Lewis_UnderGrad 0 Light Poster

Thanks. ComboFix:

ComboFix 10-02-03.08 - Avnish Jani 04/02/2010 18:50:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.510.328 [GMT 0:00]
Running from: c:\documents and settings\Avnish Jani\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2203416353-1657562295-645918495-500
c:\recycler\S-1-5-21-978585148-2060435377-995363448-500
c:\windows\system32\al.txt
c:\windows\system32\dz1.txt
c:\windows\system32\kjs
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-01-13 16:50 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 17:23 . 2009-01-11 12:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 19:18 . 2005-09-22 12:38 -------- d-----w- c:\documents and settings\Avnish Jani\Application Data\Azureus
2010-01-23 12:43 . 2009-03-12 21:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-20 09:15 . 2005-11-22 21:42 -------- d-----w- c:\program files\Lx_cats
2010-01-07 16:07 . 2009-01-11 12:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-01-11 12:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 21:15 . 2006-10-07 20:43 -------- d-----w- c:\program files\Blubster
2009-12-21 19:14 . 2005-03-03 09:11 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 16:36 . 2005-03-03 09:10 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Simp"="c:\program files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2009-05-15 2108928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-17 5406720]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]

Lewis_UnderGrad 0 Light Poster

Hi Crunchie,

I am unable to download the file from the HostXpert link you provided:

http://www.funkytoad.com/content/view/13/31/

Is there anywhere else I can download it from?

Lewis_UnderGrad 0 Light Poster

Was unable to download MBAM-Rules on the machine infected so a friend downloaded it and sent me the file. Results:

Malwarebytes' Anti-Malware 1.44
Database version: 3628
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

30/01/2010 18:57:59
mbam-log-2010-01-30 (18-57-59).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 232486
Time elapsed: 1 hour(s), 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Downloaded HijackThis. Results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:02, on 30/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ftusbsrv.exe
C:\Program Files\Common Files\Microsoft …

Lewis_UnderGrad 0 Light Poster

Hi Crunchie,

I have just tried to run an update and am presented with the following error:

http://i256.photobucket.com/albums/hh179/v1raj/Misc/MBAMUpdateError.jpg

Lewis_UnderGrad 0 Light Poster

Hi guys,

It appears my IE has been hijacked. I've run a number of MBAM scans, updating before each scan; a number of issues have been found and removed, however Google still redirects. Here are the logs:

28th Jan 2010 - Scan 1
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

28/01/2010 12:29:58
mbam-log-2010-01-28 (12-29-58).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 227907
Time elapsed: 1 hour(s), 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Avnish Jani\Local Settings\Temp\21.tmp (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sorrd (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\sorrd.sys (Trojan.Goldun) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell …

Lewis_UnderGrad 0 Light Poster

Since my last post, I have not used the machine infected. I ran a scan today and noticed that the file previously identified:

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Was still showing, therefore it was/has not been fully removed.

Here is the report from MBA today:

Malwarebytes' Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

06/07/2009 11:35:31
mbam-log-2009-07-06 (11-35-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200201
Time elapsed: 41 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Does anybody know how to remove this virus?? How dangerous is it?

I've searched the net about the MSIVX rootkit virus and it appears that an app called ComboFix can resolve it.

Lewis_UnderGrad 0 Light Poster

As suggested above, I had the same problem and renamed the .exe file and MBA finally opened.

Lewis_UnderGrad 0 Light Poster

Ok, removed the items suggested in HJT..

I then carried out a scan using ESET Scanner as suggested above. One threat was found and deleted. Below is the log file:

ESET Log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=7a3d8a9bb97f3f4dbd92c6375f4669cd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-01 07:58:41
# local_time=2009-07-01 08:58:41 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 374716562500
# scanned=92597
# found=1
# cleaned=1
# scan_time=2704
C:\Documents and Settings\Vikram Dal\Desktop\Nero 7.10.1.0\Nero 7.10.1.0.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000


I then restarted my machine, updated MBAM, ran a new scan, here is the log:

MBAM

Malwarebytes' Anti-Malware 1.38
Database version: 2358
Windows 5.1.2600 Service Pack 3

01/07/2009 16:19:00
mbam-log-2009-07-01 (16-19-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201456
Time elapsed: 39 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry …

Lewis_UnderGrad 0 Light Poster

Sorry about that, thought I copied all the text.

MBAM-M

Malwarebytes' Anti-Malware 1.38
Database version: 2332
Windows 5.1.2600 Service Pack 3

25/06/2009 09:00:30
mbam-log-2009-06-25 (09-00-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198397
Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3e9adb4b-ecfc-4889-88ec-3ad373003605}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e5f96af2-f1e0-40dc-b9c8-0c06ca88faf2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,

Lewis_UnderGrad 0 Light Poster

Tried the above and MBA-M successfully launched and updated. 19 issues were found and removed. Here is the log:

Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3e9adb4b-ecfc-4889-88ec-3ad373003605}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e5f96af2-f1e0-40dc-b9c8-0c06ca88faf2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
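
Looking across the logs posted above, the entries worth acting on first are the Winlogon Userinit data pointing at sdra64.exe (Spyware.Zbot, still "Delete on reboot"), the Winlogon Notify and SafeBoot entries for the Goldun driver, and the NameServer values rewritten to 85.255.112.137 and 85.255.112.100 by the DNSChanger. The following Python script is an added example, not code from this thread or from Malwarebytes: it parses MBAM detection lines of this format and summarises exactly those indicators, so a helper reviewing a log can see at a glance what is still live and whether DNS settings were hijacked. The rogue-DNS watch-list and the sample log are constructed from the addresses and entries posted above; the stock Userinit path is the standard Windows XP value.

```python
"""Triage of Malwarebytes' Anti-Malware (MBAM) log detections.

Detection lines have the shape
    <registry key | value | file path> (<detection name>) -> [Data: <value> ->] <action>.
They are parsed and grouped by what a defender acts on first: Winlogon loading
points (Userinit / Shell / Notify), SafeBoot entries and TCP/IP NameServer values.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One MBAM detection line; the "Data:" segment appears only for registry data items.
_LINE_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> )?"
    r"(?P<action>[^>]+)\.$"
)

# Stock Userinit value on Windows XP, compared case-insensitively.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed watch-list for this example: the two addresses the DNSChanger
# entries in the logs above had written into NameServer.
ROGUE_DNS: Set[str] = {"85.255.112.137", "85.255.112.100"}


@dataclass
class Finding:
    target: str
    family: str
    data: Optional[str]
    action: str
    category: str
    pending_reboot: bool  # "Delete on reboot": still live until the machine restarts


def classify(target: str) -> str:
    """Map a detection target to the persistence / hijack class it belongs to."""
    t = target.lower()
    if len(t) > 2 and t[1:3] == ":\\":
        return "file"
    if r"\winlogon\userinit" in t:
        return "userinit-hijack"
    if r"\winlogon\shell" in t:
        return "shell-hijack"
    if r"\winlogon\notify" in t:
        return "winlogon-notify"
    if "\\safeboot\\" in t:
        return "safeboot-service"
    if t.endswith("nameserver"):  # also matches DhcpNameServer
        return "dns-hijack"
    return "other"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one log line; headers and '(No malicious items detected)' give None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    target, family, data, action = m.group("target", "family", "data", "action")
    return Finding(target, family, data, action, classify(target),
                   action.lower().startswith("delete on reboot"))


def userinit_is_stock(data: str) -> bool:
    """True when a Userinit value holds nothing but the stock userinit.exe."""
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    return entries == [STOCK_USERINIT]


def rogue_dns_in(data: str) -> Set[str]:
    """Addresses from a comma-separated NameServer value that are on the watch-list."""
    return {ip.strip() for ip in data.split(",")} & ROGUE_DNS


def triage(lines: List[str]) -> Dict[str, object]:
    """Parse a whole log and summarise the indicators that need follow-up."""
    findings = [f for f in map(parse_line, lines) if f is not None]
    rogue: Set[str] = set()
    userinit_tampered = False
    for f in findings:
        if f.category == "dns-hijack" and f.data:
            rogue |= rogue_dns_in(f.data)
        if f.category == "userinit-hijack" and f.data and not userinit_is_stock(f.data):
            userinit_tampered = True
    return {
        "findings": findings,
        "by_category": Counter(f.category for f in findings),
        "pending_reboot": [f.target for f in findings if f.pending_reboot],
        "rogue_dns": sorted(rogue),
        "userinit_tampered": userinit_tampered,
    }


# Sample input: detection lines copied from the MBAM logs posted above.
SAMPLE_LOG = r"""
C:\Documents and Settings\Avnish Jani\Local Settings\Temp\21.tmp (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
(No malicious items detected)
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for key in ("by_category", "pending_reboot", "rogue_dns", "userinit_tampered"):
        print(f"{key}: {summary[key]}")
```

The "pending_reboot" list is the reason these threads always ask for a reboot and a fresh scan: a "Delete on reboot" entry such as the Userinit hijack is still active until the machine restarts, so a log that shows it is not yet a clean machine. The DNS check is worth re-running after cleanup too, since the NameServer values were written under every interface GUID and both ControlSet001 and ControlSet002 in the log above.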

Lewis_UnderGrad 0 Light Poster

Hi jholland,

I tried your suggestion and although MBA installs in Safe Mode (and Normal) the application won't launch once installed.

I have uploaded a print screen of the processes that are running when my machine loads, please see the link below:

http://i256.photobucket.com/albums/hh179/v1raj/Misc/TaskTray.jpg

You may need to click on the image to enlarge it to clearly identify the process names.

Lewis_UnderGrad 0 Light Poster

Hi Crunchie,

I tried your suggestion and the Safe Mode route but still, Malwarebytes won't open.

What else can I try as the problem still persists?

Lewis_UnderGrad 0 Light Poster

I ran an online scanner that I found on the Microsoft site (OneSecurity I think it's called). It found 8 files and removed them. My machine appears to be a lot faster now but still can't open MBAM or HJT.

I've read that renaming mbam.exe to boot.exe is another way to get mbam to work, is this true??

Lewis_UnderGrad 0 Light Poster

What version of Windows are you using?

Hi, I'm using Windows XP Home Edition

Lewis_UnderGrad 0 Light Poster

Hi guys,

I have some form of virus on my machine and have tried removing it. So far I have run Avira on my machine which detected 21 files.

My next protocol would be to run Malwarebytes; however, when I try to open the application, it doesn't actually open. I have tried opening the application within Safe Mode too but still unsuccessful. HJT fails to open too.

What else can I try people??

Lewis_UnderGrad 0 Light Poster

Thanks for the tutorials, I've found them quite useful!

However, what I was asking for is if anyone has any tutorials showing how to connect a MySQL db to a VB.Net web app. I've been using the tutorial below as a guide:

http://www.15seconds.com/issue/050210.htm

But have encountered a number of errors.

My aspx page:

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" Inherits="_Default" Debug="true" %>

<%@ Import Namespace = "System.Data" %>
<%@ Import Namespace = "MySql.Data.MySqlClient" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>MySQL Connection Test</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        MySQL Connection Test<br />
        <br />
        <asp:GridView ID="MySQLGridView" runat="server"></asp:GridView>
    </div>
        

    </form>
</body>
</html>

My aspx.vb page:

Partial Class _Default
    Inherits System.Web.UI.Page

    Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)

        Dim myConnection As MySqlConnection
        Dim myDataAdapter As MySqlDataAdapter
        Dim myDataSet As DataSet

        Dim strSQL As String
        Dim iRecordCount As Integer

        myConnection = New MySqlConnection("server=localhost; user id=15secs; password=password; database=mydatabase; pooling=false;")

        strSQL = "SELECT * FROM mytable;"

        myDataAdapter = New MySqlDataAdapter(strSQL, myConnection)
        myDataSet = New Dataset()
        myDataAdapter.Fill(myDataSet, "mytable")

        MySQLGridView.DataSource = myDataSet
        MySQLGridView.DataBind()


    End Sub

End Class

Errors Produced:

1. Type 'MySqlConnection' is not defined. (Default.aspx.vb)

2. Type 'MySqlDataAdapter' is not defined. (Default.aspx.vb)

3. Type 'DataSet' is not defined. (Default.aspx.vb)

4. Warning - Namespace or type specified in the Imports 'MySql.Data.MySqlClient' doesn't contain any public member or cannot be found. Make sure the namespace …

Lewis_UnderGrad 0 Light Poster

Managed to fully install MySQL last night.

I uninstalled the program and then manually deleted the folders that were created during the installation (I noticed that these folders were not removed after I uninstalled it).

Restarted the machine and the installation went through without any problems. =)

Thanks.

Lewis_UnderGrad 0 Light Poster

Thanks for the advice.

So, here is what I have installed so far:

MySQL v5.0.82
MySQL GUI v5.0
MySQL Connector-Net v6.0.3

I have created a database and am using the following guide to try and connect the DB to my web app:

http://www.15seconds.com/issue/050210.htm

I'll let you know how I get on..

(If anyone knows of any other tutorials please feel free to add.)

Lewis_UnderGrad 0 Light Poster

Hi guys,

A few months ago I installed a version (5.0 I believe) of MySQL on my machine with no problems at all. Two weeks ago I had to format my hard drive and reinstall my OS. I have successfully installed Visual Studio 2005 and tried to install MySQL last night, however I was presented with the following error:

http://i256.photobucket.com/albums/hh179/v1raj/Misc/MySQLInstallError.jpg

From the error produced originally I thought Avira had something to do with it so disabled the program and tried the installation again. Still, the above error was produced.

Does anyone know how to resolve the above issue??

Thanks.

Lewis_UnderGrad 0 Light Poster

Thanks for the advice, will have a look at that... But first I need to successfully install MySQL..

Does anybody know how to fix the issue described above???

Thanks.

Lewis_UnderGrad 0 Light Poster

Hi guys,

Thanks for all your replies, they've been very helpful. I've decided to go down the MySQL route as I've always wanted to learn to use MySQL with .Net.

I've visited the dev.mysql website and have downloaded version 5.0. During the final stage of the installation process I am presented with the following error:

http://i256.photobucket.com/albums/hh179/v1raj/Misc/MySQLInstallError.jpg

The only firewall-like program I am running is Avira. Is there a way to configure Avira to open port 3306? I have tried turning Avira off whilst installing too..

Thanks

Lewis_UnderGrad 0 Light Poster

One question is: Will the site be hosted from a hosting vendor or from an on-site server?

And regarding the database... MSAccess is definitely not the way to go... you really should consider a hosted database platform - it costs a bit more but is A) more secure than MSAccess and B) Can handle the traffic.

Hi,

Yup the site will be hosted from a vendor, possibly streamline.net.

Ok, well if you suggested a hosted platform then I guess MySQL is the way to go?

Lewis_UnderGrad 0 Light Poster

Hi Timothy,

Originally I thought Access would be the best choice as the system will only be updated by one person.

After reading a number of tutorials on the web I downloaded a project from www.programming.top54u.com. A link to the project can be found here:

http://programming.top54u.com/file.axd?file=AccessImage.rar

I found this small app quite helpful. It allows me to upload images and create a title for them. I can easily modify the code to accept more data i.e. price to hire a vehicle, colour of vehicle..

What do you guys think? Is Access the easiest and simplest way to achieve the desired type of site?

Will deleting records that are already saved be easy to code too?

Thanks.

Lewis_UnderGrad 0 Light Poster

Hi guys,

I've been developing basic websites for the past 2 years. Recently, a relative of mine has started a vehicle leasing company and has asked me to create the website for him.

Now the majority of the site will be no problem to create; however, as it is a vehicle leasing company, new data (including images) will need to be uploaded on a regular basis.

I've been thinking about achieving this in a number of ways:

1. Using Microsoft Access
2. Using MySQL

As you guys probably have a lot of experience, I would like to know what would be the best way to go about creating the functionality to upload new vehicle data, i.e. price, engine size, colour and image??

Thanks in advance.

Lewis_UnderGrad 0 Light Poster

Or would it be better to use a Microsoft Access db for this type of application? Maybe this would be a lot simpler than using MySQL??

Lewis_UnderGrad 0 Light Poster

Hi guys,

I've been using asp.net 2.0 over the past 2 years making simple web applications but have never used it with MySQL.

I've been asked to create a website for a relative. The site will be a vehicle leasing company. After speaking to the owner and understanding his requirements I will be able to create the majority of it with no problem. However, as it's a leasing company, vehicles will need to be added/deleted on a regular basis so I assume having a database (MySQL) connected to the site will be the easiest way to achieve this. Furthermore, it would make sense to have an image of the vehicle too, will MySQL be able to retrieve the images?

I have Visual Studio 2005 installed as well as MySQL 5.1, MySQL Connector/ODBC 5.1 and the MySQL Connector Net 6.0.3.

I have created a new project and placed the following code in my source file:

<%@ Page Language="VB" Debug="true" AutoEventWireup="false" CodeFile="DBConnection.aspx.vb" Inherits="DBConnection" %>

<%@ Import Namespace = "System.Data" %>
<%@ Import Namespace = "MySql.Data.MySqlClient" %>

<script language="VB" runat="server">

    Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)

        Dim myConnection As MySqlConnection
        Dim myDataAdapter As MySqlDataAdapter
        Dim myDataSet As DataSet

        Dim strSQL As String
        'Dim iRecordCount As Integer

        myConnection = New MySqlConnection("server=localhost; user id=15secs; password=password; database=mydatabase; pooling=false;")

        strSQL = "SELECT * FROM mytable;"

        myDataAdapter = New MySqlDataAdapter(strSQL, myConnection)
        myDataSet = New DataSet()
        myDataAdapter.Fill(myDataSet, "mytable")

        MySQLDataGrid.DataSource = myDataSet
        MySQLDataGrid.DataBind()

    End Sub
   
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 …

Lewis_UnderGrad 0 Light Poster

ComboFix uninstalled... SpyBlaster already installed.. New Restore Point Created.

Thanks for your help Judy!

Lewis_UnderGrad 0 Light Poster

Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:42, on 17/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Winamp\winamp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - …

Lewis_UnderGrad 0 Light Poster

Hi, sorry it's taken me a while to reply..

Anyways, I ran the removal tool using Malware and it deleted the file. I then rebooted and ran a scan. Here are the results:

Malwarebytes' Anti-Malware 1.31
Database version: 1506
Windows 5.1.2600 Service Pack 2

16/12/2008 10:46:13
mbam-log-2008-12-16 (10-46-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150900
Time elapsed: 1 hour(s), 45 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:14, on 17/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton …

Lewis_UnderGrad 0 Light Poster

Hi,

I followed the suggestions that you provided and was unable to delete the file.

I have uploaded an image of the error message. Please see below:

http://i256.photobucket.com/albums/hh179/v1raj/Misc/system32error.jpg

Hope this helps..

Lewis_UnderGrad 0 Light Poster

Here are the results from the new HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:58:52, on 15/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe …

Lewis_UnderGrad 0 Light Poster

Here is the new ComboFix log:

ComboFix 08-12-13.03 - Viraj Patel 2008-12-15 16:19:35.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1023.238 [GMT 0:00]
Running from: c:\documents and settings\Viraj Patel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Viraj Patel\Desktop\CFScript.txt
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.
FINDSTR: Cannot open temp0901



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


E:\resycled
e:\resycled\boot.com


.
(((((((((((((((((((((((((   Files Created from 2008-11-15 to 2008-12-15  )))))))))))))))))))))))))))))))
.


2008-12-13 18:09 . 2008-12-13 18:10 <DIR>    d--------   c:\windows\ERUNT
2008-12-13 18:02 . 2008-12-13 18:58 <DIR>    d--------   C:\SDFix
2008-12-12 08:55 . 2008-12-12 08:55 <DIR>    d--------   c:\program files\Trend Micro
2008-12-11 22:50 . 2008-12-11 22:50 <DIR>    d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-11 22:50 . 2008-12-11 22:50 <DIR>    d--------   c:\documents and settings\Viraj Patel\Application Data\Malwarebytes
2008-12-11 22:50 . 2008-12-11 22:50 <DIR>    d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 22:50 . 2008-12-03 19:52 38,496  --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 22:50 . 2008-12-03 19:52 15,504  --a------   c:\windows\system32\drivers\mbam.sys
2008-12-11 22:42 . 2008-12-14 13:31 <DIR>    d--------   c:\program files\SpywareBlaster
2008-12-11 22:42 . 2008-12-14 13:31 <DIR>    d-a------   c:\documents and settings\All Users\Application Data\TEMP
2008-12-11 21:46 . 2008-12-11 21:46 6,144   --a------   c:\windows\GnuHashes.ini
2008-12-11 21:38 . 2008-12-11 21:38 135,168 --a------   c:\windows\system32\ds16gt32.dll
2008-12-11 21:38 . 2008-12-11 21:38 1,708   --ahs----   c:\windows\system32\GroupPolicy000.dat
2008-12-11 21:00 . 2008-12-11 21:00 <DIR>    d--------   c:\documents and settings\All Users\Application Data\PCSettings
2008-12-11 20:44 . 2008-12-11 20:44 <DIR>    d--------   c:\program files\Norton Support
2008-12-11 20:29 . 2008-12-11 20:28 35,888  -ra------   c:\windows\system32\drivers\SymIM.sys
2008-12-11 20:28 . 2008-12-12 21:42 <DIR>    d--------   c:\windows\system32\drivers\NAV
2008-12-11 20:28 . 2008-12-11 20:28 <DIR>    d--------   c:\program files\Windows Sidebar
2008-12-11 20:28 . 2008-12-11 20:28 <DIR>    d--------   c:\program …
Lewis_UnderGrad 0 Light Poster

c:\windows\system32\ds16gt32.dll was uploaded to the site suggested. Here are the results:

Service load: (roughly 25% of the bar was green)
File: ds16gt32.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 3972ed9825c910f321c86c367422e1fd
Packers detected: -

Scan taken on 15 Dec 2008 07:42:16 (GMT)
A-Squared Found Trojan-Dropper.Agent!IK
AntiVir Found TR/Spy.Gen
ArcaVir Found Trojan.Downloader.Agent.Atko
AvastFound Win32:Spyware-gen
AVG Antivirus Found nothing
BitDefender Found Trojan.Generic.1221950
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Agent.atko
Dr.Web Found DLOADER.Trojan (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.atko
G DATA Found Win32:Spyware-gen
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.atko
NOD32 Found a variant of Win32/Agent.OAF
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Downloader.MDW
Sophos Antivirus Found Mal/Behav-027
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Agent.atko

I'm guessing this file isn't supposed to be there?

Lewis_UnderGrad 0 Light Poster

Hi Judy,

I updated MBA-M and ran a scan; here are the results:

Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

14/12/2008 18:42:07
mbam-log-2008-12-14 (18-42-07).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 149314
Time elapsed: 2 hour(s), 10 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

As no items were found I couldn't remove anything. I then REBOOTED (restarted) the machine and ran HijackThis. Here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:59, on 14/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe

Lewis_UnderGrad 0 Light Poster

Download ComboFix. You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET.
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run, and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the Enter key to continue.
ComboFix will now start scanning your computer for known infections. This …

Lewis_UnderGrad 0 Light Poster

Hi Judy,

Here are the three logs as requested:

SDFix:


SDFix: Version 1.240 
Run by Viraj Patel on 13/12/2008 at 18:20


Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix


Checking Services :



Restoring Default Security Values
Restoring Default Hosts File


Rebooting


Checking Files :


Trojan Files Found:


C:\Documents and Settings\Viraj Patel\Local Settings\Temp\aax5A.tmp.exe - Deleted
C:\autorun.PNF - Deleted


Removing Temp Files


ADS Check :


Final Check :


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 18:51:35
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmqltoiqg.sys"
"group"="file system"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxmqltoiqg.sys"
"msqpdxl"="\systemroot\system32\msqpdxwryvprpx.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmqltoiqg.sys"
"group"="file system"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxmqltoiqg.sys"
"msqpdxl"="\systemroot\system32\msqpdxwryvprpx.dll"


scanning hidden registry entries ...


scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Disabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Viraj Patel\\Local Settings\\Temp\\j2eesdk-1_4_03-windows.exe2\\package\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\Viraj Patel\\Local Settings\\Temp\\j2eesdk-1_4_03-windows.exe2\\package\\jre\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Kiwi Alpha\\KiwiAlpha.exe"="C:\\Program Files\\Kiwi Alpha\\KiwiAlpha.exe:*:Enabled:KiwiAlpha"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\StreamCast\\Morpheus\\Morpheus.exe"="C:\\Program Files\\StreamCast\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" …
Lewis_UnderGrad 0 Light Poster

Hi Lewis,

If you look at the message given in the pop-up you will see that these items were added to the list Delete on Reboot. So as long as you rebooted the computer after the MBA-M run then these entries should have been removed.
May I ask where you are located, country I mean. There are some fixes which may need to be done showing in your HJT log, but they would apply in the US and not in the UK, for instance.
Judy

Hi Judy,

I'm from the UK. Malwarebytes and HJT seem to have fixed the Google redirect issues; however a new one has occurred. When I search for an item in Google or Yahoo, for example "facebook", the first result is correct, however the others are not related to the search criteria. The rest of them seem to be search engines. Web pages seem to take 20/30 secs (maybe more) to load too.

What do the logs tell you about the state of my machine?

Any suggestions?

Lewis_UnderGrad 0 Light Poster

Hi Judy,

Here are my results:

Malwarebytes

Malwarebytes' Anti-Malware 1.31
Database version: 1490
Windows 5.1.2600 Service Pack 2

12/12/2008 08:49:00
mbam-log-2008-12-12 (08-49-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147826
Time elapsed: 1 hour(s), 17 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 26
Registry Values Infected: 1
Registry Data Items Infected: 17
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> Quarantined and deleted successfully.

Lewis_UnderGrad 0 Light Poster

Hi guys,

New to this forum, hopefully you guys will be able to help me get rid of this virus..

I switched on my computer today and tried opening Word, noticed the machine was running very slow but didn't think anything of it. Later I tried searching for a number of items on Google and started to notice that when I clicked on a search result it would automatically direct me to another random page. I also noticed that before the page had loaded this URL was present - www32.searchmirror...

I'm a bit worried now as all my Uni work is on this machine and hope nothing is affected or deleted. Can anyone help to fix this??

Done some searching and apparently some software that might help are:

1. mbam
2. HJT

Any ideas on how these can help?

Thanks.

Lewis.