:\DOCUME~1\Sean88\LOCALS~1\Temp\2.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

4. The Avenger will automatically do the following:
   [*] It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
   [*] After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
   [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Apr 28 05:41:06 2009

05:41:06: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file “C:\DOCUME~1\Sean88\LOCALS~1\Temp\2.exe” not found!
Deletion of file “C:\DOCUME~1\Sean88\LOCALS~1\Temp\2.exe” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Completed script processing.


Finished! Terminate.

… OMG :o
Error: file “C:\DOCUME~1\Sean88\LOCALS~1\Temp\2.exe” not found!
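The log posted above shows two Avenger runs: the first aborted at the pre-processor with "A valid script must begin with a command directive", the second read the script and reported the file as not found. As an added example (not Swandog46's code, and not part of this thread's instructions), here is a small Python parser for that script format which applies the same first-line rule and lists what each directive would act on, so a pasted script can be checked before it is run. It only knows the three directives this thread names ("Files to delete:", "Drivers to delete:", "Drivers to disable:"); that list and the absolute-path check are assumptions of the example, not the tool's full grammar. Both sample scripts are constructed; the failing one simply carries a stray non-directive line at the top, which is one way to produce the same error the log shows.

```python
"""Parser/validator for The Avenger's script format (added example, not the tool's code)."""
import re

# Directives named in this thread; an assumption of the example, not the full grammar.
DIRECTIVES = ("files to delete:", "drivers to delete:", "drivers to disable:")
# Targets under "Files to delete:" are expected to be absolute Windows paths.
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


def parse_script(text):
    """Return (blocks, errors): blocks maps each directive to its target lines.

    Mirrors the rule the pre-processor log states: the first non-blank line must
    be a directive, otherwise processing stops there.
    """
    blocks, errors = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines separate blocks and are ignored
        if line.lower() in DIRECTIVES:
            current = line.lower()
            blocks.setdefault(current, [])
            continue
        if current is None:
            errors.append(f"line {lineno}: a valid script must begin with a command directive, got {line!r}")
            return blocks, errors  # abort, as the tool does
        if current == "files to delete:" and not WIN_PATH_RE.match(line):
            errors.append(f"line {lineno}: expected an absolute path under 'Files to delete:', got {line!r}")
            continue
        blocks[current].append(line)
    for directive, targets in blocks.items():
        if not targets:
            errors.append(f"directive {directive!r} lists no targets")
    return blocks, errors


def is_valid(text):
    """True when the script parses with no errors."""
    return not parse_script(text)[1]


# Constructed samples. GOOD_SCRIPT is the script from this thread; BAD_SCRIPT has a
# stray instruction line pasted above the directive.
GOOD_SCRIPT = "Files to delete:\nC:\\DOCUME~1\\Sean88\\LOCALS~1\\Temp\\2.exe\n"
BAD_SCRIPT = "Begin copying here:\n\nFiles to delete:\nC:\\DOCUME~1\\Sean88\\LOCALS~1\\Temp\\2.exe\n"

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        blocks, errors = parse_script(script)
        print(name, "blocks:", blocks, "errors:", errors)
```

The parser stops at the first offending line on purpose, so the error it reports points at the exact line that needs removing; a directive with nothing under it is reported too, since such a script would reboot the machine for no effect.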

Now this is intriguing, as if it was there it would find and kill it. Avenger loads before Windows with full super admin rights, so I guess it’s not there. Now the question is what Avast is finding, and why.

Does it only find it on boot?

Dirlook showed nothing either, although it only has admin rights.

Is there anything in the Avast virus chest?

Does Avast try to delete it?

What do you mean by “find it on boot”?
I'm not sure how it finds it.
It keeps on alerting since I accidentally downloaded an unknown file which contained a virus; Avast alerted and I chose to delete,
but at that time there was 1 virus (forgot what name) that couldn't be deleted because it said that it has been in use.
Inside the virus chest there are:
C:\Documents and Settings\Sean88\Local Settings\Temp\12.exe
C:\DOCUME~1\Sean88\LOCALS~1\Temp\2.exe
C:\System Volume Information\_restore{ABC8BA5C-B0EB-4CD0-BB40-578E941277E2}\RP124\A0009647.dll
C:\System Volume Information\_restore{ABC8BA5C-B0EB-4CD0-BB40-578E941277E2}\RP124\A0009648.dll
C:\WINDOWS\system32\killkb.dll
The others I can't copy.

I put a print screen for you.

OMG, why suddenly infected with so many trojans and malware?
I did not download anything.
Many of them can't be moved to the chest or deleted; it says they are being used by another program.

I give up already.
I will format my computer NOW!!!
Formatting takes about 2-3 hours,
better than fixing the virus (I have already been thinking of ways to fix the virus for 4 days and the virus is still there; furthermore it got infected with new malware and viruses AGAIN).

This makes me soooooooooooooooooooooo mAD.