Geeks To Go forums
Trojandownloader.xs attack
#16 Wizard (Retired Staff)
Ah... my bad.
2008-02-08 16:34 . 2008-02-08 16:33 876,032 -r-hs---- C:\WINDOWS\wkssvc.exe

The file is hidden, my apologies. Configure Windows to show all hidden files and folders; here is a link to help with that:
http://www.bleepingc...showtutorial=62

Let the BitDefender scan roll on, maybe it will find it first.

After it completes, let's get a fresh run with ComboFix and post that log please.
#17 Komamura (Topic Starter)
Here is the BitDefender report

BitDefender Online Scanner

Scan report generated at: Thu, Feb 14, 2008 - 13:47:22
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics
Time: 02:33:08
Files: 584440
Folders: 21079
Boot Sectors: 5
Archives: 4625
Packed Files: 71216

Results
Identified Viruses: 6
Infected Files: 15
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 15

Engines Info
Virus Definitions: 980832
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)=>lzma_solid_nsis0004
    Detected with: Adware.Rotator.Gen
    Disinfection failed
    Deleted
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)
    Update failed
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)=>lzma_solid_nsis0004
    Detected with: Adware.Fotomoto.Gen
    Disinfection failed
    Deleted
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)
    Update failed
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)=>lzma_solid_nsis0005
    Detected with: Adware.Fotomoto.Gen
    Disinfection failed
    Deleted
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)
    Update failed
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\fcrqhihc.dll.vir
    Infected with: Trojan.Otuboh.Gen
    Disinfection failed
    Deleted
C:\QooBox\Quarantine\C\WINDOWS\nsjytgzc.dll.vir
    Infected with: Trojan.Otuboh.Gen
    Disinfection failed
    Deleted
C:\RECYCLER\S-1-5-21-1341125938-1084467919-1090065079-1006\Dc1.exe
    Infected with: Trojan.VB.NMF
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP300\A0042206.dll
    Detected with: Application.Viewpoint.F
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP343\A0045895.dll
    Infected with: Trojan.Otuboh.Gen
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP343\A0045896.dll
    Infected with: Trojan.Otuboh.Gen
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)=>lzma_solid_nsis0004
    Detected with: Adware.Rotator.Gen
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)
    Update failed
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)=>lzma_solid_nsis0004
    Detected with: Adware.Fotomoto.Gen
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)
    Update failed
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)=>lzma_solid_nsis0005
    Detected with: Adware.Fotomoto.Gen
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe=>(NSIS o)=>lzma_nsis0005=>(NSIS o)
    Update failed
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0049480.dll
    Infected with: Backdoor.Agobot.PAI
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP347\A0050748.exe
    Infected with: Trojan.VB.NMF
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP349\A0050996.exe
    Infected with: Trojan.VB.NMF
    Disinfection failed
    Deleted


And this is the ComboFix log:


ComboFix 08-02.05.3 - Justin Gaines 2008-02-14 22:27:33.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.156 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Gaines\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\default.htm

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 11:10 . 2008-02-14 11:10 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-14 11:10 . 2008-02-14 13:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-12 20:05 . 2008-02-12 20:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-12 19:21 . 2004-08-10 04:00 388,608 --a------ C:\kmd.exe
2008-02-12 15:51 . 2008-02-12 17:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-02-12 15:50 . 2008-02-12 15:50 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-12 14:30 . 2008-02-12 14:30 <DIR> d-------- C:\Documents and Settings\Justin Gaines\Application Data\Malwarebytes
2008-02-12 14:30 . 2008-02-12 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-11 15:16 . 2008-02-11 15:16 <DIR> d-------- C:\Documents and Settings\Justin Gaines\Application Data\Grisoft
2008-02-10 23:29 . 2008-02-12 17:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:29 . 2008-02-12 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 21:40 . 2008-02-10 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:34 . 2008-02-10 18:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-09 20:18 . 2008-02-10 20:20 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-02-09 20:17 . 2008-02-14 11:05 <DIR> d-------- C:\WINDOWS\ggcpwmfh
2008-02-09 16:06 . 2008-02-09 16:06 54,764 --a------ C:\WINDOWS\system32\4fdw.dll
2008-02-09 15:17 . 2008-02-09 15:17 244 --ah----- C:\sqmnoopt06.sqm
2008-02-09 15:17 . 2008-02-09 15:17 232 --ah----- C:\sqmdata06.sqm
2008-02-09 15:16 . 2008-02-09 15:16 244 --ah----- C:\sqmnoopt05.sqm
2008-02-09 15:16 . 2008-02-09 15:16 232 --ah----- C:\sqmdata05.sqm
2008-02-09 15:09 . 2008-02-09 15:09 244 --ah----- C:\sqmnoopt04.sqm
2008-02-09 15:09 . 2008-02-09 15:09 244 --ah----- C:\sqmnoopt03.sqm
2008-02-09 15:09 . 2008-02-09 15:09 232 --ah----- C:\sqmdata04.sqm
2008-02-09 15:09 . 2008-02-09 15:09 232 --ah----- C:\sqmdata03.sqm
2008-02-09 14:27 . 2008-02-09 14:27 244 --ah----- C:\sqmnoopt02.sqm
2008-02-09 14:27 . 2008-02-09 14:27 232 --ah----- C:\sqmdata02.sqm
2008-02-09 14:06 . 2008-02-09 14:06 244 --ah----- C:\sqmnoopt01.sqm
2008-02-09 14:06 . 2008-02-09 14:06 232 --ah----- C:\sqmdata01.sqm
2008-01-18 20:43 . 2008-01-18 20:43 65,848 --a------ C:\Documents and Settings\Justin Gaines\g2ax_customer_downloadhelper_win32_x86.exe
2008-01-16 11:26 . 2008-01-16 11:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 03:34 --------- d-----w C:\Documents and Settings\Justin Gaines\Application Data\Skype
2008-02-10 02:56 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-09 19:58 --------- d-----w C:\Program Files\World of Warcraft
2008-02-01 18:35 --------- d-----w C:\Program Files\DIGStream
2008-01-30 06:13 --------- d-----w C:\Program Files\DivX
2008-01-19 03:04 --------- d-----w C:\Program Files\McAfee
2008-01-19 01:43 --------- d-----w C:\Program Files\Citrix
2008-01-16 16:26 --------- d-----w C:\Program Files\iTunes
2008-01-16 16:23 --------- d-----w C:\Program Files\QuickTime
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-09 11:18 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-08 17:59 --------- d-----w C:\Program Files\Game_Maker7
2007-12-26 21:37 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 02:21 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-12-07 02:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-07 02:21 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-07 02:21 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-07 02:21 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-12-07 02:21 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-07 02:21 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-12-07 02:21 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-12-07 02:21 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-07 02:21 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-12-07 02:21 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-07 02:21 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-12-07 02:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-12-07 02:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-12-07 02:21 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-12-07 02:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-12-07 02:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-12-07 02:21 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-12-07 02:21 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-12-07 02:21 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-12-07 02:21 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2007-11-08 05:16 88 --sh--r C:\WINDOWS\system32\18113F8536.sys
2007-11-08 05:16 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 01:28 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 19:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 19:50 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 14:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 15:05 1537696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-08 23:35 169984]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-06-13 21:58 167936]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-06-13 04:20 127036]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 00:04 321088]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49 86100]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 13:21 198184]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-06 19:09 166304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-08 23:22:56 24576]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32 81920]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-05-26 01:01:00 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll 2008-01-18 20:43 45368 C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-06 19:09]
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_service.exe" Start=service []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 04:00]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-06 19:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 20:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 06:29:36 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:55 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-14 06:58:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 22:34:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll
.
Completion time: 2008-02-14 22:38:31
ComboFix-quarantined-files.txt 2008-02-15 03:38:26
ComboFix2.txt 2008-02-13 00:33:19
ComboFix3.txt 2008-02-11 19:20:11
ComboFix4.txt 2008-02-11 03:41:05
ComboFix5.txt 2008-02-11 03:16:52
.
2008-02-13 08:07:00 --- E O F ---
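The BitDefender report above counts fifteen deletions, but almost every path sits in ComboFix's own quarantine (C:\QooBox\Quarantine), inside a System Restore snapshot (System Volume Information\_restore...) or in the Recycle Bin, that is, copies that were no longer able to run. The only hits on a live path are the members of an NSIS installer in C:\Downloads, and each of those is followed by "Update failed" on the enclosing container. The Python below is an added example, not part of this thread and not a BitDefender tool: it parses the report's path/status line pairs, groups each signature hit by where the outermost file lives, and carries the container's status through to the member inside it. The sample input is a constructed excerpt of the report above; reading "Update failed" on the container as "the installer on disk was not rewritten after its member was deleted" is my interpretation, not something the report itself states.

```python
"""Triage a BitDefender Online Scanner report.

Groups the report's path / status line pairs by path and sorts each detection by
where the file lives, so hits inside a quarantine folder or a System Restore
snapshot are not mistaken for an active infection.
"""

# Constructed excerpt of the report posted in this thread (same layout: a path
# line followed by one status line; members of an installer are chained with "=>").
SAMPLE_REPORT = r"""
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)=>lzma_solid_nsis0004
Detected with: Adware.Rotator.Gen
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)=>lzma_solid_nsis0004
Disinfection failed
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)=>lzma_solid_nsis0004
Deleted
C:\Downloads\setup.exe=>(NSIS o)=>lzma_nsis0004=>(NSIS o)
Update failed
C:\QooBox\Quarantine\C\WINDOWS\nsjytgzc.dll.vir
Infected with: Trojan.Otuboh.Gen
C:\QooBox\Quarantine\C\WINDOWS\nsjytgzc.dll.vir
Deleted
C:\RECYCLER\S-1-5-21-1341125938-1084467919-1090065079-1006\Dc1.exe
Infected with: Trojan.VB.NMF
C:\RECYCLER\S-1-5-21-1341125938-1084467919-1090065079-1006\Dc1.exe
Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0049480.dll
Infected with: Backdoor.Agobot.PAI
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0049480.dll
Deleted
"""

STATUS_PREFIXES = ("Detected with: ", "Infected with: ",
                   "Disinfection failed", "Deleted", "Update failed")


def parse_report(text):
    """Return {path: {"signature": name-or-None, "actions": [...]}} in report order."""
    entries = {}
    path = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(STATUS_PREFIXES):
            path = line                      # a path line opens a new pair
            continue
        if path is None:
            raise ValueError("status line without a preceding path: %r" % line)
        rec = entries.setdefault(path, {"signature": None, "actions": []})
        if line.startswith(("Detected with: ", "Infected with: ")):
            rec["signature"] = line.split(": ", 1)[1]
        else:
            rec["actions"].append(line)
    return entries


def classify(path):
    """Location of the *outermost* file decides how urgent a detection is."""
    outer = path.split("=>", 1)[0].lower()
    if "\\qoobox\\quarantine\\" in outer:
        return "quarantine"        # already neutralised by ComboFix
    if "\\system volume information\\_restore" in outer:
        return "restore-point"     # inert copy inside a System Restore snapshot
    if "\\recycler\\" in outer:
        return "recycle-bin"
    return "live"


def summarize(text):
    """Group signature hits by location as (path, signature, final status) tuples.

    Assumption (my reading, not BitDefender documentation): "Update failed" on
    the parent container means the installer on disk was not rewritten after
    the member was "Deleted", so the flagged component is still inside it.
    """
    entries = parse_report(text)
    groups = {"live": [], "quarantine": [], "restore-point": [], "recycle-bin": []}
    for path, rec in entries.items():
        if rec["signature"] is None:
            continue                          # container-only line, consulted below
        status = rec["actions"][-1] if rec["actions"] else "no action"
        if "=>" in path:
            parent = path.rsplit("=>", 1)[0]
            if "Update failed" in entries.get(parent, {}).get("actions", []):
                status += " (container not rewritten)"
        groups[classify(path)].append((path, rec["signature"], status))
    return groups


if __name__ == "__main__":
    for where, hits in summarize(SAMPLE_REPORT).items():
        print("%-14s %d" % (where, len(hits)))
        for path, sig, status in hits:
            print("   %s\n      %s -> %s" % (path, sig, status))
```

Run it on the full report and the "live" bucket is the only one worth acting on; the rest is history that a restore-point purge or emptying the quarantine will clear.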

#18 Wizard (Retired Staff)
Copy the text below to Notepad and save it to the desktop with the name CFScript.

File::
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\4fdw.dll
Folder::
C:\WINDOWS\ggcpwmfh

Once saved, drag CFScript.txt on top of ComboFix.exe; this will launch the tool and begin the script.

Once completed, post the new ComboFix log.
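The four entries in that CFScript are exactly the ones that stand out when the ComboFix "Files Created" listing is read with a few simple rules: a file with read-only, hidden and system attributes (-r-hs----) that carries the name of the Workstation service (wkssvc) but sits in C:\WINDOWS rather than system32; two new loose files in system32; and an eight-letter, vowel-less folder directly under C:\WINDOWS. The second ComboFix log in this thread adds a fifth signal, a system-start service (S1 4fdw) whose image is a bare DLL with an empty file stamp. The Python below is an added example, not part of this thread and not a ComboFix feature, that applies those checks to a constructed sample made of lines copied from this thread's logs. The list of core binary names, the "seven or more letters and no vowel" heuristic, the reading of an empty [] as "ComboFix found nothing to stamp", and the bare-DLL service rule are my assumptions.

```python
"""Triage helpers for a ComboFix log.

Flags entries in the "Files Created" listing and in the service list that
deserve a second look. Every flag carries a reason; they are heuristics, not
verdicts, and the reviewer is expected to dismiss false hits.
"""
import os
import re

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2008-02-08 16:34 . 2008-02-08 16:33 876,032 -r-hs---- C:\WINDOWS\wkssvc.exe
2008-02-12 19:21 . 2004-08-10 04:00 388,608 --a------ C:\kmd.exe
2008-02-10 18:34 . 2008-02-10 18:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-09 20:18 . 2008-02-10 20:20 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-02-09 20:17 . 2008-02-14 11:05 <DIR> d-------- C:\WINDOWS\ggcpwmfh
2008-02-09 16:06 . 2008-02-09 16:06 54,764 --a------ C:\WINDOWS\system32\4fdw.dll
2008-02-09 14:06 . 2008-02-09 14:06 232 --ah----- C:\sqmdata01.sqm
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 04:00]
"""

# "created . modified size attrs path"; attrs is a 9-slot field whose letters
# (d r a h s ...) mark directory, read-only, archive, hidden, system.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>.+?)\s*$")
# "R2 name;display;image [stamp]"; an empty stamp is read here as ComboFix
# having found no file to stamp (assumption about the tool's output).
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stamp>[^\]]*)\]\s*$")

SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")
# Core Windows binaries that belong in system32 (wkssvc is the Workstation service DLL).
SYSTEM32_NAMES = {"wkssvc", "svchost", "lsass", "csrss", "winlogon", "services", "smss"}
LOOSE_EXT = (".exe", ".dll", ".sys", ".bin", ".scr", ".com")


def looks_random(stem):
    """Heuristic (assumption): seven or more lowercase letters with no vowel reads
    as machine-generated (ggcpwmfh, nsjytgzc); real names such as wkssvc are
    shorter or contain a vowel."""
    return len(stem) >= 7 and stem.isalpha() and stem.islower() and not set(stem) & set("aeiouy")


def file_reasons(m):
    path, attrs = m.group("path"), m.group("attrs")
    parent, _, name = path.lower().rpartition("\\")
    stem, ext = os.path.splitext(name)
    is_dir = "d" in attrs
    reasons = []
    if not is_dir and "h" in attrs and "s" in attrs:
        reasons.append("hidden+system attributes (invisible in Explorer by default)")
    if stem in SYSTEM32_NAMES and parent != "c:\\windows\\system32":
        reasons.append("carries the name of a core Windows binary but sits outside system32")
    if not is_dir and parent in SYSTEM_DIRS and ext in LOOSE_EXT:
        reasons.append("new loose file dropped directly into a system directory")
    if parent == "c:\\windows" and looks_random(stem):
        reasons.append("random-looking name directly under C:\\WINDOWS")
    return path, reasons


def service_reasons(m):
    image = m.group("image").strip('"').lower()
    reasons = []
    if not m.group("stamp").strip():
        reasons.append("no file stamp: ComboFix found nothing to stamp at the image path")
    if image.endswith(".dll") and "\\drivers\\" not in image and "svchost" not in image:
        reasons.append("%s-start service whose image is a bare DLL, not hosted by svchost" % m.group("start"))
    return m.group("name"), reasons


def triage(text):
    """Return [(path-or-service-name, [reason, ...])] for entries worth review."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            key, reasons = file_reasons(m)
        else:
            m = SVC_RE.match(line)
            if not m:
                continue
            key, reasons = service_reasons(m)
        if reasons:
            flagged.append((key, reasons))
    return flagged


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG):
        print(key)
        for r in reasons:
            print("   -", r)
```

Note what the rules deliberately do not flag: C:\kmd.exe (a 388,608-byte file dated 2004-08-10, the same size and date as the XP SP2 cmd.exe, which ComboFix drops at the root) and the hidden-but-not-system sqm files. A heuristic that fires on those would train the reviewer to ignore its output. The service rule also shows why the CFScript alone is not the end of the job: the second log still lists S1 4fdw after 4fdw.dll was deleted, so the service key itself remains to be removed.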

#19 Komamura (Topic Starter)
OK, here is my new ComboFix log:

ComboFix 08-02.05.3 - Justin Gaines 2008-02-15 12:35:23.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Gaines\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin Gaines\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\wkssvc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\4fdw.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\ggcpwmfh
C:\WINDOWS\ggcpwmfh\1.png
C:\WINDOWS\ggcpwmfh\2.png
C:\WINDOWS\ggcpwmfh\3.png
C:\WINDOWS\ggcpwmfh\4.png
C:\WINDOWS\ggcpwmfh\5.png
C:\WINDOWS\ggcpwmfh\6.png
C:\WINDOWS\ggcpwmfh\7.png
C:\WINDOWS\ggcpwmfh\8.png
C:\WINDOWS\ggcpwmfh\9.png
C:\WINDOWS\ggcpwmfh\bottom-rc.gif
C:\WINDOWS\ggcpwmfh\config.png
C:\WINDOWS\ggcpwmfh\content.png
C:\WINDOWS\ggcpwmfh\download.gif
C:\WINDOWS\ggcpwmfh\frame-bg.gif
C:\WINDOWS\ggcpwmfh\frame-bottom-left.gif
C:\WINDOWS\ggcpwmfh\frame-h1bg.gif
C:\WINDOWS\ggcpwmfh\head.png
C:\WINDOWS\ggcpwmfh\icon.png
C:\WINDOWS\ggcpwmfh\indexwp.html
C:\WINDOWS\ggcpwmfh\main.css
C:\WINDOWS\ggcpwmfh\memory-prots.png
C:\WINDOWS\ggcpwmfh\net.png
C:\WINDOWS\ggcpwmfh\pc-mag.gif
C:\WINDOWS\ggcpwmfh\pc.gif
C:\WINDOWS\ggcpwmfh\poloska1.png
C:\WINDOWS\ggcpwmfh\poloska2.png
C:\WINDOWS\ggcpwmfh\poloska3.png
C:\WINDOWS\ggcpwmfh\reg.png
C:\WINDOWS\ggcpwmfh\repair.png
C:\WINDOWS\ggcpwmfh\scr-1.png
C:\WINDOWS\ggcpwmfh\scr-2.png
C:\WINDOWS\ggcpwmfh\start.png
C:\WINDOWS\ggcpwmfh\styles.css
C:\WINDOWS\ggcpwmfh\Thumbs.db
C:\WINDOWS\ggcpwmfh\top-rc.gif
C:\WINDOWS\ggcpwmfh\vline.gif
C:\WINDOWS\ggcpwmfh\wp.png
C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\winfrun32.bin

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 22:26 . 2004-08-10 04:00 388,608 --a------ C:\kmd.exe
2008-02-14 11:10 . 2008-02-14 13:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-12 20:05 . 2008-02-12 20:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-12 15:51 . 2008-02-12 17:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-02-12 15:50 . 2008-02-12 15:50 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-12 14:30 . 2008-02-12 14:30 <DIR> d-------- C:\Documents and Settings\Justin Gaines\Application Data\Malwarebytes
2008-02-12 14:30 . 2008-02-12 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-11 15:16 . 2008-02-11 15:16 <DIR> d-------- C:\Documents and Settings\Justin Gaines\Application Data\Grisoft
2008-02-10 23:29 . 2008-02-12 17:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:29 . 2008-02-12 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 21:40 . 2008-02-10 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:34 . 2008-02-10 18:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-09 15:17 . 2008-02-09 15:17 244 --ah----- C:\sqmnoopt06.sqm
2008-02-09 15:17 . 2008-02-09 15:17 232 --ah----- C:\sqmdata06.sqm
2008-02-09 15:16 . 2008-02-09 15:16 244 --ah----- C:\sqmnoopt05.sqm
2008-02-09 15:16 . 2008-02-09 15:16 232 --ah----- C:\sqmdata05.sqm
2008-02-09 15:09 . 2008-02-09 15:09 244 --ah----- C:\sqmnoopt04.sqm
2008-02-09 15:09 . 2008-02-09 15:09 244 --ah----- C:\sqmnoopt03.sqm
2008-02-09 15:09 . 2008-02-09 15:09 232 --ah----- C:\sqmdata04.sqm
2008-02-09 15:09 . 2008-02-09 15:09 232 --ah----- C:\sqmdata03.sqm
2008-02-09 14:27 . 2008-02-09 14:27 244 --ah----- C:\sqmnoopt02.sqm
2008-02-09 14:27 . 2008-02-09 14:27 232 --ah----- C:\sqmdata02.sqm
2008-02-09 14:06 . 2008-02-09 14:06 244 --ah----- C:\sqmnoopt01.sqm
2008-02-09 14:06 . 2008-02-09 14:06 232 --ah----- C:\sqmdata01.sqm
2008-01-18 20:43 . 2008-01-18 20:43 65,848 --a------ C:\Documents and Settings\Justin Gaines\g2ax_customer_downloadhelper_win32_x86.exe
2008-01-16 11:26 . 2008-01-16 11:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 17:41 --------- d-----w C:\Documents and Settings\Justin Gaines\Application Data\Skype
2008-02-10 02:56 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-09 19:58 --------- d-----w C:\Program Files\World of Warcraft
2008-02-01 18:35 --------- d-----w C:\Program Files\DIGStream
2008-01-30 06:13 --------- d-----w C:\Program Files\DivX
2008-01-19 03:04 --------- d-----w C:\Program Files\McAfee
2008-01-19 01:43 --------- d-----w C:\Program Files\Citrix
2008-01-16 16:26 --------- d-----w C:\Program Files\iTunes
2008-01-16 16:23 --------- d-----w C:\Program Files\QuickTime
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-08 17:59 --------- d-----w C:\Program Files\Game_Maker7
2007-12-26 21:37 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2007-11-08 05:16 88 --sh--r C:\WINDOWS\system32\18113F8536.sys
2007-11-08 05:16 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 01:28 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 19:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 19:50 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 14:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 15:05 1537696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-08 23:35 169984]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-06-13 21:58 167936]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-06-13 04:20 127036]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 00:04 321088]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49 86100]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 13:21 198184]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-06 19:09 166304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-10 04:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-08 23:22:56 24576]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32 81920]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-05-26 01:01:00 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll 2008-01-18 20:43 45368 C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-06 19:09]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_service.exe" Start=service []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 04:00]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-06 19:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 20:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-15 06:28:03 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:55 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-15 17:46:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 12:47:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopDeskbar2.dll
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopHyper.dll
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopResources_en.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-15 12:58:22 - machine was rebooted [Justin Gaines]
ComboFix-quarantined-files.txt 2008-02-15 17:58:16
ComboFix2.txt 2008-02-15 03:38:32
ComboFix3.txt 2008-02-13 00:33:19
ComboFix4.txt 2008-02-11 19:20:11
ComboFix5.txt 2008-02-11 03:41:05
.
2008-02-13 08:07:00 --- E O F ---
  • 0

#20
Wizard
    Retired Staff
  • 5,661 posts
Looks like ComboFix may have burped along the way, so for safety's sake, I'm gonna use a script for a simple process just to be sure we don't leave behind any leftovers.

Copy the text below to Notepad and save it to the desktop with the name CFScript

Driver::
4fdw

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.

Once completed, post the new ComboFix log.

After posting the new log, please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

  • 0
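As an added example (not code from this thread or from ComboFix), here is a small triage helper that parses the service lines ComboFix prints under "Reg Loading Points" and scores them with a few review heuristics of my own; the sample lines are copied from the log above, where the 4fdw entry with the empty `[]` is the one the Driver:: script removes. The scoring and the heuristic names are this example's assumptions, not ComboFix's logic.

```python
"""Triage of the service/driver lines in a ComboFix log (added example).

Not code from the thread or from ComboFix. It parses the
'R2 name;display;path [date time]' lines that ComboFix prints under
'Reg Loading Points' and attaches review reasons to each entry.
The heuristics are this example's own and are hints for an analyst,
not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: five service lines copied from the ComboFix log
# posted in this thread.
SAMPLE_LOG = r"""
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_service.exe" Start=service []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 04:00]
"""

# ComboFix convention: R = running, S = stopped; the digit is the service
# start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
LINE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+'
    r'(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>"[^"]*"|\S+)'      # quoted path, or a path without spaces
    r'(?P<extra>[^\[]*)'          # trailing tokens such as ' Start=service'
    r'\[(?P<meta>[^\]]*)\]\s*$'   # '[date time]' or '[]' when no file info was recorded
)


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    metadata: str
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Return a ServiceEntry for every line in the ComboFix service format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            running=m['state'] == 'R',
            start_type=int(m['start']),
            name=m['name'].strip(),
            display=m['display'].strip(),
            path=m['path'].strip('"'),
            metadata=m['meta'].strip(),
        ))
    return entries


def score_entry(entry):
    """Attach review reasons to an entry; more reasons = look at it first.

    A legitimate service can trip a single heuristic (the Citrix support
    service in the sample does), so the analyst still decides.
    """
    entry.reasons = []
    if not entry.metadata:
        entry.reasons.append('no file date/size recorded for the binary')
    if entry.start_type <= 1 and not entry.path.lower().endswith('.sys'):
        entry.reasons.append('boot/system start type but binary is not a .sys driver')
    if re.fullmatch(r'[A-Za-z0-9]{3,5}', entry.name) and entry.name == entry.display:
        entry.reasons.append('short name used verbatim as the display name')
    return entry


def triage(text):
    """Parse and score the log; return flagged entries, most reasons first."""
    scored = [score_entry(e) for e in parse_services(text)]
    flagged = [e for e in scored if e.reasons]
    flagged.sort(key=lambda e: -len(e.reasons))
    return flagged


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        state = 'running' if e.running else 'stopped'
        print(f"{e.name} ({state}, start type {e.start_type}): {e.path}")
        for reason in e.reasons:
            print('   -', reason)
```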

#21
Komamura
    Member
  • Topic Starter
  • 19 posts
Here is the new ComboFix log

ComboFix 08-02-16.2 - Justin Gaines 2008-02-16 5:47:19.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.516 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Gaines\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin Gaines\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 22:59 . 2004-08-10 04:00 388,608 --a------ C:\kmd.exe
2008-02-14 11:10 . 2008-02-14 13:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-12 20:05 . 2008-02-12 20:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-12 15:51 . 2008-02-12 17:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-02-12 15:50 . 2008-02-12 15:50 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-12 14:30 . 2008-02-12 14:30 <DIR> d-------- C:\Documents and Settings\Justin Gaines\Application Data\Malwarebytes
2008-02-12 14:30 . 2008-02-12 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-11 15:16 . 2008-02-11 15:16 <DIR> d-------- C:\Documents and Settings\Justin Gaines\Application Data\Grisoft
2008-02-10 23:29 . 2008-02-12 17:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:29 . 2008-02-12 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 21:40 . 2008-02-10 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:34 . 2008-02-10 18:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-09 15:17 . 2008-02-09 15:17 244 --ah----- C:\sqmnoopt06.sqm
2008-02-09 15:17 . 2008-02-09 15:17 232 --ah----- C:\sqmdata06.sqm
2008-02-09 15:16 . 2008-02-09 15:16 244 --ah----- C:\sqmnoopt05.sqm
2008-02-09 15:16 . 2008-02-09 15:16 232 --ah----- C:\sqmdata05.sqm
2008-02-09 15:09 . 2008-02-09 15:09 244 --ah----- C:\sqmnoopt04.sqm
2008-02-09 15:09 . 2008-02-09 15:09 244 --ah----- C:\sqmnoopt03.sqm
2008-02-09 15:09 . 2008-02-09 15:09 232 --ah----- C:\sqmdata04.sqm
2008-02-09 15:09 . 2008-02-09 15:09 232 --ah----- C:\sqmdata03.sqm
2008-02-09 14:27 . 2008-02-09 14:27 244 --ah----- C:\sqmnoopt02.sqm
2008-02-09 14:27 . 2008-02-09 14:27 232 --ah----- C:\sqmdata02.sqm
2008-02-09 14:06 . 2008-02-09 14:06 244 --ah----- C:\sqmnoopt01.sqm
2008-02-09 14:06 . 2008-02-09 14:06 232 --ah----- C:\sqmdata01.sqm
2008-01-18 20:43 . 2008-01-18 20:43 65,848 --a------ C:\Documents and Settings\Justin Gaines\g2ax_customer_downloadhelper_win32_x86.exe
2008-01-16 11:26 . 2008-01-16 11:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 10:52 --------- d-----w C:\Documents and Settings\Justin Gaines\Application Data\Skype
2008-02-10 02:56 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-09 19:58 --------- d-----w C:\Program Files\World of Warcraft
2008-02-01 18:35 --------- d-----w C:\Program Files\DIGStream
2008-01-30 06:13 --------- d-----w C:\Program Files\DivX
2008-01-19 03:04 --------- d-----w C:\Program Files\McAfee
2008-01-19 01:43 --------- d-----w C:\Program Files\Citrix
2008-01-16 16:26 --------- d-----w C:\Program Files\iTunes
2008-01-16 16:23 --------- d-----w C:\Program Files\QuickTime
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-08 17:59 --------- d-----w C:\Program Files\Game_Maker7
2007-12-26 21:37 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2007-11-08 05:16 88 --sh--r C:\WINDOWS\system32\18113F8536.sys
2007-11-08 05:16 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 01:28 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 19:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 19:50 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 14:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 15:05 1537696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-08 23:35 169984]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-06-13 21:58 167936]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-06-13 04:20 127036]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 00:04 321088]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49 86100]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 13:21 198184]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-06 19:09 166304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-10 04:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-08 23:22:56 24576]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32 81920]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-05-26 01:01:00 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll 2008-01-18 20:43 45368 C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-06 19:09]
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_service.exe" Start=service []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 04:00]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-06 19:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 20:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-15 06:28:03 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:55 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-16 17:26:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 12:27:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\48\g2ax_winlogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-02-16 12:32:53 - machine was rebooted [Justin Gaines]
ComboFix-quarantined-files.txt 2008-02-16 17:32:48
ComboFix2.txt 2008-02-15 17:58:22
ComboFix3.txt 2008-02-15 03:38:32
ComboFix4.txt 2008-02-13 00:33:19
ComboFix5.txt 2008-02-11 19:20:11
.
2008-02-13 08:07:00 --- E O F ---
  • 0

#22
Komamura
    Member
  • Topic Starter
  • 19 posts
D= I've tried to run the scan a few times. It gets about halfway through and then tells me that I've run out of memory and need to close some programs. The problem is IE is the only program that's running
  • 0

#23
Wizard
    Retired Staff
  • 5,661 posts
Try this one and tell me what happens please.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#24
Komamura
    Member
  • Topic Starter
  • 19 posts
OK, this one worked

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 19, 2008 1:09:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 572594
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 195935
Number of viruses found: 7
Number of infected objects: 21
Number of suspicious objects: 12
Duration of the scan process: 04:04:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{5BC28881-D3B3-419D-A620-A661029AFA46}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02102008-183523.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\Log\logfile.nmsrvc_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak11.zip/kvnab.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak17.zip/hcwprn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak17.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak37.zip/hcwprn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak37.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/msole32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\ddoctorv2\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Carolyn Gaines\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\Carolyn Gaines\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\cert8.db Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\history.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\key3.db Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\parent.lock Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\call256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chat1024.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chat2048.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chat512.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg16384.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg32768.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\index2.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\user1024.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\user16384.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\user256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Application Data\Skype\komamura_sajin\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\AOL OCP\AIM\Storage\data\dragonfyir\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_80D8_907C_D890_71E0\dfsr.db Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_80D8_907C_D890_71E0\fsr.log Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_80D8_907C_D890_71E0\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_80D8_907C_D890_71E0\tmp.edb Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Application Data\Mozilla\Firefox\Profiles\qk6ej33n.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Temp\~DF91F5.tmp Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Temp\~DF920E.tmp Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Temp\~DFE847.tmp Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Temp\~DFE85A.tmp Object is locked skipped
C:\Documents and Settings\Justin Gaines\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin Gaines\My Documents\My Music\iTunes 1\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Justin Gaines\My Documents\My Music\[[ fingertips-14 14.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Justin Gaines\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Justin Gaines\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kenneth Gaines\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\Kenneth Gaines\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Zune\ZuneNSSStore.sdf Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\setup.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\Downloads\setup.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\Downloads\setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\Downloads\setup.exe/data0006/stream/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Downloads\setup.exe/data0006/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Downloads\setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Downloads\setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Downloads\setup.exe NSIS: infected - 7 skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-15_124744.34.zip/4fdw.dll Infected: Trojan.Win32.Agent.fcn skipped
C:\QooBox\Quarantine\catchme2008-02-15_124744.34.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0006/stream/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0006/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe/data0006 Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0046387.exe NSIS: infected - 7 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP346\A0049496.dll Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP347\A0050747.dll Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP354\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CC136143-031E-4AAE-81C5-82B94336CDFE}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETED0F.tmp Object is locked skipped
C:\WINDOWS\Temp\mcafee_A5PgWVQ8WnPvy3o Object is locked skipped
C:\WINDOWS\Temp\mcmsc_GEAZCLiTzgVIxc9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_oSp40JDcHU3dQMv Object is locked skipped
C:\WINDOWS\Temp\mcmsc_QlerFeGtpEFHvIC Object is locked skipped
C:\WINDOWS\Temp\mcmsc_sznB1FGPagtW6XB Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_924.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_960.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_a18.dat Object is locked skipped
C:\WINDOWS\Temp\~ROMFN_00000AA8 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

#25
Wizard (Retired Staff, 5,661 posts)
Delete these 2 please:

C:\Downloads\setup.exe
C:\Documents and Settings\Justin Gaines\My Documents\My Music\[[ fingertips-14 14.wma

Now we need to reset System Restore and Clear out all the old infected restore points.

  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.

How is the machine running today?
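The System Restore reset described in the post above, scripted as an added example (this is not part of the original thread and not the helper's own instructions). Windows exposes the same operations the System Properties dialog performs through the SystemRestore WMI class in the root\default namespace, which exists on Windows XP and later client editions. Assumptions: the system drive is C:\, the script runs in an administrator PowerShell session, and the restore point description is an arbitrary label chosen here.

```powershell
# Added example, not from the original post: reset System Restore so that
# every old (possibly infected) restore point is discarded and a fresh,
# known-clean one is created. Equivalent to: turn off System Restore,
# apply, turn it back on, apply.
#
# Assumptions: run elevated; system drive is C:\ (adjust $drive if not).
$drive = 'C:\'
$sr = [wmiclass] '\\.\root\default:SystemRestore'

# Show what is there now (the scanner flagged files under
# System Volume Information\_restore{...}\RP346 and RP347).
Write-Host "Restore points before reset:"
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize

# 1. Disable System Restore on the drive. This purges all restore points
#    on it, which is the whole point of the procedure: infected copies
#    kept inside RP* folders cannot be cleaned any other way.
$rc = $sr.Disable($drive)
if ($rc.ReturnValue -ne 0) { throw "Disable failed, return code $($rc.ReturnValue)" }

# 2. Re-enable it. The second argument asks WMI to block until the
#    service reports that protection is active again.
$rc = $sr.Enable($drive, $true)
if ($rc.ReturnValue -ne 0) { throw "Enable failed, return code $($rc.ReturnValue)" }

# 3. Create a new baseline point so there is something clean to roll back to.
#    RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint('Post-malware-cleanup baseline', 0, 100)
if ($rc.ReturnValue -ne 0) { throw "CreateRestorePoint failed, return code $($rc.ReturnValue)" }

# 4. Verify: only the new point should be listed.
Write-Host "Restore points after reset:"
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
```

Do this only after the active infection has been removed, as the helper's ordering implies: disabling System Restore throws away every rollback point, so a machine that is still infected loses its last clean snapshot for nothing. On Windows 7 and later the Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer cmdlets wrap this same WMI class and can replace the three method calls.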

#26
Komamura (Topic Starter, Member, 19 posts)
Done XD, and the computer is running great. No bugs or mucky pop-ups.

#27
Wizard (Retired Staff, 5,661 posts)
Very nice to hear someone's computer is acting better today. :)

Some ideas for you to raise your level of computer security.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any of its applications, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft...ty/current.aspx

Office downloads
http://office.micros...te/default.aspx

Download Center
http://www.microsoft...ads/search.aspx

Microsoft Security Advisories
http://www.microsoft...ry/default.mspx

Recently Published
http://www.microsoft...nt/default.mspx

Programs that may help you in keeping the PC clean

MalwareBytes Anti-Malware can be found Here or Here
  • The full version provides a degree of real-time protection along with other solutions against spyware that is a great addition to any computer.
  • The free version can be updated and used for scanning your computer weekly for new malware.
ERUNT(The Emergency Recovery Utility for NT) can be found Here or Here
  • You can use this utility as a primary registry backup utility, apart from System Restore.
  • Two methods of registry backup (System Restore and ERUNT) are often recommended.
  • Detailed usage can be found Here
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://forum.malware...pic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software, it will not be able to catch any of the new variants that may come out.

Use a Firewall

I cannot stress enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For an article on firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://forum.malware...pic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingc....com/tutorials/

Finally, after following up on all these recommendations, run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-to...rowserSecurity/

Other Security checks and more sites relating to computer security are listed below, take the time to visit these when you have time.
Symantec Security Check
Gibson Research Corporation Home Page (Look for the Hot Spots Section)
McAfee SiteAdvisor
LinkScanner
GFI Email Security Testing Zone