Malwarebytes says I'm infected with these four pieces of spyware. It can't get rid of them no matter how many times it tries. They just keep coming back after reboot. Symptoms are slower than usual startup, and being redirected from Google searches to ad sites. I've tried a number of online scanners like Windows OneCare and the Kaspersky file checker, even Spybot Search & Destroy, HijackThis, and some free Norton scanners. All fingers point to this file, yxgnfvce.dll. Yet there's nothing I can do. I've tried deleting it, renaming it, unregistering it, but it's going nowhere. Please help.

Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3649
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13

1/30/2010 2:52:04 PM
mbam-log-2010-01-30 (14-52-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 240952
Time elapsed: 23 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yxgnfvce.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01426bd7-4ff8-42da-8e49-2d9847f69262} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01426bd7-4ff8-42da-8e49-2d9847f69262} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01426bd7-4ff8-42da-8e49-2d9847f69262} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/NetworkService/Local Settings/Temp/cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/LocalService/Local Settings/Temp/cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/Administrator/Local Settings/Temp/cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/User/Local Settings/Temp/cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dueavlel (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yxgnfvce.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temp\cjphnmli.dat (Rootkit.Agent) -> Delete on reboot.

--------------------------------------------------------------------------------------------

And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:11 PM, on 1/30/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {01426BD7-4FF8-42DA-8E49-2D9847F69262} - C:\WINDOWS\system32\yxgnfvce.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EF1052F-9AC3-4F3B-B776-DBD787B30BB1} - c:\windows\system32\msencodev.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.04\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.04\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by139fd.bay139.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8942.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: tkcderci - C:\WINDOWS\SYSTEM32\msencodev.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDKGNKKHZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\User\LOCALS~1\Temp\PDKGNKKHZ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8059 bytes

Thanks in advance
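The responders in this thread pick the bad entries out of the HijackThis log by eye. As an added example (not code from the thread or from any of the tools named in it), the Python script below scores each loader entry on the structural signals they key on: an unnamed BHO that is backed by a real file, a Winlogon Notify hook, a service whose binary lives under a Temp directory, and an 8- or 9-letter consonant-heavy file or key name like yxgnfvce or cjphnmli. The log lines embedded in it are copied from the post above; the weights, the threshold and the random-name heuristic are this example's own assumptions. The name heuristic is deliberately worth only one point, because legitimate names such as SSScsiSV also trip it, and the script shows that it never flags anything on its own.

```python
"""Triage a HijackThis-style log for the loader pattern seen in this thread.

Added example, not from the thread or from any tool mentioned in it.  Scores
BHO/toolbar, Run-key, Winlogon Notify and service entries on a few structural
signals and reports those at or above a threshold.  Sample lines are copied
from the thread's HijackThis output; weights and heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01426BD7-4FF8-42DA-8E49-2D9847F69262} - C:\WINDOWS\system32\yxgnfvce.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EF1052F-9AC3-4F3B-B776-DBD787B30BB1} - c:\windows\system32\msencodev.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: tkcderci - C:\WINDOWS\SYSTEM32\msencodev.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: PDKGNKKHZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\User\LOCALS~1\Temp\PDKGNKKHZ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
"""

# One pattern per HijackThis section handled here; other sections are skipped.
RE_BHO = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# The vendor field may itself contain " - " (see the PDKGNKKHZ line), so the
# path group is anchored on a drive letter to stop the vendor match early.
RE_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.*)$")

VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    kind: str
    path: str
    score: int = 0
    signals: list = field(default_factory=list)

    def add(self, signal, weight):
        self.signals.append(signal)
        self.score += weight


def file_stem(path):
    """'C:\\x\\yxgnfvce.dll' -> 'yxgnfvce'; a bare directory gives ''."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def looks_random(name):
    """Weak signal: 8-9 letters containing a run of 4+ consonants ('y' counts
    as a consonant).  Legitimate names such as SSScsiSV also match, which is
    why this is worth a single point and never decides anything alone."""
    if not name.isalpha() or not 8 <= len(name) <= 9:
        return False
    run = longest = 0
    for ch in name.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def first_token(cmd):
    """Executable path from a Run value: handles quoted paths and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_BHO.match(line):
            f = Finding(line, "bho", m["path"])
            if m["path"] == "(no file)":
                f.add("ORPHAN", 0)          # dead CLSID: clean-up item, not malware
            elif m["name"] == "(no name)":
                f.add("UNNAMED_BHO", 2)     # real DLL loaded into IE with no description
        elif m := RE_RUN.match(line):
            f = Finding(line, "run", first_token(m["cmd"]))
        elif m := RE_NOTIFY.match(line):
            f = Finding(line, "winlogon_notify", m["path"])
            f.add("NOTIFY_HOOK", 2)         # loaded by winlogon at every logon
            if looks_random(m["key"]):
                f.add("RANDOM_NAME", 1)
        elif m := RE_SERVICE.match(line):
            f = Finding(line, "service", m["path"])
        else:
            continue
        if "\\temp\\" in f.path.lower():
            f.add("TEMP_PATH", 3)           # services and BHOs do not belong in Temp
        if "RANDOM_NAME" not in f.signals and looks_random(file_stem(f.path)):
            f.add("RANDOM_NAME", 1)
        findings.append(f)
    return findings


def flagged(log_text, threshold=2):
    return [f for f in triage(log_text) if f.score >= threshold]


def orphans(log_text):
    return [f for f in triage(log_text) if "ORPHAN" in f.signals]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.score}  {','.join(f.signals):24} {f.line}")
```

Run against the embedded sample it reports the two yxgnfvce/msencodev BHOs, both Winlogon Notify hooks and the PDKGNKKHZ service from Temp, and lists the two (no file) entries separately as orphans; the NVIDIA and Sony services stay below the threshold even though SSScsiSV trips the name heuristic.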
Hello BaHa.
Can you start the computer in normal boot mode? If so, please run all scans in normal mode.

Disable Spybot's TeaTimer
While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.
1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident.
2. Run Spybot S&D.
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt and restart your computer.
Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
If TeaTimer will not turn off, then uninstall Spybot until we are done cleaning.
----------
Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)

Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.
----------
Now locate and delete these files:
C:\WINDOWS\system32\yxgnfvce.dll
c:\windows\system32\msencodev.dll
----------
Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger, because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open MessengerDisable.exe and choose the bottom box, Uninstall Windows Messenger, and click Apply. Exit out of MessengerDisable, then delete the two files that were put on the desktop.
----------
Download Lop S&D by Eric_71 and save it to your desktop. Lop S&D will only run on Windows XP and Windows Vista.
Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Double click LopSD.exe. If you are using Windows Vista or Windows 7, right-click on the LopSD icon and select Run as administrator to perform this scan.
* Choose the language by typing the corresponding letter and press Enter
* Click OK at the informative window
* Type 1 to choose Option 1 (Search), then press Enter
* Wait until the end of the scan
* A report will be generated; post the contents of it in your next reply. A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.
Then browse to this file: C:\windows\system32\yxgnfvce.dll
Select that file and click OK, then Yes to remove it.
Now do the same with: c:\windows\system32\msencodev.dll
We'll get them.
Let's do this instead. If you already have ComboFix, be sure to delete it and download a new copy.
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop.
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts. Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix
ComboFix 10-01-30.04 - User 01/31/2010 0:59.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.342 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{37f82d4d-b5ca-45f2-97fd-6391d9e4ab16}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{37f82d4d-b5ca-45f2-97fd-6391d9e4ab16}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{37f82d4d-b5ca-45f2-97fd-6391d9e4ab16}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{37f82d4d-b5ca-45f2-97fd-6391d9e4ab16}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{37f82d4d-b5ca-45f2-97fd-6391d9e4ab16}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{482dbe47-0a6c-4c22-8dea-7d43642f3a61}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{482dbe47-0a6c-4c22-8dea-7d43642f3a61}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{482dbe47-0a6c-4c22-8dea-7d43642f3a61}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{482dbe47-0a6c-4c22-8dea-7d43642f3a61}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{482dbe47-0a6c-4c22-8dea-7d43642f3a61}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{4f8b00cf-5215-43e5-b3da-a24e5808aa5f}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{4f8b00cf-5215-43e5-b3da-a24e5808aa5f}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{4f8b00cf-5215-43e5-b3da-a24e5808aa5f}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{4f8b00cf-5215-43e5-b3da-a24e5808aa5f}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{4f8b00cf-5215-43e5-b3da-a24e5808aa5f}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{6db91b6f-7c2a-4485-8879-30d3ae55ef1d}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{6db91b6f-7c2a-4485-8879-30d3ae55ef1d}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{6db91b6f-7c2a-4485-8879-30d3ae55ef1d}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{6db91b6f-7c2a-4485-8879-30d3ae55ef1d}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{6db91b6f-7c2a-4485-8879-30d3ae55ef1d}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\install.rdf
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\chrome.manifest
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\chrome\xulcache.jar
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\defaults\preferences\xulcache.js
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\extensions\{dc692978-cd3a-4248-98c5-054ce26c81e8}\install.rdf
c:\windows\system32\drivers\dueavlel.sys
c:\windows\system32\drivers\lbqmtppe.sys
c:\windows\system32\info.txt
c:\windows\system32\msencodev.dll
c:\windows\system32\rvwpiiscm.dll
c:\windows\system32\yxgnfvce.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DUEAVLEL
-------\Legacy_OIWQMHQQ
-------\Legacy_POOF
-------\Service_dueavlel
-------\Service_oiwqmhqq

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.
2010-01-30 07:35 . 2010-01-30 07:35 -------- d-----w- C:\FOUND.000
2010-01-28 08:31 . 2010-01-28 08:31 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-01-28 08:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 08:31 . 2010-01-28 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-28 08:31 . 2010-01-28 08:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 08:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 07:30 . 2010-01-28 07:30 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-27 17:38 . 2010-01-27 17:38 25 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8EE82118DAE80BD4586C712CEC05FF17.dll
2010-01-27 17:38 . 2010-01-27 17:38 154 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7E577B2224C65CF4E801A9E52375DB49.dll
2010-01-27 17:38 . 2010-01-27 17:38 1104 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7BD25099295922545A854571BBDA84EE.dll
2010-01-27 17:38 . 2010-01-27 17:38 137 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_70B83354632A0724A977BE4B1155715B.dll
2010-01-27 17:38 . 2010-01-27 17:38 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6E8A266FCD4F2A1409E1C8110F44DBCE.dll
2010-01-27 17:38 . 2010-01-27 17:38 744 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A3100000030.dll
2010-01-27 17:38 . 2010-01-27 17:38 3568 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_26DDC2EC4210AC63483DF9D4FCC5B59D.dll
2010-01-27 17:38 . 2010-01-27 17:38 210 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1D034B0FAA6BD374B960AAD30DF10D8B.dll
2010-01-27 17:38 . 2010-01-27 17:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2010-01-27 17:38 . 2010-01-27 17:38 41 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0CB8AE65157339B4CBD96615CC635EAA.dll
2010-01-27 17:38 . 2010-01-27 17:38 73 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_04DE0F7511F8AA149B62A4660D1D9ACC.dll
2010-01-27 17:38 . 2010-01-27 17:38 833 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_000021599B0090400000000000F01FEC.dll
2010-01-27 17:38 . 2010-01-27 17:38 274 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002159221090400000000000F01FEC.dll
2010-01-27 17:22 . 2010-01-27 17:22 -------- d-----w- c:\windows\system32\drivers\NSS
2010-01-27 17:22 . 2010-01-27 17:22 -------- d-----w- c:\program files\Norton Security Scan
2010-01-27 17:22 . 2010-01-27 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-27 17:21 . 2010-01-27 17:21 -------- d-----w- c:\program files\NortonInstaller
2010-01-27 17:21 . 2010-01-27 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-13 12:01 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 12:41 . 2010-01-09 12:41 -------- d-----w- C:\FOUND.011
2010-01-09 06:00 . 2010-01-09 06:00 -------- d-----w- C:\FOUND.010
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 10:00 . 2005-08-23 05:34 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-08-04 20:25 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 06:07 17408 ------w- c:\windows\system32\corpol.dll
2009-12-22 02:41 . 2007-03-08 20:28 45504 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 16:36 . 2004-08-04 06:07 470528 ----a-w- c:\windows\AppPatch\AcLayers.dll
2008-01-03 04:47 . 2008-01-03 04:47 560 ----a-w- c:\program files\Global.sw
.
------- Sigcheck -------

[-] 2005-05-24 00:48 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-08-25 49152]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" [2007-03-02 98304]
"nwiz"="nwiz.exe" [2006-02-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-13 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\guinea pig\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-3-3 262144]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
HP Digital Imaging Monitor.lnk.disabled [2008-9-14 1712]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^dwvwpzbki.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\dwvwpzbki.lnk
backup=c:\windows\pss\dwvwpzbki.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50776:TCP"= 50776:TCP:@xpsp2res.dll
"27600:TCP"= 27600:TCP:@xpsp2res.dll
"36055:TCP"= 36055:TCP:@xpsp2res.dll
"52689:TCP"= 52689:TCP:@xpsp2res.dll
"52443:TCP"= 52443:TCP:@xpsp2res.dll,-22009
"30702:TCP"= 30702:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 Aba33;Aba33;c:\windows\system32\Aba33.sys --> c:\windows\system32\Aba33.sys [?]
S3 PDKGNKKHZ;PDKGNKKHZ;c:\docume~1\User\LOCALS~1\Temp\PDKGNKKHZ.exe --> c:\docume~1\User\LOCALS~1\Temp\PDKGNKKHZ.exe [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [3/2/2007 8:04 AM 3584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\Norton Security Scan for User.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-27 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.04\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.04\MediaManager\grab.html
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{01426BD7-4FF8-42DA-8E49-2D9847F69262} - c:\windows\system32\yxgnfvce.dll
Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 01:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\LocalService\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-606747145-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\LocalService\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-606747145-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1214440339-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-606747145-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1214440339-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1214440339-1979792683-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,c6,1e,f3,8d,eb,ad,f9,35,91,18,53,fe,a7,6b,c1,f1,42,d9,be,d3,a2,6e,b9,77,ae,ca,68,77,e4,38,67,6b,66,08,4b,73,a7,34,ab,9a,57,92,a8,7f,98,4e,93,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\windows\System32\NOTEPAD.EXE
c:\progra~1\MICROS~2\rapimgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-31 01:15:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-31 06:15

Pre-Run: 52,088,864,768 bytes free
Post-Run: 52,769,816,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3
- - End Of File - - 56BC5D069A5C437556CB47400F00BF63

--------------------------------------------------------------------------------------------

I now receive an alert from Windows Security saying that I do not have any antivirus software installed. All I did was make sure TeaTimer was disabled; I've never had this before. Also, another IE icon was created on my desktop. What does all this mean?
Quote:
----------
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
C:\FOUND.000
C:\FOUND.011
C:\FOUND.010

Driver::
PDKGNKKHZ
Aba33

4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

[screenshot]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.
----------
Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
----------
Download Lop S&D by Eric_71 and save it to your desktop.
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Double click LopSD.exe - If you are using Windows Vista or Windows 7, right-click on the LopSD icon and select Run as administrator to perform this scan.
* Choose the language by typing the corresponding letter and press Enter
* Click OK at the informative window
* Type 1, to choose Option 1 (Search) then press Enter
* Wait until the end of the scan
* A report will be generated, post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
The ComboFix log:
ComboFix 10-01-30.07 - User 01/31/2010 13:10:24.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.229 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\FOUND.000
c:\found.000\FILE0000.CHK
C:\FOUND.010
c:\found.010\FILE0000.CHK
c:\found.010\FILE0001.CHK
c:\found.010\FILE0002.CHK
C:\FOUND.011
c:\found.011\FILE0000.CHK
c:\found.011\FILE0001.CHK
c:\found.011\FILE0002.CHK
c:\found.011\FILE0003.CHK
c:\found.011\FILE0004.CHK
c:\found.011\FILE0005.CHK
c:\found.011\FILE0006.CHK
c:\found.011\FILE0007.CHK
c:\found.011\FILE0008.CHK
c:\found.011\FILE0009.CHK
c:\found.011\FILE0010.CHK
c:\found.011\FILE0011.CHK
c:\found.011\FILE0012.CHK
c:\found.011\FILE0013.CHK
c:\found.011\FILE0014.CHK
c:\found.011\FILE0015.CHK
c:\found.011\FILE0016.CHK
c:\found.011\FILE0017.CHK
c:\found.011\FILE0018.CHK
c:\found.011\FILE0019.CHK
c:\found.011\FILE0020.CHK
c:\found.011\FILE0021.CHK
c:\found.011\FILE0022.CHK
c:\found.011\FILE0023.CHK
c:\found.011\FILE0024.CHK
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABA33
-------\Legacy_PDKGNKKHZ
-------\Service_Aba33
-------\Service_PDKGNKKHZ

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.
2010-01-28 08:31 . 2010-01-28 08:31 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-01-28 08:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 08:31 . 2010-01-28 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-28 08:31 . 2010-01-28 08:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 08:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 07:30 . 2010-01-28 07:30 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-27 17:38 . 2010-01-27 17:38 25 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8EE82118DAE80BD4586C712CEC05FF17.dll
2010-01-27 17:38 . 2010-01-27 17:38 154 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7E577B2224C65CF4E801A9E52375DB49.dll
2010-01-27 17:38 . 2010-01-27 17:38 1104 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7BD25099295922545A854571BBDA84EE.dll
2010-01-27 17:38 . 2010-01-27 17:38 137 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_70B83354632A0724A977BE4B1155715B.dll
2010-01-27 17:38 . 2010-01-27 17:38 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6E8A266FCD4F2A1409E1C8110F44DBCE.dll
2010-01-27 17:38 . 2010-01-27 17:38 744 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A3100000030.dll
2010-01-27 17:38 . 2010-01-27 17:38 3568 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_26DDC2EC4210AC63483DF9D4FCC5B59D.dll
2010-01-27 17:38 . 2010-01-27 17:38 210 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1D034B0FAA6BD374B960AAD30DF10D8B.dll
2010-01-27 17:38 . 2010-01-27 17:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2010-01-27 17:38 . 2010-01-27 17:38 41 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0CB8AE65157339B4CBD96615CC635EAA.dll
2010-01-27 17:38 . 2010-01-27 17:38 73 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_04DE0F7511F8AA149B62A4660D1D9ACC.dll
2010-01-27 17:38 . 2010-01-27 17:38 833 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_000021599B0090400000000000F01FEC.dll
2010-01-27 17:38 . 2010-01-27 17:38 274 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002159221090400000000000F01FEC.dll
2010-01-27 17:22 . 2010-01-27 17:22 -------- d-----w- c:\windows\system32\drivers\NSS
2010-01-27 17:22 . 2010-01-27 17:22 -------- d-----w- c:\program files\Norton Security Scan
2010-01-27 17:22 . 2010-01-27 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-27 17:21 . 2010-01-27 17:21 -------- d-----w- c:\program files\NortonInstaller
2010-01-27 17:21 . 2010-01-27 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-13 12:01 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 10:00 . 2005-08-23 05:34 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-08-04 20:25 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 06:07 17408 ------w- c:\windows\system32\corpol.dll
2009-12-22 02:41 . 2007-03-08 20:28 45504 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 16:36 . 2004-08-04 06:07 470528 ----a-w- c:\windows\AppPatch\AcLayers.dll
2008-01-03 04:47 . 2008-01-03 04:47 560 ----a-w- c:\program files\Global.sw
.
------- Sigcheck -------

[-] 2005-05-24 00:48 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-08-25 49152]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" [2007-03-02 98304]
"nwiz"="nwiz.exe" [2006-02-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-13 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\guinea pig\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-3-3 262144]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
HP Digital Imaging Monitor.lnk.disabled [2008-9-14 1712]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^dwvwpzbki.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\dwvwpzbki.lnk
backup=c:\windows\pss\dwvwpzbki.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50776:TCP"= 50776:TCP:@xpsp2res.dll
"27600:TCP"= 27600:TCP:@xpsp2res.dll
"36055:TCP"= 36055:TCP:@xpsp2res.dll
"52689:TCP"= 52689:TCP:@xpsp2res.dll
"52443:TCP"= 52443:TCP:@xpsp2res.dll,-22009
"30702:TCP"= 30702:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [3/2/2007 8:04 AM 3584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\Norton Security Scan for User.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-27 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.04\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.04\MediaManager\grab.html
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z41kfifo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 13:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\LocalService\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-606747145-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\LocalService\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-606747145-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1214440339-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-606747145-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1214440339-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1214440339-1979792683-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,c6,1e,f3,8d,eb,ad,f9,35,91,18,53,fe,a7,6b,c1,f1,42,d9,be,d3,a2,6e,
b9,77,ae,ca,68,77,e4,38,67,6b,66,08,4b,73,a7,34,ab,9a,57,92,a8,7f,98,4e,93,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-31 13:24:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-31 18:24
ComboFix2.txt 2010-01-31 06:15

Pre-Run: 52,744,847,360 bytes free
Post-Run: 52,740,816,896 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3
- - End Of File - - C11E3CC183BDD5D7D83E90733F97340B

--------------------------------------------------------------------------------------------

The Lop log:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Mobile AMD Sempron(tm) Processor 2800+ )
BIOS : Default System BIOS
USER : User ( Administrator )
BOOT : Normal boot
A:\ (USB)
C:\ (Local Disk) - FAT32 - Total:74 Go (Free:49 Go)
E:\ (USB)
F:\ (USB)
G:\ (USB)
H:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
I:\ (USB)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Sun 01/31/2010|13:32 )

--------------------\\ Listing folders in APPLIC~1

[03/02/2007|07:55] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[05/19/2005|10:12] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Mozilla
[03/02/2007|08:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[03/06/2007|09:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[05/30/2007|09:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Ahead
[03/02/2007|08:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink
[10/25/2009|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[09/14/2008|07:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Hewlett-Packard
[09/13/2008|10:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[09/14/2008|07:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP Product Assistant
[02/09/2008|08:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Installations
[10/27/2009|12:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Kaspersky Lab Setup Files
[01/28/2010|03:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[03/02/2007|07:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[01/27/2010|12:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Norton
[01/27/2010|12:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NortonInstaller
[03/09/2007|12:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> nView_Profiles
[02/09/2008|08:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PC Suite
[03/02/2007|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[05/30/2007|01:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SecTaskMan
[03/05/2007|09:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sony Corporation
[09/26/2007|02:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[03/02/2007|08:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[09/14/2008|07:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WEBREG
[03/05/2007|04:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[09/14/2008|07:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! Companion
[07/22/2009|01:55] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe
[10/09/2009|05:41] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> kwzfarml
[07/22/2009|01:55] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia
[03/02/2007|07:55] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[06/17/2008|04:03] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Mozilla
[09/17/2007|12:12] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Adobe
[09/17/2007|01:25] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Macromedia
[03/02/2007|07:55] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[03/02/2007|08:10] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[03/02/2007|07:55] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[05/19/2005|10:12] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla
[03/07/2007|08:17] C:\DOCUME~1\USER\APPLIC~1\<DIR> Adobe
[05/30/2007|09:27] C:\DOCUME~1\USER\APPLIC~1\<DIR> Ahead
[08/21/2007|08:47] C:\DOCUME~1\USER\APPLIC~1\<DIR> Bearshare Premium P2P
[08/21/2007|09:16] C:\DOCUME~1\USER\APPLIC~1\<DIR> BitTorrent
[05/30/2007|08:42] C:\DOCUME~1\USER\APPLIC~1\<DIR> CyberLink
[04/28/2007|10:49] C:\DOCUME~1\USER\APPLIC~1\<DIR> DivX
[03/06/2007|09:12] C:\DOCUME~1\USER\APPLIC~1\<DIR> FrostWire
[05/01/2007|03:40] C:\DOCUME~1\USER\APPLIC~1\<DIR> Help
[09/14/2008|07:42] C:\DOCUME~1\USER\APPLIC~1\<DIR> HP
[09/14/2008|07:47] C:\DOCUME~1\USER\APPLIC~1\<DIR> HPAppData
[09/10/2007|05:56] C:\DOCUME~1\USER\APPLIC~1\<DIR> Identities
[11/01/2009|07:33] C:\DOCUME~1\USER\APPLIC~1\<DIR> kwzfarml
[08/16/2007|12:08] C:\DOCUME~1\USER\APPLIC~1\<DIR> LimeWire
[03/03/2007|01:23] C:\DOCUME~1\USER\APPLIC~1\<DIR> Macromedia
[01/28/2010|03:31] C:\DOCUME~1\USER\APPLIC~1\<DIR> Malwarebytes
[03/02/2007|07:55] C:\DOCUME~1\USER\APPLIC~1\<DIR> Microsoft
[03/05/2007|04:34] C:\DOCUME~1\USER\APPLIC~1\<DIR> Microsoft Web Folders
[05/19/2005|10:12] C:\DOCUME~1\USER\APPLIC~1\<DIR> Mozilla
[02/09/2008|08:57] C:\DOCUME~1\USER\APPLIC~1\<DIR> Nokia
[03/07/2007|06:35] C:\DOCUME~1\USER\APPLIC~1\<DIR> Opera
[02/09/2008|08:55] C:\DOCUME~1\USER\APPLIC~1\<DIR> PC Suite
[03/14/2007|09:39] C:\DOCUME~1\USER\APPLIC~1\<DIR> Real
[03/05/2007|05:24] C:\DOCUME~1\USER\APPLIC~1\<DIR> SecuROM
[03/05/2007|09:12] C:\DOCUME~1\USER\APPLIC~1\<DIR> Sony Corporation
[03/10/2007|01:23] C:\DOCUME~1\USER\APPLIC~1\<DIR> Sun
[09/14/2008|07:08] C:\DOCUME~1\USER\APPLIC~1\<DIR> Yahoo!
[03/03/2007|12:53] C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\<DIR> Microsoft
[03/03/2007|12:53] C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\<DIR> MSN6
[03/03/2007|12:53] C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\<DIR> Sony Corporation
[03/03/2007|12:53] C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\<DIR> Symantec
[03/03/2007|12:53] C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\<DIR> Windows Genuine Advantage
[03/03/2007|12:52] C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\<DIR> Microsoft
[03/03/2007|12:52] C:\DOCUME~1\DEFAUL~1.0\APPLIC~1\<DIR> Microsoft
[03/03/2007|12:52] C:\DOCUME~1\DEFAUL~1.2\APPLIC~1\<DIR> Microsoft
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Adobe
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> AdobeUM
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Ahead
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Autodesk
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> FrostWire
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Help
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Identities
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Macromedia
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Microsoft
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Microsoft Web Folders
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> MSN6
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> NCH Swift Sound
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Sony Corporation
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Sun
[03/03/2007|12:52] C:\DOCUME~1\GUINEA~1\APPLIC~1\<DIR> Unwiredtec

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/30/2010 03:54 PM][--a------] C:\WINDOWS\tasks\Norton Security Scan for User.job
[01/31/2010 01:20 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/03/2004 08:07 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[03/02/2007|08:15] C:\Program Files\<DIR> Adobe
[03/02/2007|08:17] C:\Program Files\<DIR> Ahead
[03/03/2007|12:30] C:\Program Files\<DIR> Analog Devices
[12/01/2008|02:02] C:\Program Files\<DIR> AVConverter
[03/02/2007|07:47] C:\Program Files\<DIR> Common Files
[03/02/2007|08:04] C:\Program Files\<DIR> ComPlus Applications
[03/02/2007|08:18] C:\Program Files\<DIR> CyberLink
[03/17/2007|05:09] C:\Program Files\<DIR> DivX
[09/10/2009|06:39] C:\Program Files\<DIR> ESET
[10/25/2009|11:48] C:\Program Files\<DIR> Google
[09/14/2008|07:21] C:\Program Files\<DIR> Hewlett-Packard
[09/14/2008|07:16] C:\Program Files\<DIR> HP
[03/02/2007|08:18] C:\Program Files\<DIR> InstallShield Installation Information
[03/02/2007|08:05] C:\Program Files\<DIR> Internet Explorer
[03/02/2007|08:14] C:\Program Files\<DIR> Java
[08/24/2007|01:52] C:\Program Files\<DIR> LimeWire
[01/28/2010|03:31] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[03/02/2007|08:04] C:\Program Files\<DIR> Messenger
[09/18/2009|07:01] C:\Program Files\<DIR> Microsoft
[03/02/2007|08:22] C:\Program Files\<DIR> Microsoft ActiveSync
[09/19/2009|08:28] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[03/02/2007|08:20] C:\Program Files\<DIR> Microsoft Office
[09/18/2009|07:10] C:\Program Files\<DIR> Microsoft Office Outlook Connector
[09/18/2009|07:12] C:\Program Files\<DIR> Microsoft Silverlight
[09/18/2009|07:07] C:\Program Files\<DIR> Microsoft SQL Server Compact Edition
[03/28/2007|12:53] C:\Program Files\<DIR> Microsoft Visual Studio
[05/23/2007|10:35] C:\Program Files\<DIR> Microsoft Windows OneCare Live
[03/02/2007|08:20] C:\Program Files\<DIR> Microsoft.NET
[03/02/2007|08:06] C:\Program Files\<DIR> Movie Maker
[09/18/2008|12:41] C:\Program Files\<DIR> Mozilla Firefox
[12/03/2008|04:28] C:\Program Files\<DIR> MP3 Player Utilities 3.57
[12/03/2008|05:05] C:\Program Files\<DIR> MP3 Player Utilities 4.04
[05/15/2008|01:56] C:\Program Files\<DIR> MSBuild
[03/02/2007|08:03] C:\Program Files\<DIR> MSN
[03/02/2007|08:04] C:\Program Files\<DIR> MSN Gaming Zone
[03/02/2007|08:16] C:\Program Files\<DIR> MSN Messenger
[10/02/2007|01:02] C:\Program Files\<DIR> MSXML 4.0
[05/15/2008|01:48] C:\Program Files\<DIR> MSXML 6.0
[03/02/2007|08:05] C:\Program Files\<DIR> NetMeeting
[01/27/2010|12:22] C:\Program Files\<DIR> Norton Security Scan
[01/27/2010|12:21] C:\Program Files\<DIR> NortonInstaller
[03/03/2007|12:22] C:\Program Files\<DIR> On-line Help Console
[03/02/2007|08:04] C:\Program Files\<DIR> Online Services
[03/02/2007|08:05] C:\Program Files\<DIR> Outlook Express
[03/02/2007|08:16] C:\Program Files\<DIR> QuickTime
[03/02/2007|08:16] C:\Program Files\<DIR> Real
[05/15/2008|01:56] C:\Program Files\<DIR> Reference Assemblies
[03/03/2007|12:26] C:\Program Files\<DIR> SiS VGA Utilities V3.69
[03/03/2007|12:23] C:\Program Files\<DIR> sisagp
[03/05/2007|09:13] C:\Program Files\<DIR> Sony
[03/05/2007|09:16] C:\Program Files\<DIR> Sony Corporation
[09/26/2007|02:09] C:\Program Files\<DIR> Spybot - Search & Destroy
[03/02/2007|08:19] C:\Program Files\<DIR> Symantec
[03/02/2007|08:19] C:\Program Files\<DIR> Symantec AntiVirus
[09/27/2007|01:14] C:\Program Files\<DIR> Trend Micro
[03/10/2007|04:45] C:\Program Files\<DIR> Ubi Soft
[03/05/2007|05:27] C:\Program Files\<DIR> Ubisoft
[10/04/2007|02:59] C:\Program Files\<DIR> Uninstall Information
[09/18/2009|06:57] C:\Program Files\<DIR> Windows Live
[05/23/2007|09:59] C:\Program Files\<DIR> Windows Live Safety Center
[09/18/2009|06:59] C:\Program Files\<DIR> Windows Live SkyDrive
[03/02/2007|08:04] C:\Program Files\<DIR> Windows Media Player
[11/20/2008|12:45] C:\Program Files\<DIR> Windows Mobile Device Handbook
[03/02/2007|08:03] C:\Program Files\<DIR> Windows NT
[03/02/2007|08:07] C:\Program Files\<DIR> WindowsUpdate
[03/02/2007|08:18] C:\Program Files\<DIR> WinRAR
--------------------\\ Listing Folders in C:\Program Files\Common Files

[03/02/2007|08:15] C:\Program Files\Common Files\<DIR> Adobe
[03/06/2007|09:03] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[03/02/2007|08:17] C:\Program Files\Common Files\<DIR> Ahead
[03/02/2007|08:22] C:\Program Files\Common Files\<DIR> DESIGNER
[09/13/2008|10:21] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[09/14/2008|07:19] C:\Program Files\Common Files\<DIR> HP
[03/02/2007|08:18] C:\Program Files\Common Files\<DIR> InstallShield
[03/02/2007|08:14] C:\Program Files\Common Files\<DIR> Java
[03/02/2007|07:47] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/04/2004|01:07] C:\Program Files\Common Files\<DIR> Mozilla Shared
[03/02/2007|08:06] C:\Program Files\Common Files\<DIR> MSSoap
[03/02/2007|07:47] C:\Program Files\Common Files\<DIR> ODBC
[03/02/2007|08:16] C:\Program Files\Common Files\<DIR> Real
[03/05/2007|09:12] C:\Program Files\Common Files\<DIR> Sony Shared
[03/02/2007|07:47] C:\Program Files\Common Files\<DIR> SpeechEngines
[11/12/2009|12:35] C:\Program Files\Common Files\<DIR> SWF Studio
[03/02/2007|08:19] C:\Program Files\Common Files\<DIR> Symantec Shared
[03/02/2007|08:05] C:\Program Files\Common Files\<DIR> System
[03/06/2007|12:50] C:\Program Files\Common Files\<DIR> SystemRequirementsLab
[09/18/2009|06:51] C:\Program Files\Common Files\<DIR> Windows Live

--------------------\\ Process ( 37 Processes )

iexplore.exe ~ [PID:3392]

--------------------\\ Searching with S_Lop

No Lop folder found !
--------------------\\ Searching for Lop Files - Folders C:\DOCUME~1\User\Cookies\user@adverts.digitalspy.co[2].txt C:\DOCUME~1\User\Cookies\user@freecodesource.advertserve[1].txt C:\DOCUME~1\User\Cookies\user@stanzapub.advertserve[1].txt C:\DOCUME~1\User\Cookies\user@advertstream[2].txt C:\DOCUME~1\User\Cookies\user@imagevenue.advertserve[2].txt C:\DOCUME~1\User\Cookies\user@mysummercamps.advertserve[1].txt C:\DOCUME~1\User\Cookies\user@adultfriendfinder[2].txt C:\DOCUME~1\User\Cookies\user@adultfriendfinder[3].txt C:\DOCUME~1\User\Cookies\user@advertising[2].txt C:\DOCUME~1\User\Cookies\user@advertising[3].txt C:\DOCUME~1\User\Cookies\user@ad.pro-advertising[2].txt C:\DOCUME~1\User\Cookies\user@advertising[4].txt C:\DOCUME~1\User\Cookies\user@advertising.marketnetwork[1].txt C:\DOCUME~1\User\Cookies\user@www.arpadvertising[1].txt C:\DOCUME~1\User\Cookies\user@traveladvertising[1].txt C:\DOCUME~1\User\Cookies\user@advertising.sheknows[2].txt C:\DOCUME~1\User\Cookies\user@ads.adultadvertising[2].txt C:\DOCUME~1\User\Cookies\user@cotedazurpalace[1].txt C:\DOCUME~1\User\Cookies\user@banner.cotedazurpalace[2].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[2].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[3].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[4].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[5].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[6].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[7].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[8].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[9].txt C:\DOCUME~1\User\Cookies\user@euroclick[2].txt C:\DOCUME~1\User\Cookies\user@adopt.euroclick[1].txt C:\DOCUME~1\User\Cookies\user@euroclick[1].txt C:\DOCUME~1\User\Cookies\user@partygaming.122.2o7[1].txt C:\DOCUME~1\User\Cookies\user@partygaming.122.2o7[2].txt C:\DOCUME~1\User\Cookies\user@partypoker[2].txt C:\DOCUME~1\User\Cookies\user@partypoker[1].txt C:\DOCUME~1\User\Cookies\user@partypoker[3].txt 
C:\DOCUME~1\User\Cookies\user@partypoker[4].txt C:\DOCUME~1\User\Cookies\user@partypoker[6].txt C:\DOCUME~1\User\Cookies\user@partypoker[7].txt C:\DOCUME~1\User\Cookies\user@partypoker[8].txt C:\DOCUME~1\User\Cookies\user@partypoker[5].txt C:\DOCUME~1\User\Cookies\user@partypoker[9].txt C:\DOCUME~1\User\Cookies\user@partypoker[10].txt C:\DOCUME~1\User\Cookies\user@www.partypoker[1].txt C:\DOCUME~1\User\Cookies\user@banner.32vegas[1].txt C:\DOCUME~1\User\Cookies\user@32vegas[2].txt C:\DOCUME~1\User\Cookies\user@banner.32vegas[3].txt C:\DOCUME~1\User\Cookies\user@www.lopforums[2].txt C:\DOCUME~1\User\Cookies\user@www.lopforums[3].txt --------------------\\ Searching within the Registry ..... OK ! --------------------\\ Checking the Hosts file Hosts file CLEAN --------------------\\ Searching for hidden files with Catchme catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-31 13:33:39 Windows 5.1.2600 Service Pack 2 FAT NTAPI scanning hidden processes ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden files: 0 --------------------\\ Searching for other infections No other infections found ! [F:1][D:0]-> C:\DOCUME~1\User\LOCALS~1\Temp [F:17323][D:0]-> C:\DOCUME~1\User\Cookies [F:209][D:4]-> C:\DOCUME~1\User\LOCALS~1\TEMPOR~1\content.IE5 [F:4][D:0]-> C:\Recycled 1 - "C:\Lop SD\LopR_1.txt" - Sun 01/31/2010|13:34 - Option : [1] --------------------\\ Scan completed at 13:34:40 |
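The Lop SD log above ends its hosts-file step with a one-word verdict ("Hosts file CLEAN"). Since the original complaint in this thread was search results being redirected, it is worth seeing what that check actually looks at. The following is an added example, not code from Lop SD or from anyone in the thread: it parses hosts-file text, ignores comments and the stock localhost line, and flags any name mapped to something other than loopback or the 0.0.0.0 blackhole that ad-blocking hosts lists use. Both sample files are constructed for the demonstration; the addresses in the second one are documentation-range placeholders.

```python
"""Check a Windows hosts file for redirection entries (added example)."""
import ipaddress

# Targets a hosts entry may point at without sending traffic anywhere:
# loopback, and the 0.0.0.0 "blackhole" that ad-block hosts lists use.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Names the stock XP/Vista hosts file carries by default.
DEFAULT_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (#) and blank lines are skipped. Several names may share one
    line; each becomes its own pair so later checks stay per-name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return (ip, name, reason) for entries that redirect a name.

    An entry is reported when its target is a real (non-loopback,
    non-blackhole) address, or when the target is not even a valid IP
    literal; a malformed line in this file deserves a look as well.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if ip not in BENIGN_TARGETS:
            flagged.append((ip, name, "redirected to remote address"))
    return flagged


def hosts_verdict(text):
    """Lop SD-style one-word verdict: 'CLEAN' or 'SUSPICIOUS'."""
    return "SUSPICIOUS" if suspicious_entries(text) else "CLEAN"


# Constructed sample 1: the stock Windows XP hosts file.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed sample 2: a file with the kind of entries a search
# redirector leaves behind (198.51.100.0/24 is a documentation range).
HIJACKED_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example-adnetwork.test   # ad-block style entry, fine
198.51.100.23   www.google.com               # search engine redirected
198.51.100.23   www.bing.com
"""

if __name__ == "__main__":
    for label, content in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, hosts_verdict(content))
        for ip, name, why in suspicious_entries(content):
            print("   ", name, "->", ip, "(" + why + ")")
```

On a live machine the text would come from %SystemRoot%\system32\drivers\etc\hosts; the checker deliberately treats 0.0.0.0 entries as harmless so a user's own ad-blocking list does not drown out the real findings.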
Please go to Jotti's malware scan
(If more than one file needs to be scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:

Code:
c:\windows\system32\mspmsnsv.dll

* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

----------

Also add this please.

Create An Uninstall List
* Start HijackThis
* Click on the Open the Misc Tools section
* Click on the Open Uninstall Manager button.
* Click on the Save list button and specify where you would like to save this file and click Save.
* When you press Save button a notepad will open with the contents of that file.
* Copy and paste that list in your reply.
http://virusscan.jotti.org/en/scanre...41021044c4ea7f
32 Bit HP CIO Components Installer
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 2.1
Adobe Photoshop CS2
Adobe Premiere Elements 3.0 Templates Tryout
Adobe Premiere Elements 3.0 Tryout
Adobe Premiere Elements 3.0 Tryout
Adobe Reader 8.1.3
Adobe Stock Photos 1.0
AVConverter 1.0
DivX Converter
DivX Web Player
ESET Online Scanner v3
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 10.0
HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
IL-2 Sturmovik 1946
J2SE Runtime Environment 5.0 Update 3
Junk Mail filter update
LimeWire 4.16.6
LiveUpdate 2.7 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 1.1 SP1 with Hotfixes
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Mozilla Firefox (3.0.17)
MP3 Player Utilities 3.57
MP3 Player Utilities 4.04
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Nero 6 Ultra Edition
Nero Digital
Norton Security Scan
NVIDIA Drivers
On-line Help Console
OpenMG Limited Patch 4.6-06-09-04-01
OpenMG Secure Module 4.6.00
PDF Manual NW-S600/S700F Series
PowerDVD
QuickTime
RealPlayer Enterprise
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SiS VGA Utilities
SiSAGP driver
SonicStage 4.1
SoundMAX
Spybot - Search & Destroy
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player 10 Hotfix - KB894476
Windows Mobile® Device Handbook
WinRAR archiver
Looks good. How is the computer running now?
Also, what antivirus do you use?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update. Be sure to close all browser windows before beginning the install.

Remove the old version(s)
Download JavaRa
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the desktop

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
Well, the browsers start up faster now. Although Firefox starts up much faster than IE. Don't know why that is. I ran another Malwarebytes scan, and it showed no reports of Trojan.Vundo.H, Trojan.BHO and their associated files/registries. However, it did report 10 objects infected by Trojan.Agent, Rootkit.Agent, and Malware.Trace (that's a new one). It was able to quarantine and delete these files after reboot. Another Malwarebytes scan showed no objects. I went ahead and put TeaTimer back on, and updated Java.
Now as for antivirus software, I could have sworn that this machine came with a Norton Internet Security software preinstalled. But I can't remember what happened to it or who uninstalled it. Therefore, all I use are Spybot S&D, Malwarebytes and HijackThis. Windows Security is now telling me, in the system tray, that I have no antivirus software installed, and another icon says that it has updates to install on this computer. Do you think it would be OK to go ahead and install them?
Go to Add or Remove Programs and uninstall:
Next:
Download the Norton Removal Tool (SymNRT) to your desktop. Once downloaded please close ALL open browsers, also save any work because this may require a restart.
* Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
* Once open Click Next
* Accept the license agreement and click Next
* Type in the letters/numbers that you see into the text box then click Next.
* Then click Next and the tool will start running.
* Once finished restart the PC.
* Delete the 'Norton_Removal_Tool' from your desktop.

----------

Now install a free antivirus. I use Microsoft Security Essentials but these are all good. Remember to only install one antivirus!
1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials for Windows Vista\Windows 7 // MSE 64 bit Download
4-a) Microsoft Security Essentials for Windows XP

----------

Let me know when you get that done.
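Two things the helper has asked for by eye in the last few posts can be checked mechanically from the uninstall list: which Java runtimes are installed and whether an older one is still lying around (the "Remove Older Versions" step), and which components of a previous security suite remain (the reason for the Norton Removal Tool and the "only install one antivirus" warning). The block below is an added example and is not code from HijackThis, JavaRa or anyone in the thread. The sample list is a subset of the thread's own uninstall list plus one constructed newer Java entry; the baseline version and the vendor keyword table are assumptions a reader adjusts to their situation.

```python
"""Audit an Add/Remove Programs list for old Java runtimes and leftover
security-suite components (added example, not a tool from the thread)."""
import re

# Display-name forms Sun used for the JRE over the years:
#   "J2SE Runtime Environment 5.0 Update 3", "Java(TM) 6 Update 17",
#   "Java(TM) SE Runtime Environment 6 Update 1", "Java 7 Update 45".
# Groups: major, optional minor, optional update number.
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?|Java)"
    r"\s+(\d+)(?:\.(\d+))?(?: Update (\d+))?\b"
)

# Keywords marking remnants of an earlier antivirus/security suite.
# Assumption: extend this for the products you actually care about.
SECURITY_VENDOR_KEYWORDS = ("Symantec", "Norton", "McAfee", "LiveUpdate")


def parse_java_version(name):
    """Return (major, update) for a JRE display name, else None."""
    m = JAVA_RE.match(name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(3) or 0))


def find_java_runtimes(program_names):
    """Return [(display_name, (major, update)), ...] for every JRE."""
    found = []
    for name in program_names:
        version = parse_java_version(name)
        if version is not None:
            found.append((name, version))
    return found


def outdated_java(program_names, baseline):
    """Names of JREs older than baseline=(major, update).

    Anything returned is a candidate for JavaRa's 'Remove Older
    Versions'; more than one JRE in the list means several runtimes
    coexist and only the newest should stay.
    """
    return [name for name, version in find_java_runtimes(program_names)
            if version < baseline]


def leftover_security_components(program_names):
    """Entries whose display name mentions a security-vendor keyword."""
    return [name for name in program_names
            if any(k.lower() in name.lower() for k in SECURITY_VENDOR_KEYWORDS)]


# Sample input: entries taken from the uninstall list in the thread,
# plus one constructed newer JRE entry to show coexisting versions.
SAMPLE_LIST = [
    "Adobe Reader 8.1.3",
    "HijackThis 2.0.2",
    "J2SE Runtime Environment 5.0 Update 3",
    "Java(TM) 6 Update 17",          # constructed, not in the thread
    "LimeWire 4.16.6",
    "LiveUpdate 2.7 (Symantec Corporation)",
    "LiveUpdate Notice (Symantec Corporation)",
    "Malwarebytes' Anti-Malware",
    "Norton Security Scan",
    "Spybot - Search & Destroy",
]

if __name__ == "__main__":
    baseline = (6, 17)  # assumption: the JRE release you treat as current
    print("Java runtimes:", find_java_runtimes(SAMPLE_LIST))
    print("Outdated:", outdated_java(SAMPLE_LIST, baseline))
    print("Security leftovers:", leftover_security_components(SAMPLE_LIST))
```

The regex is anchored at the start of the name and requires a digit after the product word, so entries such as "JavaRa" or "Java Auto Updater" are not mistaken for runtimes. Feed it the text saved by HijackThis's Uninstall Manager, one entry per line, and it gives the same two answers for any list.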
Yes.
I actually don't recommend the use of Tea-Timer. It's a resource hog, can be annoying and (obviously) didn't do much good to begin with.

The following user says thank you to evilfantasy for this post: BaHa (31st Jan 2010)
Ok. I removed all files related to Norton, turned off TeaTimer, and downloaded and installed Avira AntiVir. After updating, I ran a scan which showed 18 objects infected. I don't know if these were just backup files retained by the tools we were using, but Avira was able to quarantine and delete most of them. After a reboot, a second scan says there are still 5 objects on my machine.
Here's the latest report:

Avira AntiVir Personal
Report file date: Sunday, January 31, 2010 20:29

Scanning for 1712557 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : COMPUTER

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:34
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:54
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:40:04
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 00:40:12
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:40:16
VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 00:40:16
VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 00:40:16
VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 00:40:16
VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 00:40:16
VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 00:40:16
VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 00:40:16
VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 00:40:16
VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 00:40:16
VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 00:40:16
VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 00:40:16
VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 00:40:18
VBASE015.VDF : 7.10.3.123 2048 Bytes 1/29/2010 00:40:18
VBASE016.VDF : 7.10.3.124 2048 Bytes 1/29/2010 00:40:18
VBASE017.VDF : 7.10.3.125 2048 Bytes 1/29/2010 00:40:18
VBASE018.VDF : 7.10.3.126 2048 Bytes 1/29/2010 00:40:18
VBASE019.VDF : 7.10.3.127 2048 Bytes 1/29/2010 00:40:18
VBASE020.VDF : 7.10.3.128 2048 Bytes 1/29/2010 00:40:18
VBASE021.VDF : 7.10.3.129 2048 Bytes 1/29/2010 00:40:18
VBASE022.VDF : 7.10.3.130 2048 Bytes 1/29/2010 00:40:18
VBASE023.VDF : 7.10.3.131 2048 Bytes 1/29/2010 00:40:18
VBASE024.VDF : 7.10.3.132 2048 Bytes 1/29/2010 00:40:18
VBASE025.VDF : 7.10.3.133 2048 Bytes 1/29/2010 00:40:18
VBASE026.VDF : 7.10.3.134 2048 Bytes 1/29/2010 00:40:18
VBASE027.VDF : 7.10.3.135 2048 Bytes 1/29/2010 00:40:20
VBASE028.VDF : 7.10.3.136 2048 Bytes 1/29/2010 00:40:20
VBASE029.VDF : 7.10.3.137 2048 Bytes 1/29/2010 00:40:20
VBASE030.VDF : 7.10.3.138 2048 Bytes 1/29/2010 00:40:20
VBASE031.VDF : 7.10.3.140 12800 Bytes 1/31/2010 00:40:20
Engineversion : 8.2.1.154
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/1/2010 00:40:28
AESCRIPT.DLL : 8.1.3.12 823675 Bytes 2/1/2010 00:40:28
AESCN.DLL : 8.1.4.0 127348 Bytes 2/1/2010 00:40:28
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 12:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 2/1/2010 00:40:26
AEPACK.DLL : 8.2.0.5 422262 Bytes 2/1/2010 00:40:26
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 12:38:38
AEHEUR.DLL : 8.1.1.1 2322805 Bytes 2/1/2010 00:40:24
AEHELP.DLL : 8.1.10.0 237942 Bytes 2/1/2010 00:40:22
AEGEN.DLL : 8.1.1.85 369012 Bytes 2/1/2010 00:40:22
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26
AECORE.DLL : 8.1.10.0 184695 Bytes 2/1/2010 00:40:20
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:48:00
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:04
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:40:00
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,

Start of the scan: Sunday, January 31, 2010 20:29

Starting search for hidden objects.
'64884' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WUAUCLT.EXE' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'WUAUCLT.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'NVSVC32.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'RAPIMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SISTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'WCESCOMM.EXE' - '1' Module(s) have been scanned
Scan process 'MSNMSGR.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '1' Module(s) have been scanned
Scan process 'QTTASK.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000830.dll
[DETECTION] Is the TR/Dldr.Agent.csen Trojan
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000831.dll
[DETECTION] Is the TR/Dldr.Agent.csen Trojan
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000832.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000833.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000834.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Beginning disinfection:
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000830.dll
[DETECTION] Is the TR/Dldr.Agent.csen Trojan
[NOTE] The file was moved to '4b96380c.qua'!
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000831.dll
[DETECTION] Is the TR/Dldr.Agent.csen Trojan
[NOTE] The file was moved to '4affde35.qua'!
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000832.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4acf2065.qua'!
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000833.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4af1eea5.qua'!
C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5\A0000834.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4af3ff15.qua'!

End of the scan: Sunday, January 31, 2010 21:09
Used time: 36:41 Minute(s)

The scan has been done completely.

9209 Scanned directories
369490 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
5 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
369484 Files not concerned
2180 Archives were scanned
1 Warnings
6 Notes
64884 Objects were scanned with rootkit scan
0 Hidden objects were found
The items found were to be expected and we will remove anything that may be left with the next steps.
Time to do some cleanup and secure the work you have done.
----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the Secunia Software Inspector to check for out of date software. Out of date software has security vulnerabilities that malware can exploit.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time.
Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing.
Spybot - Search & Destroy FAQ

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
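The helper's verdict on the Avira report, that the items found "were to be expected", rests on one observation: every detection sits under System Volume Information\_restore, so they are System Restore copies of files already removed from their original locations, not a live infection. That reading can be automated. The block below is an added example; it is not Avira code and not part of the thread. It parses a report in Avira's one-entry-per-line layout, attributes each [DETECTION] to the path line before it, collapses the duplicate listing Avira produces during disinfection, notes which files were quarantined, and checks its own count against the report's summary line. The excerpt it runs on is constructed from two of the thread's own detection lines plus one made-up live file so that the "still needs attention" case is exercised.

```python
"""Triage an Avira AntiVir report (added example, not Avira's code):
separate System Restore copies from live files and spot what was not
quarantined."""
import re
from collections import OrderedDict

PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a scanned file path
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(.+?)\s*$")
QUARANTINE_RE = re.compile(r"^\[NOTE\]\s+The file was moved to '([^']+)'!")
SUMMARY_RE = re.compile(r"^(\d+)\s+Viruses and/or unwanted programs were found")
RESTORE_MARK = "\\system volume information\\_restore"   # compared lower-case


def parse_report(text):
    """Return (findings, summary_count).

    findings maps path -> {"name", "quarantine"}. A [DETECTION] line is
    attributed to the most recent path line. Avira lists a file twice
    when it disinfects (scan pass, then 'Beginning disinfection'), so
    keying by path collapses the duplicate and the later [NOTE] fills in
    the quarantine file name.
    """
    findings, summary, current = OrderedDict(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            continue
        m = DETECTION_RE.match(line)
        if m and current:
            findings.setdefault(current, {"quarantine": None})["name"] = m.group(1)
            continue
        m = QUARANTINE_RE.match(line)
        if m and current in findings:
            findings[current]["quarantine"] = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = int(m.group(1))
    return findings, summary


def is_restore_point_copy(path):
    """True for files inside a System Restore point."""
    return RESTORE_MARK in path.lower()


def triage(text):
    """Split findings into restore-point copies, live files and the
    subset never quarantined; also say whether our count agrees with
    the report's own summary (a mismatch means the parser missed one)."""
    findings, summary = parse_report(text)
    restore = [p for p in findings if is_restore_point_copy(p)]
    live = [p for p in findings if not is_restore_point_copy(p)]
    pending = [p for p, e in findings.items() if e["quarantine"] is None]
    return {"restore_point_copies": restore, "live_files": live,
            "not_quarantined": pending,
            "matches_summary": summary == len(findings)}


# Constructed excerpt: two entries from the thread's report plus one
# made-up live file that Avira could not remove.
RP = r"C:\System Volume Information\_restore{4D626CDA-5675-4A01-963D-4BB4094D45BF}\RP5"
LIVE = r"C:\WINDOWS\system32\example_leftover.dll"   # constructed, not in the thread
SAMPLE_REPORT = "\n".join([
    "Starting the file scan:",
    "Begin scan in 'C:\\'",
    RP + r"\A0000830.dll",
    "  [DETECTION] Is the TR/Dldr.Agent.csen Trojan",
    RP + r"\A0000832.dll",
    "  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    LIVE,
    "  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    "Beginning disinfection:",
    RP + r"\A0000830.dll",
    "  [DETECTION] Is the TR/Dldr.Agent.csen Trojan",
    "  [NOTE] The file was moved to '4b96380c.qua'!",
    RP + r"\A0000832.dll",
    "  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    "  [NOTE] The file was moved to '4acf2065.qua'!",
    LIVE,
    "  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    "  [WARNING] The file could not be deleted!",   # constructed outcome
    "   3 Viruses and/or unwanted programs were found",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Run against the full report posted above, `live_files` and `not_quarantined` both come back empty and `matches_summary` is true for the five entries, which is exactly the situation the helper describes. Restore-point copies disappear for good once System Restore is cleared, so a non-empty `live_files` list is the only part of the output that calls for further work.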
I did all the steps and I can say that my computer runs more smoothly now. I updated all old software and kept Windows Updates up to date. I have SUPERAntiSpyware and Spyware Blaster on my computer alongside Malwarebytes', Spybot S&D and Avira AntiVir. I also added Web of Trust to IE and Firefox. My Google search results haven't been redirected since. Thanks for all your help, evilfantasy, these past few days. You were super.