Downloader.MissleadApp & Trojan.Perfcoo [RESOLVED]

#16 fsfshorelines (Member, Topic Starter, 21 posts)

So, I don't know why, but when I finished, there was no button to save the report. I've attached a screen shot of the screen. I'm going to try it again to see if it works this time. I did manage to get something saved by saving through IE, but I doubt that's what you need. I'll post here if I can get it to work this time. Here is what I got from IE:

Kaspersky Online Scanner
Welcome to the Kaspersky Online Scanner! Use it to scan your PC for viruses and other malware for free.
Warning: if you have installed Kaspersky Online Scanner Pro, please manually uninstall it using "Add/Remove Programs" before installing this version! Otherwise this version will not function correctly.

Benefits:

  • Kaspersky Anti-Virus exceptional detection rates and thorough scanning
  • Hourly AV database updates available each time the Online Scanner is launched
  • Heuristic analysis to detect unknown viruses
  • Simple installation (just click on a link)

Requirements and limitations:

  • When using this service for the first time, you have to run with Administrator privileges in order to install the product. Also, you will need to download and install files about 400 KB in size followed by 9 MB of virus definitions. However, if you use the Online Scanner again, you will only need to download the files that have been updated since your last scan.
  • The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 6.0 or higher. We cannot guarantee that the Online Scanner will function correctly if you are using any other browser or any Internet Explorer extensions (such as AvantBrowser). If you use a different browser, you can use the Kaspersky File Scanner to scan individual files.
  • The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so it cannot detect malicious code located in these areas.
  • Please note: The free Kaspersky Online Scanner does not protect against malicious code, and cannot prevent future infections. It only detects malware that has already penetrated your computer. We strongly recommend that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious programs found on your computer during the scanning process. The information will be sent to the Kaspersky Virus Lab for statistical purposes. No personal information about you or specific information about your system will be collected or transmitted to Kaspersky Lab.

Scan settings:
Here you can configure the scanning process.

Scan using the following antivirus database:
  • standard - detect viruses, worms, Trojans, rootkits
  • extended - protect your computer from Spyware, adware, dialers and potentially dangerous software such as remote access utilities, prank programs and jokes. We do not recommend this option to beginners or inexperienced users.

Scan options:
  • Scan Archives - scan files inside archives. Note: affects all targets except 'A File...' scan target.
  • Scan Mail Bases - scan e-mails/attachments inside mail base files. Note: affects all targets except 'My Email' and 'A File...' scan targets.

Initialize Kaspersky Online Scanner (downloading and installing Kaspersky Online Scanner ActiveX from the server into your computer)

Update Kaspersky Anti-Virus Databases [100%]: (downloading and installing the latest Kaspersky Anti-Virus Databases)

Please wait to update the virus definitions...
Downloading from url:
http://downloads1.kaspersky-labs.com
Update finished. Ready to scan.
Please select a target to scan: You can configure the scanning process by pressing "Scan Settings" button.

  • Critical Areas: scan critical areas of your hard disks specified in %windir% and %tmp% system variables
  • Memory: scan disk modules of running processes
  • My Computer: scan all your hard and mapped disks
  • My Email: scan all your hard and mapped disks only for the following extensions: *.PST; *.MSG; *.OST; *.MDB; *.DBX; *.EML; *.MBS
  • Folders...: scan selected folders
  • A File...: scan a one file

Warning: The Kaspersky Online Scanner may not run successfully while any other Anti-Virus software is running. If you have Anti-Virus software installed, please disable your AV protection before running the Kaspersky Online Scanner.
Selected target: My Computer
Source: C:\; D:\;

Report is empty.
Please note: The free Kaspersky Online Scanner does not provide comprehensive protection and cannot prevent future infections. It only detects malware that has already penetrated your storage devices. We strongly recommend that you use a fully-functional antivirus solution to protect your computer at all times.

Please wait, this process may take a long time depending on the selected target. If you want to continue browsing, open a new window.

Scan Progress [99%]:

Total number of scanned objects: 111863
Number of viruses found: 5
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 02:12:57

Product Info
You have Kaspersky Online Scanner version 5.0.98.0 installed. The current anti-virus database was released on Tuesday, February 05, 2008 and contains 548717 records.

System Info
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Please wait while the Kaspersky Online Scanner is initializing and updating...

Attached Thumbnails: untitled2.jpg

#17 fsfshorelines (Member, Topic Starter, 21 posts)

Ah, ok. This time it worked. Here you go:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 05, 2008 1:50:56 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/02/2008
Kaspersky Anti-Virus database records: 548987
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 111908
Number of viruses found: 6
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 02:22:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40003.VBN/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40003.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40003.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40004.VBN/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40004.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40004.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40005.VBN/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40005.VBN/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40005.VBN ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40005.VBN CryptZ: infected - 2 skipped
C:\Documents and Settings\Austen Talbot\Application Data\Global Forex Trading\DealBook FX 2\Logs\Client_04_02_2008__01_06_36_254.log Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Global Forex Trading\DealBook FX 2\Logs\storage_04_02_2008_01_06_50_484.log Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\cert8.db Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\history.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\key3.db Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Austen Talbot\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Austen Talbot\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Last.fm\Client\container.log Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Last.fm\Client\iTunesPlugin.log Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Application Data\Mozilla\Firefox\Profiles\bhzb04yt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\History\History.IE5\MSHist012008020420080205\index.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Austen Talbot\Local Settings\Temporary Internet Files\Content.IE5\LNMRJ1Y4\udefender_setup[1].exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\Documents and Settings\Austen Talbot\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Austen Talbot\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Austen Talbot\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\EUR_USD_8h_4_19\base.dat Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\EUR_USD_8h_4_19\base.tmp Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\GBP_USD_8h_3_19\base.dat Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\GBP_USD_8h_3_19\base.tmp Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\USD_CHF_8h_2_19\base.dat Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\USD_CHF_8h_2_19\base.tmp Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\USD_JPY_8h_1_19\base.dat Object is locked skipped
C:\Program Files\DealBook 360\Storage\demo.gftforex.com_80\USD_JPY_8h_1_19\base.tmp Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP1\A0000008.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP1\A0000008.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP1\A0000008.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP1\A0000023.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP1\A0002060.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A35B9565-5FBE-4AC8-BA13-78DA0BCAF608}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5901.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#18
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Austen Talbot\Local Settings\Temporary Internet Files\Content.IE5\LNMRJ1Y4\udefender_setup[1].exe 
    C:\WINDOWS\system32\dllcache\beep.sys 
    C:\WINDOWS\system32\drivers\beep.sys
    C:\WINDOWS\system32\winivstr.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
See if HijackThis will now run, and post that log with the OTMoveIt log, and let me know how things are running.
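
The four paths in the OTMoveIt list above are lifted straight out of the Kaspersky report, and two of them are the same driver name in two places: system32\drivers and system32\dllcache. dllcache is the Windows File Protection cache, so a detection there means the copy WFP would restore is itself the rogue file, and both copies have to go. As an added example (my own code, not part of the thread, OTMoveIt or Kaspersky), this Python script parses report lines in the format shown in the earlier post, separates detections from "Object is locked" noise, flags any file detected both inside and outside dllcache, and emits the one-path-per-line list that OTMoveIt's paste box expects. SAMPLE_REPORT is a constructed excerpt using the entries visible in the thread.

```python
"""Triage a Kaspersky Online Scanner report and build the list to paste into OTMoveIt.

Added example; SAMPLE_REPORT is a constructed excerpt in the report's line format.
"""
import re
from collections import defaultdict

# Constructed excerpt: the same line shapes as the report posted in the thread,
# "<path> Infected: <detection> skipped" and "<path> Object is locked skipped".
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped

Scan process completed.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<detection>\S+)\s+skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")


def parse_report(text):
    """Return one dict per result line (path, status, detection); other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            entries.append({"path": m["path"], "status": "infected", "detection": m["detection"]})
            continue
        m = LOCKED_RE.match(line)
        if m:
            entries.append({"path": m["path"], "status": "locked", "detection": None})
    return entries


def infected(entries):
    """Only the entries the scanner actually detected something in."""
    return [e for e in entries if e["status"] == "infected"]


def wfp_pairs(entries):
    """Basenames detected both inside system32\\dllcache and somewhere else.

    dllcache is the Windows File Protection cache: WFP restores a protected
    system file from there when it changes, so a detection in both places
    means the cached copy must be removed too, or the driver is put back.
    """
    by_name = defaultdict(list)
    for e in infected(entries):
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e["path"])
    return {
        name: paths
        for name, paths in by_name.items()
        if any("\\dllcache\\" in p.lower() for p in paths)
        and any("\\dllcache\\" not in p.lower() for p in paths)
    }


def otmoveit_list(entries):
    """One detected path per line, the form OTMoveIt's paste box expects."""
    return "\n".join(e["path"] for e in infected(entries))


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for e in infected(found):
        print(f"{e['detection']:<55} {e['path']}")
    for name, paths in wfp_pairs(found).items():
        print(f"WFP pair: {name} -> {len(paths)} copies; remove all of them")
    print("--- paste into OTMoveIt ---")
    print(otmoveit_list(found))
```

Locked files (registry hives, event logs, the WMI repository) are reported as "skipped" in the same report, which is why the parser keeps them as a separate status instead of treating every "skipped" line as a hit.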

#19
fsfshorelines (Topic Starter, Member, 21 posts)
C:\Documents and Settings\Austen Talbot\Local Settings\Temporary Internet Files\Content.IE5\LNMRJ1Y4\udefender_setup[1].exe moved successfully.
C:\WINDOWS\system32\dllcache\beep.sys moved successfully.
C:\WINDOWS\system32\drivers\beep.sys moved successfully.
C:\WINDOWS\system32\winivstr.exe moved successfully.

OTMoveIt2 v1.0.17 log created on 02052008_103609

HijackThis still won't run. I don't notice any problems with my computer running... the only obvious thing is the popup caused by the Downloader.MisleadApp, which is getting pretty annoying. Here's what it looks like:

[Attached screenshot: untitled3.jpg]


#20
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download RogueRemover by RubberDucky here.
  • Double-click rr-free-setup.exe to begin installing the program.
  • Follow the setup instructions for installation.
  • Double-click the RogueRemover icon on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Next, click Scan
  • If it detects anything, select to remove all objects found.
  • Close RogueRemover

Let me know what it finds.
=========================
After that, please download SUPERAntiSpyware Home Edition (free version).
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Scan for Alternate Data streams
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

*Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Then run Superantispyware.
  • Double click on the icon to start Superantispyware.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me, please do the following:
1. After reboot, double-click the SUPERAntispyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.
6. Click close and close again to exit the program.
Save the log information. If needed (still infected), paste this info.

#21
fsfshorelines (Topic Starter, Member, 21 posts)
Malwarebytes' RogueRemover
Malwarebytes ©2007 http://www.malwarebytes.org
6725 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: Registry Key
Vendor: Ultimate Defender
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Ultimate Defender
Selected for removal: Yes

RogueRemover has found the objects above.


SUPERAntiSpyware wouldn't run. It downloaded, but when I double-clicked on it, it wouldn't do anything.

By the way, I don't think I've said this yet, but I really appreciate that you're helping me out--even if things haven't been too successful so far. If I didn't have your help, I'd have no idea what to do, so thank you a lot. :-)

#22
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome :)

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#23
fsfshorelines (Topic Starter, Member, 21 posts)
SmitFraudFix v2.281

Scan done at 23:20:22.86, Tue 02/05/2008
Run from C:\Documents and Settings\Austen Talbot\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DealBook 360\DealBookFX.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Austen Talbot


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Austen Talbot\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\AUSTEN~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AUSTEN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 128.118.25.3
DNS Server Search Order: 128.118.141.32
DNS Server Search Order: 146.186.163.66
DNS Server Search Order: 130.203.1.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCD8D422-7B01-439D-8120-232683E61BC9}: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCD8D422-7B01-439D-8120-232683E61BC9}: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DCD8D422-7B01-439D-8120-232683E61BC9}: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#24
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 will remove your Desktop background.
Post the smitfraudfix log (rapport.txt)
=============================================================
After reboot try this.
Rename Combofix from Pickle.exe to Combofix.exe and then
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll


  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

See if it will then work.

Let me know if it does. I am off to beddy-bye time for now. :)

#25
fsfshorelines (Topic Starter, Member, 21 posts)
SmitFraudFix v2.281

Scan done at 23:34:41.13, Tue 02/05/2008
Run from C:\Documents and Settings\Austen Talbot\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost



»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\DOCUME~1\AUSTEN~1\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCD8D422-7B01-439D-8120-232683E61BC9}: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCD8D422-7B01-439D-8120-232683E61BC9}: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DCD8D422-7B01-439D-8120-232683E61BC9}: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=128.118.25.3 128.118.141.32 146.186.163.66 130.203.1.4


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 23:53, on 2008-02-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe






Okay, good news and bad news. First, the little annoying thing that was part of Downloader.MisleadApp is gone, HijackThis worked, and ComboFix sort of worked! But... after ComboFix loaded, it displayed this error... which I took a screen shot of, but then stupidly copied something else before I pasted it to anything :-\ Then after it closed... it turned into an Internet Explorer icon and apparently disappeared from my system.

#26
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [braviax] braviax.exe
O20 - AppInit_DLLs: cru629.dat



Now click on Fix Checked and then close Hijackthis.
You will more than likely get an error when fixing the O20, but it is fine.
============================================
Let's try it again please.

Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
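
The two entries kahdah picks out of the HijackThis log above are a classic pair: an HKLM Run value whose command is a bare file name with no directory, and a non-empty AppInit_DLLs value, which on Windows XP gets loaded into every process that loads user32.dll. As an added example (my own code, not part of HijackThis or of the thread), this Python script parses a constructed excerpt in HijackThis v1.99.1 format built from entries in post #25, flags every AppInit_DLLs value and every Run entry without a directory, and takes an optional allow-list of entry names already confirmed as vendor software, because the same heuristic also surfaces AGRSMMSG and TFncKy, which the helper left alone.

```python
"""Flag HijackThis O4/O20 entries that deserve a second look.

Added example; SAMPLE_HJT_LOG is a constructed excerpt in HijackThis v1.99.1 format.
"""
import re

# Constructed excerpt built from entries that appear in the thread's log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - HKLM\..\Run: [name] command" and "O20 - AppInit_DLLs: value"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# A command that starts with a drive letter or an environment variable names its directory.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")


def parse_hjt(text):
    """Keep Run-key (O4) and AppInit_DLLs (O20) entries; every other line is skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"section": "O4", "hive": m["hive"], "name": m["name"], "target": m["target"]})
            continue
        m = APPINIT_RE.match(line)
        if m:
            entries.append({"section": "O20", "hive": "HKLM", "name": "AppInit_DLLs", "target": m["value"]})
    return entries


def has_explicit_path(target):
    """True when the command (quotes stripped) starts with a drive letter or %VAR%."""
    return bool(PATH_RE.match(target.strip().strip('"')))


def flag_entries(entries, known_good=frozenset()):
    """Return (name, target, reason) tuples for entries worth reviewing.

    known_good holds Run-entry names already confirmed as legitimate vendor
    items, so they are not reported again on the next log.
    """
    findings = []
    for e in entries:
        if e["section"] == "O20" and e["target"].strip():
            findings.append((e["name"], e["target"],
                             "AppInit_DLLs is set; that DLL is loaded into every process that loads user32.dll"))
        elif e["section"] == "O4" and e["name"] not in known_good and not has_explicit_path(e["target"]):
            findings.append((e["name"], e["target"],
                             "Run entry names no directory; the file is located through the search path"))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT_LOG)
    # AGRSMMSG and TFncKy are the path-less entries the helper left alone in the thread.
    for name, target, reason in flag_entries(entries, known_good={"AGRSMMSG", "TFncKy"}):
        print(f"[{name}] {target}: {reason}")
```

Only the AppInit_DLLs form of O20 is parsed; the Winlogon Notify lines in the same section are ignored here because the thread does not touch them. The allow-list is deliberately by entry name, so a later log from the same machine can be re-run with the vendor items suppressed and only genuinely new path-less entries reported.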

#27
fsfshorelines (Topic Starter, Member, 21 posts)
ComboFix 08-02.05.3 - Austen Talbot 2008-02-06 8:40:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.666 [GMT -5:00]
Running from: C:\Documents and Settings\Austen Talbot\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\WINDOWS\system32\drivers\etc\.protected

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 23:20 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-05 23:20 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-05 23:20 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-05 23:20 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-05 23:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-05 23:20 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-05 23:20 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-05 23:01 . 2008-02-05 23:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-04 20:26 . 2008-02-04 20:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-04 20:26 . 2008-02-04 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 08:37 . 2008-02-04 08:37 <DIR> d-------- C:\Documents and Settings\Austen Talbot\DoctorWeb
2008-02-04 08:34 . 2008-02-04 08:34 <DIR> d-------- C:\_OTMoveIt
2008-02-03 17:33 . 2008-02-03 17:33 <DIR> d-------- C:\Deckard
2008-02-02 23:01 . 2008-02-02 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 22:37 . 2008-02-05 23:34 2,368 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-02 22:18 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-02-02 22:17 . 2008-02-04 12:08 <DIR> d-------- C:\MGtools
2008-02-02 22:17 . 2008-02-02 22:18 56,992 --a------ C:\MGlogs.zip
2008-02-02 22:13 . 2008-02-02 22:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-02 22:06 . 2008-02-02 22:06 <DIR> d-------- C:\Program Files\CCleaner
2008-02-02 15:40 . 2004-08-04 07:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-01-21 17:54 . 2008-01-21 17:54 <DIR> d-------- C:\Program Files\Power Tab Software
2008-01-13 01:08 . 2008-01-13 01:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-13 00:26 . 2008-01-13 00:26 <DIR> d-------- C:\Program Files\Bonjour
2008-01-13 00:04 . 2008-01-13 00:04 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 13:39 --------- d-----w C:\Program Files\Trillian
2008-01-13 05:26 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 18:22 --------- d-----w C:\Program Files\Last.fm
2007-12-24 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-12-12 16:59 --------- d-----w C:\Documents and Settings\Austen Talbot\Application Data\uTorrent
2007-12-08 17:31 --------- d-----w C:\Program Files\Unrar
2007-12-08 02:51 --------- d-----w C:\Program Files\Photomatix
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-12 21:08 580 -c--a-w C:\Documents and Settings\Austen Talbot\Application Data\wklnhst.dat
2006-12-06 05:12 54,568 -c--a-w C:\Documents and Settings\Austen Talbot\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-08-10 13:23 356352]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 18:17 88358 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 17:28 98394]
"TFncKy"="TFncKy.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 08:33 122941]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 18:26 217088]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]

C:\Documents and Settings\Austen Talbot\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-24 13:22:11 110592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-24 13:22:11 110592]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-07-28 15:56:17 155648]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-09-09 04:18 57344 C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-06-07 21:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2005-06-07 22:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a--c--- 2004-05-25 16:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2004-09-07 16:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a--c--- 2005-06-07 22:03 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a--c--- 2005-03-17 19:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2005-01-12 02:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a--c--- 2006-08-03 10:55 1249280 c:\progra~1\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-10-14 17:26 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-02-13 00:21 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 02:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2005-05-31 23:00 282624 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a--c--- 2005-04-05 18:25 73728 C:\Program Files\Toshiba\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent]
--a------ 2007-02-15 19:20 177152 C:\Program Files\uTorrent\utorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 12:05]
R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2007-01-03 00:07]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-05-23 22:20]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-05-30 20:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 18:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 08:44:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 8:44:47
ComboFix-quarantined-files.txt 2008-02-06 13:44:32
.
2008-01-09 08:03:02 --- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 10:12, on 2008-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#28
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please uninstall Viewpoint.
================================================
After that please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

C:\WINDOWS\system32\dllcache\beep.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#29
fsfshorelines

fsfshorelines

    Member

  • Topic Starter
  • Member
  • 21 posts
Scanner                  Malware name
A-Squared                Trojan-Spy.Win32.BZub.brd
AntiVir                  X
ArcaVir                  X
Avast                    Win32:IRCBot-CDS
AVG Antivirus            BackDoor.Generic8.ENX
BitDefender              Backdoor.Bifrost.JJ
ClamAV                   Trojan.Bzub-252
CPsecure                 X
Dr.Web                   BackDoor.Bifrost.101
F-Prot Antivirus         X
F-Secure Anti-Virus      Trojan-Spy.Win32.BZub.brd
Fortinet                 X
Ikarus                   Virus.Win32.Ircbot.CDS
Kaspersky Anti-Virus     Trojan-Spy.Win32.BZub.brd
NOD32                    X
Norman Virus Control     X
Panda Antivirus          X
Rising Antivirus         Trojan.DL.Mnless.ajp
Sophos Antivirus         X
VirusBuster              X
VBA32                    Trojan-Spy.Win32.BZub.brd

#30
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\dllcache\beep.sys /D

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================
Please then try to run Superantispyware again; you can run it in normal mode.
Check for updates before running, please; it will prompt you to do so when you double-click on the icon.
Post that log and a new dss (look.exe) log.

Edited by kahdah, 07 February 2008 - 03:11 AM.
