Help me to remove a virus
RE: Help me to remove a virus #17
(09-04-2011, 12:23 PM)JuiceKing Wrote: My AV detects this virus in C:\System Volume\... I remove it with the AV and it is detected again. How can I remove it?

[Image: 2dbw5d1.jpg]

My log analysis:

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:56:10 AM, on 9/5/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AntiLogger\AntiLogger.exe
E:\sandboxie\SbieCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\BANE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=;ftp=;https=;
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live pomagac za prijavljivanje - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\java\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AntiLogger] "C:\Program Files\AntiLogger\AntiLogger.exe" /minimized
O4 - HKCU\..\Run: [SandboxieControl] "E:\sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - E:\sandboxie\SbieSvc.exe

--
End of file - 4974 bytes

Combofix analyze:
Code:
ComboFix 11-09-03.01 - BANE 09/04/2011  17:33:10.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1527 [GMT 2:00]
Running from: c:\documents and settings\BANE\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk
c:\documents and settings\BANE\Application Data\addons.dat
c:\documents and settings\BANE\Application Data\BANE3SQLite3.dll
c:\documents and settings\BANE\Application Data\chrtmp
c:\documents and settings\BANE\Application Data\data.dat
c:\documents and settings\BANE\Application Data\logs.dat
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchplugins\SearchquWebSearch.xml
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\games\00d2dfc64c07a4f32824abac1d6f735b
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\games\3e4265e00cbc4a9cf22a105046a46d8a
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\games\44a5d79f5451d3036ba3986425e234c8
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\games\GameCategories.xml
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\games\GameTypes.xml
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\guid.dat
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\preferences.dat
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\stats.dat
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\uninstallFF.dat
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\widgets_cache\84b70525cff6359fdeca553342c23e4c
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\widgets_cache\bf5b6317ae07da699882fc948f22eda4
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\widgets_cache\category_cache.xml
c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\searchqutb\widgets_cache\widget_cache.xml
c:\documents and settings\BANE\Application Data\searchqutb
c:\documents and settings\BANE\Application Data\searchqutb\dtx.ini
c:\documents and settings\BANE\Application Data\searchqutb\games\GameTypes.xml
c:\documents and settings\BANE\Application Data\searchqutb\guid.dat
c:\documents and settings\BANE\Application Data\searchqutb\preferences.dat
c:\documents and settings\BANE\Application Data\searchqutb\stats.dat
c:\documents and settings\BANE\Application Data\searchqutb\uninstallIE.dat
c:\documents and settings\BANE\Application Data\searchqutb\widgets_cache\category_cache.xml
c:\documents and settings\BANE\Application Data\searchqutb\widgets_cache\widget_cache.xml
c:\documents and settings\BANE\My Documents\10.mp3
c:\program files\messenger\msmsgsin.exe
c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\nscf.dat
c:\program files\RelevantKnowledge\rloci.bin
C:\Win
c:\win\lsass.exe
c:\win\names.txt
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\SkinH_EL.dll
c:\windows\system32\Windupdt
c:\windows\system32\wpcap.dll
c:\windows\WindowsXP-KB822603-x86.exe
c:\windows\XSxS
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_SSHNAS
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2011-08-04 to 2011-09-04  )))))))))))))))))))))))))))))))
.
.
2011-09-03 22:13 . 2011-09-03 22:15    --------    d-----w-    c:\documents and settings\BANE\Local Settings\Application Data\Temporary Projects
2011-08-30 11:56 . 2011-08-30 11:56    --------    d-----w-    C:\My Music
2011-08-30 11:54 . 2011-08-30 11:54    --------    d-----w-    c:\documents and settings\All Users\Application Data\easetech
2011-08-24 18:40 . 2011-08-24 18:40    --------    d-----w-    c:\documents and settings\All Users\Application Data\prfree
2011-08-22 20:59 . 2011-08-22 20:59    --------    d-----w-    c:\windows\Simple Port Forwarding
2011-08-19 09:05 . 2011-08-19 09:05    --------    d-----w-    c:\documents and settings\BANE\Application Data\AutoHideIP
2011-08-19 09:05 . 2011-08-19 09:05    --------    d-----w-    c:\documents and settings\All Users\Application Data\AutoHideIP
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 20:43 . 2011-07-01 15:28    404640    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 12:05 . 2011-05-15 09:53    0    ----a-w-    c:\windows\system32\ConduitEngine.tmp
2011-07-04 10:05 . 2011-05-28 18:08    66616    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2011-07-04 10:05 . 2011-05-28 18:08    138192    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2011-06-29 09:38 . 2011-06-29 09:38    271360    ----a-w-    c:\windows\system32\drivers\atksgt.sys
2011-06-29 09:38 . 2011-06-29 09:38    18048    ----a-w-    c:\windows\system32\drivers\lirsgt.sys
2011-06-27 16:37 . 2011-06-27 16:37    2829    ----a-w-    c:\windows\War3Unin.pif
2011-06-27 16:37 . 2011-06-27 16:37    126976    ----a-w-    c:\windows\War3Unin.exe
2010-07-08 08:37 . 2010-07-08 08:37    101544    ----a-w-    c:\program files\Common Files\LinkInstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="e:\sandboxie\SbieCtrl.exe" [2011-03-24 409320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2010-02-09 2339176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Documents and Settings^BANE^Start Menu^Programs^Startup^FriendCaller.lnk]
path=c:\documents and settings\BANE\Start Menu\Programs\Startup\FriendCaller.lnk
backup=c:\windows\pss\FriendCaller.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29    937920    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45    35736    ----a-w-    e:\adobe reader\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTyperMurGee]
2009-11-16 11:20    43520    ----a-w-    e:\auto typer by murgee\AutoTyper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2001-09-24 14:08    136176    ----atw-    c:\documents and settings\BANE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-25 19:27    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
2011-06-23 19:39    124216    ----a-w-    c:\program files\ICQ7.5\ICQ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-06-16 05:55    6276408    ----a-w-    e:\yahoo\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:12    3872080    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-09-27 16:19    13918208    ----a-w-    c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-09-27 16:19    86016    ----a-w-    c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-03-24 11:24    409320    ----a-w-    e:\sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-04-04 09:22    1822720    ------r-    c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
2006-09-15 12:21    675840    ----a-w-    c:\windows\vsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SbieSvc"=2 (0x2)
"nvsvc"=2 (0x2)
"LcAgent"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"e:\\CarbonCS v1.2\\cstrike.exe"=
"d:\\java\\bin\\javaw.exe"=
"c:\\Program Files\\ICQ7.5\\ICQ.exe"=
"e:\\yahoo\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\BANE\\Desktop\\utorrent.exe"=
"e:\\port forwarding\\spf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\CS 1.6 MIXER EDITION\\hl.exe"=
"e:\\Warcraft III\\Warcraft III.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"100:TCP"= 100:TCP:HTTP
"100:UDP"= 100:UDP:HTTP
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/1/2010 2:25 PM 716272]
R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2/9/2010 5:50 PM 116072]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2011 8:08 PM 136360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [12/12/2001 10:19 PM 247608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 GUCI_AVS;Canyon USB2.0 PC Camera;c:\windows\system32\DRIVERS\GUCI_AVS.sys --> c:\windows\system32\DRIVERS\GUCI_AVS.sys [?]
S3 nordicis;Flexcrypt Service;c:\windows\system32\DRIVERS\nordicis.sys --> c:\windows\system32\DRIVERS\nordicis.sys [?]
S3 nordicisMP;nordicisMP;c:\windows\system32\DRIVERS\nordicis.sys --> c:\windows\system32\DRIVERS\nordicis.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1214440339-839522115-1003Core.job
- c:\documents and settings\BANE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2001-09-24 14:08]
.
2011-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1214440339-839522115-1003UA.job
- c:\documents and settings\BANE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2001-09-24 14:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
mStart Page = about:blank
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\BANE\Application Data\Mozilla\Firefox\Profiles\fzodb0s9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://google.rs
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.1.9&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - d:\firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - d:\java\lib\deploy\jqs\ff
FF - Ext: ICQ Toolbar: {800b5000-a755-47e1-992b-48a1c1357f07} - %profile%\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
FF - Ext: Auto Hide IP: support@auto-hide-ip.com - %profile%\extensions\support@auto-hide-ip.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-5GUTNY6MFK - c:\windows\Prozoa.exe
MSConfigStartUp-BabylonToolbar - c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe
MSConfigStartUp-HKCU - c:\windows\system32\notpadee\notpadee.exe
MSConfigStartUp-HKLM - c:\windows\system32\notpadee\notpadee.exe
MSConfigStartUp-R8388QA8U8 - c:\docume~1\BANE\LOCALS~1\Temp\Pqx.exe
MSConfigStartUp-USBAV - c:\program files\USB Virus Cleaner\USBAV.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-04 17:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1004336348-1214440339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A8CD6AB7-D769-A46C-47AD-89C07A9E9BDC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iahbgopdfhchfffffe"=hex:6a,61,6c,63,6c,67,6b,69,63,6f,6c,69,65,6d,67,63,69,64,
   65,6c,00,6e
"hajbiinmgkafgdgl"=hex:6a,61,6c,63,6c,67,6b,69,63,6f,6c,69,65,6d,67,63,69,64,
   65,6c,00,6e
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c2,fc,34,a8,ee,57,df,2c,0a,37,e7,4f,6f,0e,61,33,c6,c9,3a,5d,60,
   f0,ed,f9,b0,12,c7,66,0e,ba,d6,69,6a,ac,cf,c7,e7,6f,ec,51,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ed8b8261-274a-404e-b1d6-fb0cedeab111}]
@Denied: (Full) (Everyone)
"Model"=dword:0000016c
"Therad"=dword:00000022
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,ab,9e,50,1b,eb,77,d1,ab,a7,e4,bd,02,7c,51,c8,b4,83,e0,8b,c5,07,bb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
e:\sandboxie\SbieSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-04  17:43:12 - machine was rebooted
ComboFix-quarantined-files.txt  2011-09-04 15:43
.
Pre-Run: 33,562,353,664 bytes free
Post-Run: 33,464,389,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 0228445E94AAEDF2C6999AE6335C3B30

I tried to remove it with ComboFix. My computer is now working faster, but this malware is still detected.
Thanks Jacob for the help!

Now Avira detects TR/Dropper.Gen; sometimes this is a false positive.
But I'm sure that's not a false positive.
Look at this: http://www.avira.com/en/support-threats-...7/tlang/en

Now look at this:
[Image: 2gu9xxc.jpg]

It's the same path but it's not the same file. When I remove it with Avira it creates itself again. That is malware.
I restored the malware from quarantine to the desktop and uploaded it to VirusTotal; it has 24/48 detections.
I scanned the processes; it didn't detect anything.
Then I scanned C:\; it detected 2 cookies in Google Chrome. I removed them.

Look at the Process Revealer:
[Image: a1tjbo.jpg]

Startup list:
[Image: 21e4tnp.jpg]

I installed Malwarebytes Anti-Malware and scanned my PC; it found 4 infected registry entries and I removed them! Now my AV doesn't detect malware!
My computer is clean! ^^

You can change the permissions of the "System Volume Information" folder to give Everyone full control. Now you can enter it and delete it manually.

(This post was last modified: 10-19-2011, 05:54 AM by pandora_box.)
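The procedure described in the reply above, worked through as an added example (this is not code from the thread or from any of the tools in the logs). It follows the same idea, granting access to "System Volume Information" so the file the AV keeps flagging can be removed by hand, with two changes a defender would make: the grant goes to the Administrators group rather than Everyone, and it is revoked again once the file is gone, so the folder is not left writable to every account. The folder path, the restore-point subfolder GUID and the file name in TARGET are placeholders that must be replaced with the path shown in the AV alert; cacls is the ACL tool shipped with Windows XP, and the script is meant to be typed into an administrator cmd session.

```batch
@echo off
rem Added example, not from the thread: temporarily grant the Administrators
rem group access to "System Volume Information", delete one flagged file,
rem then revoke the grant. Run from a cmd prompt opened by an administrator.
setlocal

rem Folder and file are placeholders: take the real path from the AV alert.
set "SVI=C:\System Volume Information"
set "TARGET=%SVI%\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe"

rem 1. Add Administrators:Full Control to the folder and everything below it.
rem    /E edits the existing ACL instead of replacing it, /T recurses,
rem    /G grants. The SYSTEM entry that is already there is left untouched.
cacls "%SVI%" /T /E /G Administrators:F >nul
if errorlevel 1 goto :fail

rem 2. Inspect before deleting: confirm the flagged path really exists.
dir /a "%SVI%"

rem 3. Delete the flagged file. /f removes read-only copies, /a matches files
rem    regardless of their hidden/system attributes.
if exist "%TARGET%" (
    del /f /a "%TARGET%"
    echo Deleted "%TARGET%"
) else (
    echo Target not found: "%TARGET%"
)

rem 4. Revoke the temporary grant so the folder is SYSTEM-only again.
cacls "%SVI%" /T /E /R Administrators >nul
endlocal
goto :eof

:fail
echo Could not change the ACL on "%SVI%". Are you running as an administrator?
endlocal
exit /b 1
```

The folder holds System Restore points, which is why a quarantined file keeps reappearing there: the AV is seeing a copy inside a restore point, not a live infection. Deleting the single file as above keeps the remaining restore points intact; the blunter alternative on Windows XP is to turn System Restore off and back on, which discards every restore point, including any that contain the file.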

Messages In This Thread
Help me to remove a virus - by JuiceKing - 09-04-2011, 12:23 PM