antispyware soldier has taken me over



#16 Wizard (Retired Staff, 5,661 posts)
I like to hear the news that the machine is running better! :whistling:

That file, however, concerns me. Will you go to Safe Mode and run ComboFix?

Save the resulting log and post it in the next reply.

It is possible that's the file that F-Secure got.


After posting the log from ComboFix, let's run a couple more online scans to be sure we haven't overlooked anything.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#17 mwfire308 (Topic Starter, Member, 11 posts)
ComboFix scan as requested

Owner - 06-10-02 0:43:51.54 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-01 14:13 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-01 01:46 -------- d-------- C:\Program Files\PokerStars.NET
2006-09-30 02:08 -------- d-------- C:\Program Files\Cosmi
2006-09-26 13:58 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-13 23:05 -------- d-------- C:\Program Files\anywebcam
2006-09-05 14:46 -------- d-------- C:\Program Files\Java
2006-09-05 14:45 -------- d-------- C:\Program Files\Common Files\Java
2006-09-05 14:45 -------- d-------- C:\Program Files\Common Files
2006-09-04 19:14 -------- d-------- C:\Program Files\Google
2006-09-04 19:04 -------- d-------- C:\Program Files\Arcsoft
2006-08-21 19:20 -------- d-------- C:\Program Files\SpywareGuard
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-13 11:12 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-13 02:39 -------- d-------- C:\Program Files\Internet Explorer
2006-08-12 22:08 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-12 12:44 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-12 12:33 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-08-12 12:33 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-08-12 12:33 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-08-12 12:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-08-12 12:32 -------- d-------- C:\Program Files\Grisoft
2006-08-06 00:19 -------- d-------- C:\Program Files\MSN Messenger
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7"
"AlcxMonitor"="ALCXMNTR.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Mon 10/02/2006 0:45:26.07
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
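The "Reg Loading Points" section of the log above is the part a helper reads first, and the question to ask of every Run-key entry is what it actually launches. The script below is an added example, not code from this thread and not ComboFix's own: it parses the .reg-style dump ComboFix prints, pulls the executable out of each command line, and flags entries that name a bare file with no directory (Windows resolves such names through its search path, so the log alone does not tell you which file runs) or that sit under a user-writable directory. The excerpt of the posted log is embedded so the script runs offline; the heuristics, including splitting an unquoted command after the first ".exe", are assumptions made for this example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example; it is not part of the thread and not ComboFix's code.
It reads the .reg-style dump and flags Run-key commands whose
executable has no directory (resolved through the search path) or
lives in a user-writable location.
"""
import re

# Excerpt of the Run keys from the posted log, embedded so this runs offline.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7"
"AlcxMonitor"="ALCXMNTR.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" where backslash escapes the next character (.reg convention).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories a limited user can write to; a Run entry pointing here deserves a look.
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\', '\\application data\\')


def unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_dump(text):
    """Yield (key, name, value) for every value line under a [key] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def split_command(cmd):
    """Return (executable, arguments) from a Run-key command line.

    Heuristic (an assumption of this example): a quoted command ends at the
    closing quote; an unquoted one is cut after the first '.exe' so that
    paths containing spaces survive.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def triage(text):
    """One record per Run-key value, with the flags a reviewer would want."""
    findings = []
    for key, name, value in parse_reg_dump(text):
        if not key.lower().endswith('\\run') or not value:
            continue
        exe, args = split_command(value)
        flags = []
        if '\\' not in exe and ':' not in exe:
            flags.append('unqualified')          # bare name: resolved via search path
        if any(p in exe.lower() for p in USER_WRITABLE):
            flags.append('user-writable-path')   # runs from a directory any user can write
        findings.append({'key': key, 'name': name, 'exe': exe, 'args': args, 'flags': flags})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        mark = ','.join(f['flags']) or 'ok'
        print(f"{mark:20s} {f['name']:20s} {f['exe']} {f['args']}")
```

On the posted log the only flagged entries are LTMSG and AlcxMonitor, both launched by a bare file name. The flag says nothing about whether those files are malicious; it says the log cannot tell you where they live, so the next step is to find the file that actually gets resolved (normally in the Windows or system32 directory) and check its publisher and hash before deciding anything.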

#18 mwfire308 (Topic Starter, Member, 11 posts)
I did the active scan and was shocked with the amount of stuff it found, this after clearing everything to date. I'm starting to feel like it's a lost cause.
Here is the log

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/btgrab Not disinfected Windows Registry
Adware:adware/dailytoolbar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/alexa-toolbar Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Dialer:dialer.du Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\business\Cookies\business@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\business\Cookies\business@banner[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\business\Cookies\business@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\business\Cookies\[email protected][2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\business\Cookies\business@kount[1].txt
Hacktool:HackTool/Jkill.A Not disinfected C:\Documents and Settings\business\Local Settings\Temp\RebateNation.exe[jkill.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\business\Local Settings\Temp\RebateNation.exe[RebateNation1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\business\Local Settings\Temp\RebateNation.exe[RebateNation0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\business\Local Settings\Temp\RebateNation.exe[disp5300.exe]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Ebay\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ebay\Cookies\ebay@realmedia[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\guest@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Guest\Cookies\guest@rightmedia[2].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[3].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kount[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Owner\Cookies\owner@outster[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rn11[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@spywarestormer[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Owner\Cookies\owner@webpower[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\SmitfraudFix\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sharon\Cookies\sharon@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Sharon\Cookies\sharon@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Sharon\Cookies\sharon@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Sharon\Cookies\[email protected][2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Sharon\Cookies\sharon@kount[1].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\0A4BDA1F-63DD-4074-B026-9B8E21
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\187BA5CF-3879-4120-8C0F-1EF6B4
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\204A91E1-945F-47F6-AC12-A9705E
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\3AC310E3-B8C0-4D19-9968-D90614
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\456423C0-88FB-4F50-9C8E-9F2B80
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\4CC51C09-00A9-4433-BBB6-F475BA
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\51AF8374-143B-4D5D-8952-C8FF4B
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\520B3D33-DDEA-4D13-A714-9CA9E0
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\52A941BF-A535-4DBE-B6BB-6B4390
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\57F8AE08-655F-43DE-9080-32A0B8
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\79D2F08A-F941-46EB-802C-B370EE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\9AB71477-5725-415A-BAFE-D4F8B3
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\BE1F9D7F-45A1-4074-A266-B2016D
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\C74B5481-2972-48EB-9087-9F50A5
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\E45F4C35-5275-4D18-B2D7-A18E96
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\E6D6DA05-B7DB-4722-AE17-8527E2
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\EEFCBBC2-F84E-4DA4-921D-B3C69A
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\EF99857C-4FFD-42CA-837F-52B311
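Most of the 89 lines in the report above are tracking cookies and files already sitting in another product's quarantine folder; the entries that still need a decision are far fewer. The script below is an added example, not part of the thread and not Panda's code: it parses the "Incident Status Location" lines and sorts them into buckets. The bucket rules are heuristics chosen for this example: cookies are cleared by deleting browser cookies, entries under a \Quarantine\ directory are purged from that product, files under Local Settings\Temp are simply deleted, registry locations need targeted key removal, and Process.exe inside the SmitfraudFix and smitRem folders is the process-killing helper bundled with those cleanup tools, which scanners routinely flag. Anything else, such as the utilities under C:\hp\bin, is left for manual review. The excerpt is lines copied from the post; status words other than "Not disinfected" are assumed.

```python
"""Triage a Panda ActiveScan report like the one posted above.

Added example; it is not part of the thread, of Panda ActiveScan, or of
any cleanup tool mentioned here.  The bucket rules are heuristics.
"""
import re
from collections import Counter

# Report line: '<kind>:<name> <status> <location>'.  Only 'Not disinfected'
# occurs in the posted log; the other status words are assumed.
LINE_RE = re.compile(
    r'^(?P<kind>[^:]+):(?P<name>\S+)\s+'
    r'(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+'
    r'(?P<location>.+)$'
)

# Excerpt of the posted report (one line per pattern), embedded so this runs offline.
SAMPLE_REPORT = r'''
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/transponder Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\business\Cookies\business@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[2].txt
Hacktool:HackTool/Jkill.A Not disinfected C:\Documents and Settings\business\Local Settings\Temp\RebateNation.exe[jkill.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\business\Local Settings\Temp\RebateNation.exe[RebateNation1.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1E9ED7DD-A1DD-4397-92FE-9F2808\0A4BDA1F-63DD-4074-B026-9B8E21
'''

# Buckets that still require a human decision.
ACTION_BUCKETS = ('delete-temp', 'registry', 'review')


def parse_report(text):
    """Return one dict per recognised incident line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Assign a triage bucket (heuristics assumed for this example)."""
    loc = entry['location'].lower()
    name = entry['name'].lower()
    if name.startswith('cookie/'):
        return 'tracking-cookie'            # gone once browser cookies are deleted
    if '\\quarantine\\' in loc:
        return 'in-quarantine'              # already contained; purge from that product
    if re.search(r'[\\/]process\.exe\]?$', loc) and ('smitfraudfix' in loc or 'smitrem' in loc):
        return 'cleanup-tool-component'     # helper shipped with the removal tools used earlier
    if '\\local settings\\temp\\' in loc:
        return 'delete-temp'                # disposable; delete the file
    if loc == 'windows registry' or loc.startswith('hkey_'):
        return 'registry'                   # needs targeted key removal
    return 'review'


def summarize(text):
    """Count of entries per bucket."""
    return Counter(classify(e) for e in parse_report(text))


def action_items(text):
    """(bucket, location) for the entries that still need a decision."""
    return [(classify(e), e['location'])
            for e in parse_report(text) if classify(e) in ACTION_BUCKETS]


if __name__ == '__main__':
    for bucket, n in summarize(SAMPLE_REPORT).most_common():
        print(f'{n:3d}  {bucket}')
    print()
    for bucket, loc in action_items(SAMPLE_REPORT):
        print(f'{bucket:12s} {loc}')
```

Run against the full posted report the same rules leave nine registry entries, four Temp files and the three C:\hp\bin utilities as the actual work list; the 48 cookies and 18 quarantine items are noise that the cookie and Disk Cleanup steps suggested later in the thread will take care of.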

#19 Wizard (Retired Staff, 5,661 posts)
Wow, that is a surprise! :whistling:

You would think with Ewido and Spybot, the registry would have been cleaned.

Post the entire Panda log by itself and let me research some of those entries at their site.


Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files (check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and run Disk Cleanup (make sure that all boxes are checked for cleaning)