#11
Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)

Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis.

----------

Go to Start > Run, type notepad.exe and click OK. Copy and paste the below into Notepad and save it as fixme.reg to your Desktop.

Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14F3A256-C031-4CCC-915E-5DDE39921308}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"brastia"=-

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work. Delete the fixme.reg from the Desktop.

----------

Delete ComboFix and download the new version.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double-click combofix.exe & follow the prompts. When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.
#12
I downloaded ComboFix, saved it to the desktop and ran it. I saw the little ComboFix box that has progress bars as if it is loading up, but then the main window that looks like the CMD window never appeared. I restarted and nothing changed.
#13
Look in C:\combofix.txt for the log and post it please.
#14
ComboFix 09-03-29.02 - - 2009-03-30 21:19:04.4 - NTFSx86
Running from: c:\documents and settings\-\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-\Desktop\CFScript.txt
 * Resident AV is active

FILE ::
c:\ab31.exe
c:\windows\system32\DE744B18AA.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DE744B18AA.sys

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-25 20:37 . 2009-03-25 20:37 <DIR> d-------- c:\program files\Outsim
2009-03-25 20:37 . 2002-07-07 18:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2009-03-25 20:37 . 2006-06-20 04:56 225,280 --a------ c:\windows\system32\rewire.dll
2009-03-25 20:35 . 2009-03-25 20:37 <DIR> d-------- c:\program files\Image-Line
2009-03-16 16:45 . 2009-03-16 16:45 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-15 20:42 . 2009-03-15 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-15 20:41 . 2009-03-16 13:10 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-15 20:41 . 2009-03-16 13:10 <DIR> d-------- c:\documents and settings\-\Application Data\SUPERAntiSpyware.com
2009-03-01 13:46 . 2009-03-01 13:46 <DIR> d-------- c:\program files\Adobe Media Player
2009-03-01 13:45 . 2009-03-01 13:45 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-01 11:14 . 2009-03-01 13:33 <DIR> d-------- c:\documents and settings\-\Application Data\Download Manager
2009-02-27 17:34 . 1998-10-29 17:45 306,688 --a------ c:\windows\IsUninst.exe
2009-02-26 23:31 . 2009-03-28 15:12 <DIR> d-------- c:\windows\system32\Adobe
2009-02-26 23:31 . 2009-02-26 23:31 <DIR> d-------- c:\program files\Common Files\Vbox
2009-02-26 23:31 . 2001-10-26 18:16 16,384 --a------ c:\windows\system32\FileOps.exe
2009-02-21 13:14 . 2009-03-15 10:17 <DIR> d-------- c:\program files\AoA Audio Extractor
2009-02-21 13:14 . 2009-03-15 10:24 <DIR> d-------- C:\MyAudio
2009-02-11 19:17 . 2009-02-11 19:17 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 19:14 . 2009-02-11 19:14 <DIR> d-------- c:\windows\SQL9_KB960089_ENU
2009-02-04 21:22 . 2009-03-30 20:17 <DIR> d--h----- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 23:15 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-29 22:00 --------- d-----w c:\program files\Norton Security Scan
2009-03-27 23:15 --------- d-----w c:\program files\VSTplugins
2009-03-27 22:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-23 16:36 --------- d-----w c:\program files\Common Files\Adobe
2009-03-19 23:41 --------- d--h--w c:\documents and settings\-\Application Data\Move Networks
2009-03-16 20:45 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-16 17:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-16 00:13 --------- d-----w c:\documents and settings\-\Application Data\uTorrent
2009-03-12 18:26 --------- d-----w c:\program files\Common Files\AOL
2009-03-12 18:26 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-12 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-27 21:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 18:36 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-11 23:17 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-03 18:12 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-03 18:11 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-03 18:11 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-07 15:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 13:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll
2008-12-04 13:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll
2007-01-04 03:16 0 ----a-w c:\documents and settings\-\Application Data\wklnhst.dat
2008-10-14 23:40 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-05-31 18:25 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-19 01:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat

.
((((((((((((((((((((((((((((( SnapShot@2009-03-29_18.05.18.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-30 10:02:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1d0.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SkinClock"="c:\program files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 334848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 68856]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-14 29744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-16 148888]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 14:11 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 16:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 04:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 15:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-10-14 19:39 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2006-07-06 08:15 151552 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 19:39 176201 c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 17:36 823362 c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-07-24 18:20 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-14 29744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-03 325128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-03 298264]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2007-09-17 202768]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2007-09-17 35856]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]

--- Other Services/Drivers In Memory ---

*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AOL ACS
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - BcmSqlStartupSvc
*Deregistered* - Beep
*Deregistered* - Belkin Wireless USB Network Adapter Service
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ELService
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - i2omgmt
*Deregistered* - IAANTMON
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McrdSvc
*Deregistered* - MDM
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MSSMLBIZ
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - PcCtlCom
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - SQLWriter
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tm_cfw
*Deregistered* - Tmfilter
*Deregistered* - Tmntsrv
*Deregistered* - TmPfw
*Deregistered* - Tmpreflt
*Deregistered* - tmproxy
*Deregistered* - tmtdi
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Vsapint
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cd82bd2-688a-11dd-a80e-00173f13b137}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{677cb2b4-5270-11dc-a6a1-00173f13b137}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 22:22]

2009-03-29 c:\windows\Tasks\Norton Security Scan for -.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-11 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\-\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\-\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 21:23:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-30 21:27:10
ComboFix-quarantined-files.txt 2009-03-31 01:26:19
ComboFix2.txt 2009-03-29 22:06:13

Pre-Run: 210,746,732,544 bytes free
Post-Run: 210,727,317,504 bytes free

358 --- E O F --- 2009-03-30 02:43:20
#15
It looks like both AVG and Trend Micro are running?
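What the helper did by eye in #15 (spotting AVG and Trend Micro services side by side) and in #11 (picking the MountPoints2 {361ac05d…} key for fixme.reg) can be scripted against the log layout ComboFix writes. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses a constructed excerpt whose entries are copied from the log in #14 and raises three findings from it: two resident security products with automatic-start services, Security Center overrides that hide the AV/firewall state, and removable-media AutoRun commands recorded under MountPoints2. The vendor keyword table and the reading of the service prefix (letter = ComboFix's running/stopped flag, digit = Windows start type) are my assumptions, not something the log states.

```python
import re

# Constructed excerpt in the layout ComboFix writes, not the thread's full log; the
# entries are copied from the log in #14 so the findings can be checked against it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-03 325128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-03 298264]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...] header of a .reg-style block
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=data
# <state><start type> <service>;<display name>;<image path> [<date> <size>]
# Assumption about ComboFix's prefix: R/S = running/stopped, digit = Windows start type.
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")

# Heuristic vendor fingerprints; my choice, not something ComboFix reports.
VENDOR_HINTS = {"avg": "AVG", "trend micro": "Trend Micro", "trendm~1": "Trend Micro",
                "symantec": "Symantec", "norton": "Symantec", "mcafee": "McAfee"}


def parse_combofix(text):
    """Pull registry values, service lines and MountPoints2 autoruns out of a log."""
    parsed = {"values": [], "services": [], "autoruns": []}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)                      # following value lines belong to this key
        elif m := SERVICE_RE.match(line):
            state, start, name, display, path = m.groups()
            parsed["services"].append({"state": state, "start": int(start), "name": name,
                                       "display": display, "path": path})
        elif m := AUTORUN_RE.match(line):
            if key and "mountpoints2" in key.lower():
                parsed["autoruns"].append({"key": key, "command": m.group(1)})
        elif m := VALUE_RE.match(line):
            if key:
                parsed["values"].append({"key": key, "name": m.group(1), "data": m.group(2)})
    return parsed


def resident_vendors(parsed):
    """Vendors with services set to boot/system/automatic start (start type <= 2)."""
    vendors = set()
    for svc in parsed["services"]:
        if svc["start"] > 2:
            continue
        haystack = (svc["display"] + " " + svc["path"]).lower()
        vendors.update(v for hint, v in VENDOR_HINTS.items() if hint in haystack)
    return vendors


def security_center_overrides(parsed):
    """Values that tell Windows Security Center to stop reporting AV/firewall state."""
    return [v for v in parsed["values"]
            if "security center" in v["key"].lower()
            and v["name"] in ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")
            and v["data"].lower() == "dword:00000001"]


def triage(parsed):
    """Findings a helper would raise from the log before writing a fix."""
    findings = []
    vendors = resident_vendors(parsed)
    if len(vendors) > 1:
        findings.append("multiple resident security products: " + ", ".join(sorted(vendors)))
    for v in security_center_overrides(parsed):
        tail = v["key"].rsplit("\\", 1)[-1]
        findings.append("Security Center override set: " + tail + "\\" + v["name"])
    for a in parsed["autoruns"]:
        # The {361ac05d-...} key here is the one the fixme.reg in #11 deletes.
        drive = a["key"].rsplit("\\", 1)[-1]
        findings.append("removable-media AutoRun under MountPoints2\\" + drive + ": " + a["command"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved C:\combofix.txt by replacing SAMPLE_LOG with the file's contents. The AutoRun commands are reported as facts, not verdicts: LaunchU3.exe is the launcher of U3 USB drives, while a bare E:\setup.exe on a removable volume is the kind of entry worth asking about, which is why the script lists every one rather than deciding for you.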
#16
I thought I had uninstalled Trend Micro earlier? I have nothing I can click on in terms of shutting it off. I did exactly what I should have for the AVG Anti-virus, so here is another log.

ComboFix 09-03-29.02 - - 2009-03-30 21:19:04.4 - NTFSx86
Running from: c:\documents and settings\-\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-\Desktop\CFScript.txt
 * Resident AV is active

FILE ::
c:\ab31.exe
c:\windows\system32\DE744B18AA.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DE744B18AA.sys

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-25 20:37 . 2009-03-25 20:37 <DIR> d-------- c:\program files\Outsim
2009-03-25 20:37 . 2002-07-07 18:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2009-03-25 20:37 . 2006-06-20 04:56 225,280 --a------ c:\windows\system32\rewire.dll
2009-03-25 20:35 . 2009-03-25 20:37 <DIR> d-------- c:\program files\Image-Line
2009-03-16 16:45 . 2009-03-16 16:45 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-15 20:42 . 2009-03-15 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-15 20:41 . 2009-03-16 13:10 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-15 20:41 . 2009-03-16 13:10 <DIR> d-------- c:\documents and settings\-\Application Data\SUPERAntiSpyware.com
2009-03-01 13:46 . 2009-03-01 13:46 <DIR> d-------- c:\program files\Adobe Media Player
2009-03-01 13:45 . 2009-03-01 13:45 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-01 11:14 . 2009-03-01 13:33 <DIR> d-------- c:\documents and settings\-\Application Data\Download Manager
2009-02-27 17:34 . 1998-10-29 17:45 306,688 --a------ c:\windows\IsUninst.exe
2009-02-26 23:31 . 2009-03-28 15:12 <DIR> d-------- c:\windows\system32\Adobe
2009-02-26 23:31 . 2009-02-26 23:31 <DIR> d-------- c:\program files\Common Files\Vbox
2009-02-26 23:31 . 2001-10-26 18:16 16,384 --a------ c:\windows\system32\FileOps.exe
2009-02-21 13:14 . 2009-03-15 10:17 <DIR> d-------- c:\program files\AoA Audio Extractor
2009-02-21 13:14 . 2009-03-15 10:24 <DIR> d-------- C:\MyAudio
2009-02-11 19:17 . 2009-02-11 19:17 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 19:14 . 2009-02-11 19:14 <DIR> d-------- c:\windows\SQL9_KB960089_ENU
2009-02-04 21:22 . 2009-03-30 20:17 <DIR> d--h----- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 23:15 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-29 22:00 --------- d-----w c:\program files\Norton Security Scan
2009-03-27 23:15 --------- d-----w c:\program files\VSTplugins
2009-03-27 22:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-23 16:36 --------- d-----w c:\program files\Common Files\Adobe
2009-03-19 23:41 --------- d--h--w c:\documents and settings\-\Application Data\Move Networks
2009-03-16 20:45 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-16 17:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-16 00:13 --------- d-----w c:\documents and settings\-\Application Data\uTorrent
2009-03-12 18:26 --------- d-----w c:\program files\Common Files\AOL
2009-03-12 18:26 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-12 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-27 21:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 18:36 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-11 23:17 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-03 18:12 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-03 18:11 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-03 18:11 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-07 15:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 13:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll
2008-12-04 13:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll
2007-01-04 03:16 0 ----a-w c:\documents and settings\-\Application Data\wklnhst.dat
2008-10-14 23:40 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-05-31 18:25 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-19 01:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat

.
((((((((((((((((((((((((((((( SnapShot@2009-03-29_18.05.18.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-30 10:02:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1d0.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SkinClock"="c:\program files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 334848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 68856]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-14 29744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-16 148888]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 14:11 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 16:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 04:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 15:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-10-14 19:39 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2006-07-06 08:15 151552 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 19:39 176201 c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 17:36 823362 c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-07-24 18:20 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-14 29744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-03 325128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-03 298264]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2007-09-17 202768]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2007-09-17 35856]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]

--- Other Services/Drivers In Memory ---

*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AOL ACS
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - BcmSqlStartupSvc
*Deregistered* - Beep
*Deregistered* - Belkin Wireless USB Network Adapter Service
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ELService
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - i2omgmt
*Deregistered* - IAANTMON
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McrdSvc
*Deregistered* - MDM
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MSSMLBIZ
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - PcCtlCom
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage *Deregistered* - PSched *Deregistered* - RasAcd *Deregistered* - Rasl2tp *Deregistered* - RasMan *Deregistered* - RasPppoe *Deregistered* - Raspti *Deregistered* - Rdbss *Deregistered* - RDPCDD *Deregistered* - rdpdr *Deregistered* - RemoteRegistry *Deregistered* - RpcSs *Deregistered* - SamSs *Deregistered* - Schedule *Deregistered* - seclogon *Deregistered* - SENS *Deregistered* - SharedAccess *Deregistered* - ShellHWDetection *Deregistered* - Spooler *Deregistered* - SQLWriter *Deregistered* - sr *Deregistered* - srservice *Deregistered* - Srv *Deregistered* - SSDPSRV *Deregistered* - swenum *Deregistered* - TapiSrv *Deregistered* - Tcpip *Deregistered* - TermService *Deregistered* - Themes *Deregistered* - tm_cfw *Deregistered* - Tmfilter *Deregistered* - Tmntsrv *Deregistered* - TmPfw *Deregistered* - Tmpreflt *Deregistered* - tmproxy *Deregistered* - tmtdi *Deregistered* - TrkWks *Deregistered* - Update *Deregistered* - VgaSave *Deregistered* - VolSnap *Deregistered* - Vsapint *Deregistered* - w32time *Deregistered* - Wanarp *Deregistered* - wanatw *Deregistered* - WebClient *Deregistered* - winmgmt *Deregistered* - wscsvc *Deregistered* - wuauserv *Deregistered* - WZCSVC [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{1cd82bd2-688a-11dd-a80e-00173f13b137}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{677cb2b4-5270-11dc-a6a1-00173f13b137}] \Shell\AutoRun\command - E:\LaunchU3.exe . 
Contents of the 'Scheduled Tasks' folder 2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-03-30 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 22:22] 2009-03-29 c:\windows\Tasks\Norton Security Scan for -.job - c:\program files\Norton Security Scan\Nss.exe [2009-03-11 20:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.aol.com/?src=aim uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.micros oft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\-\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search= yesab&query= FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\documents and settings\-\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\ext ensions\moveplayer@movenetworks.com\platform\WINNT _x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll . 
************************************************** ************************ catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-30 21:23:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . Completion time: 2009-03-30 21:27:10 ComboFix-quarantined-files.txt 2009-03-31 01:26:19 ComboFix2.txt 2009-03-29 22:06:13 Pre-Run: 210,746,732,544 bytes free Post-Run: 210,727,317,504 bytes free 358 --- E O F --- 2009-03-30 02:43:20 |
|
#17
| |||
| |||
| Download the OTMoveIt3 by OldTimer
Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
Code:
:Processes
explorer.exe
:services
Tmfilter
Tmntsrv
TmPfw
Tmpreflt
tmproxy
:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
:files
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. |
|
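As an added example, not part of this thread and not code from ComboFix or OTMoveIt3: a small Python triage script that reads a ComboFix-style log excerpt and flags the two kinds of entry the helper's fix script singles out, Security Center monitoring overrides (`AntiVirusOverride` / `DisableMonitoring` set to 1) and `\Shell\AutoRun\command` values under `MountPoints2`. The excerpt is constructed from values quoted in the log above; the regexes, `triage()` and the category names are the example's own.

```python
"""Added example (not the thread's own tooling): triage a ComboFix-style log
excerpt for Security Center monitoring overrides and AutoRun commands that
are registered under MountPoints2. The excerpt below is constructed from
values quoted in the log posted in the thread."""
import re

# Constructed excerpt in ComboFix's layout: a bracketed key, then its values.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")

# Values that silence Security Center when set to 1 (names as ComboFix prints them).
OVERRIDE_NAMES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def triage(log_text):
    """Return (category, key, detail) tuples in log order."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # a bracketed key opens a new context
            key = m.group("key")
            continue
        if key is None:
            continue                # values before any key header are ignored
        low = key.lower()
        m = DWORD_RE.match(line)
        if m and "security center" in low:
            if m.group("name") in OVERRIDE_NAMES and int(m.group("hex"), 16) == 1:
                findings.append(("security-center-override", key, m.group("name")))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in low:
            # Every AutoRun command tied to a mount point is reported: the log
            # alone cannot tell a vendor launcher from a planted one.
            findings.append(("mountpoint-autorun", key, m.group("cmd")))
    return findings


if __name__ == "__main__":
    for category, key, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}  <- {key}")
```

The same `triage()` can be pointed at a full ComboFix log; entries that match nothing (the ctfmon.exe startup line in the sample) are passed over silently.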
#18
| |||
| |||
| ========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service\Driver Tmfilter not found.
Service\Driver Tmfilter not found.
Service\Driver Tmntsrv not found.
Service\Driver Tmntsrv not found.
Service\Driver TmPfw not found.
Service\Driver TmPfw not found.
Service\Driver Tmpreflt not found.
Service\Driver Tmpreflt not found.
Service\Driver tmproxy not found.
Service\Driver tmproxy not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\\ not found.
========== FILES ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\KEVINY~1\LOCALS~1\Temp\etilqs_fRmKQ2vrzNB72h6KbYxi scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\D4FMXUTV\google_com[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\D4FMXUTV\google_com[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\CFJKKGVW\google_com[3].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_134.dat scheduled to be deleted on reboot.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\6ddb73b7-b87e-4070-ac03-0f2813d963e6.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\eafae059-1c3b-497e-8634-4866acec2402.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4c0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04112009_213409

Files moved on Reboot...
File C:\DOCUME~1\KEVINY~1\LOCALS~1\Temp\etilqs_fRmKQ2vrzNB72h6KbYxi not found!
C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\D4FMXUTV\google_com[1].htm moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\D4FMXUTV\google_com[2].htm moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\CFJKKGVW\google_com[3].htm moved successfully.
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_134.dat not found!
File C:\WINDOWS\temp\6ddb73b7-b87e-4070-ac03-0f2813d963e6.tmp not found!
File C:\WINDOWS\temp\eafae059-1c3b-497e-8634-4866acec2402.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_4c0.dat not found!
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\XUL.mfl moved successfully. |
|
#19
| |||
| |||
| ----------
1. Double click OTMoveIt3.exe to launch it. Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
----------
Use the ESET Online Antivirus Scanner
This scanner requires Internet Explorer
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply. |
|
#20
| |||
| |||
| # version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4002 (20090411)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=779dd52fbada7441aba5d1cce1027195
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-12 08:52:10
# local_time=2009-04-12 04:52:10 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=362847
# found=0
# scan_time=3552 |