Msn Messenger signing out sending ppl links to a virus.[Hijack this lo



#16 chung (Member, Topic Starter, 22 posts)
Results from the first scan below. The 2nd scan will be run shortly.


SDFix: Version 1.152

Run by Mark S Chung on Tue 03/04/2008 at 11:13 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 11:21:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ae206d]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:6db77a22
"s2"=dword:42fa9aa9
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:43,1a,2e,48,28,43,7c,b5,0b,1a,14,cc,90,c9,a1,e1,4e,b9,93,50,ef,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060ae206d]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:43,1a,2e,48,28,43,7c,b5,0b,1a,14,cc,90,c9,a1,e1,4e,b9,93,50,ef,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\Microsoft Games\\Halo\\halo.exe"="D:\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\LimeWire\\LimeWire Pro.exe"="C:\\Program Files\\LimeWire\\LimeWire Pro.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 4 Aug 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 3 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 4 Mar 2008 20,222,992 A..H. --- "C:\Documents and Settings\Mark S Chung\Local Settings\Temp\BIT3.tmp"
Sat 1 Mar 2008 2,585,864 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a2c8f709dd0237a7e496be18e0ba404e\BIT2E.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Mark S Chung\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
#17 chung (Member, Topic Starter, 22 posts)
IceSword failed: error code 1.

#18 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Do this instead

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present, like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.



  • Click on Start, then click on Run.
  • Copy and paste the following (in bold) into the Open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up the DSS configuration.
  • Click on Check All.
  • Click Scan.
  • DSS will now run again. When finished, please post back both logs that open in Notepad: main.txt and extra.txt.

#19 chung (Member, Topic Starter, 22 posts)
03/04/08 12:32:48 [Info]: BlackLight Engine 1.0.67 initialized
03/04/08 12:32:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/04/08 12:32:48 [Note]: 7019 4
03/04/08 12:32:48 [Note]: 7005 0
03/04/08 12:33:12 [Note]: 7006 0
03/04/08 12:33:12 [Note]: 7022 0
03/04/08 12:33:12 [Note]: 7011 668
03/04/08 12:33:12 [Note]: 7026 0
03/04/08 12:33:12 [Note]: 7026 0
03/04/08 12:33:14 [Note]: FSRAW library version 1.7.1024
03/04/08 12:42:56 [Note]: 7006 0
03/04/08 12:42:56 [Note]: 7022 0
03/04/08 12:42:56 [Note]: 7011 668
03/04/08 12:42:56 [Note]: 7026 0
03/04/08 12:42:56 [Note]: 7026 0
03/04/08 12:42:58 [Note]: FSRAW library version 1.7.1024

#20 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Leave the DSS step; do this instead.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#21 chung (Member, Topic Starter, 22 posts)
Ignore that attachment... sorry.

ComboFix is still freezing.

Edited by chung, 04 March 2008 - 01:03 PM.


#22 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Try running ComboFix in normal mode.

Are you sure your MSN is still sending things to people?

#23 chung (Member, Topic Starter, 22 posts)
I'm sure that it is... people are still seeing messages from me.

Trying ComboFix again.

Edited by chung, 05 March 2008 - 09:24 AM.


#24 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Sorry, I meant to say: try ComboFix in Safe Mode if Normal Mode fails.

#25 chung (Member, Topic Starter, 22 posts)
Finally, it works. :)


ComboFix 08-03-04.5 - Mark S Chung 2008-03-05 13:11:13.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.873 [GMT -8:00]
Running from: C:\Documents and Settings\Mark S Chung\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-04 11:11 . 2008-03-04 11:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-03 22:08 . 2008-03-03 22:08 <DIR> d-------- C:\Documents and Settings\Mark S Chung\Application Data\Sharp
2008-03-03 22:08 . 2008-03-03 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-03-03 22:08 . 2008-03-03 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-03-03 17:42 . 2008-03-03 17:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 17:42 . 2008-03-03 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-02 12:01 . 2008-03-02 12:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 11:00 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-01 11:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-01 11:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-01 11:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-01 11:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-27 01:14 . 2008-02-27 01:14 1,693 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq nx6110 (PZ891UA#ABA)_YN_0U_QCNU6030JJH_EU_46_I3088_SHP_VKBC Version 39.1E_B68DTD Ver. F.0C_T051121_WXP2_L409_M1272_J40_7Intel_8Pentium M_90.8_#080109_N14E4170C_(PZ891UA#ABA)_XMOBILE_CN10.MRK
2008-02-27 01:03 . 2004-11-08 06:10 127,744 -ra------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-23 23:24 . 2008-02-23 23:24 <DIR> d-------- C:\Documents and Settings\Mark S Chung\WINDOWS
2008-02-23 22:57 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-23 22:57 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-17 00:50 . 2008-02-17 00:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Symantec
2008-02-17 00:02 . 2008-02-17 00:02 <DIR> d-------- C:\Program Files\SymNetDrv
2008-02-16 23:39 . 2008-02-28 17:59 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-16 23:39 . 2003-11-21 08:07 82,984 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-16 23:39 . 2003-11-21 08:07 82,136 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-16 20:25 . 2008-02-16 20:25 244 --ah----- C:\sqmnoopt19.sqm
2008-02-16 20:25 . 2008-02-16 20:25 232 --ah----- C:\sqmdata19.sqm
2008-02-16 00:03 . 2008-02-16 00:03 244 --ah----- C:\sqmnoopt18.sqm
2008-02-16 00:03 . 2008-02-16 00:03 232 --ah----- C:\sqmdata18.sqm
2008-02-15 15:15 . 2008-02-15 15:15 244 --ah----- C:\sqmnoopt17.sqm
2008-02-15 15:15 . 2008-02-15 15:15 232 --ah----- C:\sqmdata17.sqm
2008-02-15 00:23 . 2008-02-15 00:23 244 --ah----- C:\sqmnoopt16.sqm
2008-02-15 00:23 . 2008-02-15 00:23 232 --ah----- C:\sqmdata16.sqm
2008-02-13 22:49 . 2008-02-13 22:49 244 --ah----- C:\sqmnoopt15.sqm
2008-02-13 22:49 . 2008-02-13 22:49 232 --ah----- C:\sqmdata15.sqm
2008-02-12 00:26 . 2008-02-12 00:26 244 --ah----- C:\sqmnoopt14.sqm
2008-02-12 00:26 . 2008-02-12 00:26 232 --ah----- C:\sqmdata14.sqm
2008-02-11 20:14 . 2008-02-11 20:14 244 --ah----- C:\sqmnoopt13.sqm
2008-02-11 20:14 . 2008-02-11 20:14 232 --ah----- C:\sqmdata13.sqm
2008-02-11 17:00 . 2008-02-11 17:00 244 --ah----- C:\sqmnoopt12.sqm
2008-02-11 17:00 . 2008-02-11 17:00 232 --ah----- C:\sqmdata12.sqm
2008-02-10 23:53 . 2008-02-10 23:53 244 --ah----- C:\sqmnoopt11.sqm
2008-02-10 23:53 . 2008-02-10 23:53 232 --ah----- C:\sqmdata11.sqm
2008-02-10 23:08 . 2008-02-10 23:08 244 --ah----- C:\sqmnoopt10.sqm
2008-02-10 23:08 . 2008-02-10 23:08 232 --ah----- C:\sqmdata10.sqm
2008-02-10 02:47 . 2008-02-10 02:47 244 --ah----- C:\sqmnoopt09.sqm
2008-02-10 02:47 . 2008-02-10 02:47 232 --ah----- C:\sqmdata09.sqm
2008-02-09 23:02 . 2008-02-09 23:02 244 --ah----- C:\sqmnoopt08.sqm
2008-02-09 23:02 . 2008-02-09 23:02 232 --ah----- C:\sqmdata08.sqm
2008-02-09 00:17 . 2008-02-09 00:17 244 --ah----- C:\sqmnoopt07.sqm
2008-02-09 00:17 . 2008-02-09 00:17 232 --ah----- C:\sqmdata07.sqm
2008-02-08 16:59 . 2008-02-08 16:59 244 --ah----- C:\sqmnoopt06.sqm
2008-02-08 16:59 . 2008-02-08 16:59 232 --ah----- C:\sqmdata06.sqm
2008-02-08 16:12 . 2008-03-03 16:16 244 --ah----- C:\sqmnoopt05.sqm
2008-02-08 16:12 . 2008-03-03 16:16 232 --ah----- C:\sqmdata05.sqm
2008-02-08 12:50 . 2008-02-08 11:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 12:50 . 2008-02-08 12:50 3,459 --a------ C:\WINDOWS\unins000.dat
2008-02-07 23:34 . 2008-02-29 13:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-07 23:34 . 2008-02-29 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 20:03 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\Azureus
2008-03-03 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-03 07:47 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-27 09:17 --------- d-----w C:\Program Files\InterVideo
2008-02-27 09:14 1,693 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq nx6110 (PZ891UA#ABA)_YN_0U_QCNU6030JJH_EU_46_I3088_SHP_VKBC Version 39.1E_B68DTD Ver. F.0C_T051121_WXP2_L409_M1272_J40_7Intel_8Pentium M_90.8_#080109_N14E4170C_(PZ891UA#ABA)_XMOBILE_CN10.MRK
2008-02-27 09:12 --------- d-----w C:\Program Files\HPQ
2008-02-27 09:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 08:02 --------- d-----w C:\Program Files\Symantec
2008-02-17 07:43 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\LimeWire
2008-02-17 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-14 00:37 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\U3
2008-01-20 07:07 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\dvdcss
2008-01-17 20:38 --------- d-----w C:\Program Files\LimeWire
2008-01-15 06:55 --------- d-----w C:\Program Files\Winamp
2008-01-15 06:48 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-01-15 00:32 67,584 ----a-w C:\WINDOWS\system32\xanalyze.dll
2008-01-15 00:32 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-01-11 02:09 --------- d-----w C:\Program Files\Azureus
2008-01-11 01:12 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-11 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-10 03:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 01:38 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\Roxio
2008-01-10 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-10 00:27 2,320,640 ----a-w C:\WINDOWS\system32\TUKernel.exe
2008-01-10 00:21 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\TuneUp Software
2008-01-09 23:16 --------- d-----w C:\Program Files\Microsoft Works
2008-01-09 23:14 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-09 23:03 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 22:58 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-09 22:55 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\InterVideo
2008-01-09 22:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-09 22:34 --------- d-----w C:\Program Files\VideoLAN
2008-01-09 22:34 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\vlc
2008-01-09 22:33 --------- d-----w C:\Program Files\XP Codec Pack
2008-01-09 22:33 --------- d-----w C:\Program Files\Illustrate
2008-01-09 22:30 --------- d-----w C:\Program Files\IZArc
2008-01-09 22:20 --------- d-----w C:\Program Files\Roxio
2008-01-09 22:20 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-09 22:16 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\Symantec
2008-01-09 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\hpqwmi
2008-01-09 22:00 --------- d-----w C:\Program Files\Intel
2008-01-09 21:52 --------- d-----w C:\Program Files\Windows Media Connect
2008-01-09 21:50 --------- d-----w C:\Program Files\Java
2008-01-09 21:50 --------- d-----w C:\Program Files\HP Accessories Product Tour
2008-01-09 21:50 --------- d-----w C:\Program Files\Common Files\Java
2008-01-09 21:40 --------- d-----w C:\Program Files\Synaptics
2008-01-09 21:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-09 21:39 --------- d-----w C:\Program Files\Broadcom
2008-01-09 21:38 --------- d-----w C:\Program Files\Analog Devices
2008-01-09 21:29 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41 860160]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-04-08 11:08 73728]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 03:50 729178]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 02:32 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 02:29 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 02:32 114688]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-09-07 16:28 213054]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2008-01-09 13:50 36972]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 10:59 794624]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-03-09 14:54 184320]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22 35328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 15:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45 71280]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-17 00:02 95960]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 03:20 88363 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-01-09 13:53:27 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\LimeWire\\LimeWire Pro.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 15:56]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cmo_bus.sys [2005-08-16 17:59]
S3 cmo_mdfl;Data Modem @ CDMA Filter;C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys [2005-08-16 18:02]
S3 cmo_mdm;Data Modem @ CDMA Drivers;C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys [2005-08-16 18:02]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09e294a5-caaa-11dc-acb6-0014a56f13af}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef1313a7-c950-11dc-acb0-0014a56f13af}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 21:06:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 13:12:45


Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?8?4?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 13:13:15

Edited by chung, 05 March 2008 - 12:33 PM.

#26 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09e294a5-caaa-11dc-acb6-0014a56f13af}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef1313a7-c950-11dc-acb0-0014a56f13af}]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

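As an added example (not code from this thread, from ComboFix, or from sUBs' tools), the Python below triages a ComboFix-style "Reg Loading Points" section like the one in post #25: it flags MountPoints2 keys carrying Shell\Auto or Shell\AutoRun commands (the removable-drive autorun persistence post #26 removes), a disabled Windows Firewall, and suppressed Security Center monitoring, then emits a CFScript Registry:: block in the [-KEY] syntax used in post #26. The log excerpt, its GUIDs and the file names in it are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The GUIDs and commands are invented for this example, not taken from a real machine.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99999999-8888-7777-6666-555555555555}]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints MountPoints2 shell verbs as "\Shell\<verb>\command - <command line>"
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.+)$')


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name or 'Shell\\<verb>': data}} for the section."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None or not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            keys[current]["Shell\\" + m.group("verb")] = m.group("cmd")
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("val")
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the settings a cleanup helper checks first in this section."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        # MountPoints2 caches per-volume shell verbs. Auto/AutoRun commands here mean a
        # drive was opened whose autorun.inf launches an executable; a key with no
        # command lines is just a remembered volume and is left alone.
        if "\\mountpoints2\\" in k:
            for name, cmd in values.items():
                if name.lower().startswith("shell\\"):
                    findings.append(f"autorun persistence: {key} {name} -> {cmd}")
        elif k.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(f"firewall disabled: {key}")
        elif "\\security center\\monitoring\\" in k:
            if values.get("DisableMonitoring", "").endswith("00000001"):
                findings.append(f"security center monitoring disabled: {key}")
        elif k.endswith("\\security center"):
            if values.get("UpdatesDisableNotify", "").endswith("00000001"):
                findings.append(f"update notifications disabled: {key}")
    return findings


def cfscript_for_autorun_keys(keys: Dict[str, Dict[str, str]]) -> str:
    """Build the CFScript 'Registry::' block from the thread: one [-KEY] line per
    MountPoints2 key carrying a Shell command, which tells ComboFix to delete the key.
    Returns "" when there is nothing to remove."""
    targets = [
        key for key, values in keys.items()
        if "\\mountpoints2\\" in key.lower()
        and any(name.lower().startswith("shell\\") for name in values)
    ]
    if not targets:
        return ""
    return "Registry::\n" + "\n".join(f"[-{key}]" for key in targets) + "\n"


if __name__ == "__main__":
    parsed = parse_reg_section(SAMPLE_LOG)
    for finding in triage(parsed):
        print(finding)
    print(cfscript_for_autorun_keys(parsed))
```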

#27 chung (Member, Topic Starter, 22 posts)
ComboFix 08-03-04.5 - Mark S Chung 2008-03-05 16:23:31.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.842 [GMT -8:00]
Running from: C:\Documents and Settings\Mark S Chung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark S Chung\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-04 11:11 . 2008-03-04 11:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-03 22:08 . 2008-03-03 22:08 <DIR> d-------- C:\Documents and Settings\Mark S Chung\Application Data\Sharp
2008-03-03 22:08 . 2008-03-03 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-03-03 22:08 . 2008-03-03 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-03-03 17:42 . 2008-03-03 17:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 17:42 . 2008-03-03 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-02 12:01 . 2008-03-02 12:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 11:00 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-01 11:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-01 11:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-01 11:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-01 11:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-27 01:14 . 2008-02-27 01:14 1,693 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq nx6110 (PZ891UA#ABA)_YN_0U_QCNU6030JJH_EU_46_I3088_SHP_VKBC Version 39.1E_B68DTD Ver. F.0C_T051121_WXP2_L409_M1272_J40_7Intel_8Pentium M_90.8_#080109_N14E4170C_(PZ891UA#ABA)_XMOBILE_CN10.MRK
2008-02-27 01:03 . 2004-11-08 06:10 127,744 -ra------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-23 23:24 . 2008-02-23 23:24 <DIR> d-------- C:\Documents and Settings\Mark S Chung\WINDOWS
2008-02-23 22:57 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-23 22:57 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-17 00:50 . 2008-02-17 00:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Symantec
2008-02-17 00:02 . 2008-02-17 00:02 <DIR> d-------- C:\Program Files\SymNetDrv
2008-02-16 23:39 . 2008-02-28 17:59 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-16 23:39 . 2003-11-21 08:07 82,984 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-16 23:39 . 2003-11-21 08:07 82,136 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-16 20:25 . 2008-02-16 20:25 244 --ah----- C:\sqmnoopt19.sqm
2008-02-16 20:25 . 2008-02-16 20:25 232 --ah----- C:\sqmdata19.sqm
2008-02-16 00:03 . 2008-02-16 00:03 244 --ah----- C:\sqmnoopt18.sqm
2008-02-16 00:03 . 2008-02-16 00:03 232 --ah----- C:\sqmdata18.sqm
2008-02-15 15:15 . 2008-02-15 15:15 244 --ah----- C:\sqmnoopt17.sqm
2008-02-15 15:15 . 2008-02-15 15:15 232 --ah----- C:\sqmdata17.sqm
2008-02-15 00:23 . 2008-02-15 00:23 244 --ah----- C:\sqmnoopt16.sqm
2008-02-15 00:23 . 2008-02-15 00:23 232 --ah----- C:\sqmdata16.sqm
2008-02-13 22:49 . 2008-02-13 22:49 244 --ah----- C:\sqmnoopt15.sqm
2008-02-13 22:49 . 2008-02-13 22:49 232 --ah----- C:\sqmdata15.sqm
2008-02-12 00:26 . 2008-02-12 00:26 244 --ah----- C:\sqmnoopt14.sqm
2008-02-12 00:26 . 2008-02-12 00:26 232 --ah----- C:\sqmdata14.sqm
2008-02-11 20:14 . 2008-02-11 20:14 244 --ah----- C:\sqmnoopt13.sqm
2008-02-11 20:14 . 2008-02-11 20:14 232 --ah----- C:\sqmdata13.sqm
2008-02-11 17:00 . 2008-02-11 17:00 244 --ah----- C:\sqmnoopt12.sqm
2008-02-11 17:00 . 2008-02-11 17:00 232 --ah----- C:\sqmdata12.sqm
2008-02-10 23:53 . 2008-02-10 23:53 244 --ah----- C:\sqmnoopt11.sqm
2008-02-10 23:53 . 2008-02-10 23:53 232 --ah----- C:\sqmdata11.sqm
2008-02-10 23:08 . 2008-02-10 23:08 244 --ah----- C:\sqmnoopt10.sqm
2008-02-10 23:08 . 2008-02-10 23:08 232 --ah----- C:\sqmdata10.sqm
2008-02-10 02:47 . 2008-02-10 02:47 244 --ah----- C:\sqmnoopt09.sqm
2008-02-10 02:47 . 2008-02-10 02:47 232 --ah----- C:\sqmdata09.sqm
2008-02-09 23:02 . 2008-02-09 23:02 244 --ah----- C:\sqmnoopt08.sqm
2008-02-09 23:02 . 2008-02-09 23:02 232 --ah----- C:\sqmdata08.sqm
2008-02-09 00:17 . 2008-02-09 00:17 244 --ah----- C:\sqmnoopt07.sqm
2008-02-09 00:17 . 2008-02-09 00:17 232 --ah----- C:\sqmdata07.sqm
2008-02-08 16:59 . 2008-02-08 16:59 244 --ah----- C:\sqmnoopt06.sqm
2008-02-08 16:59 . 2008-02-08 16:59 232 --ah----- C:\sqmdata06.sqm
2008-02-08 16:12 . 2008-03-03 16:16 244 --ah----- C:\sqmnoopt05.sqm
2008-02-08 16:12 . 2008-03-03 16:16 232 --ah----- C:\sqmdata05.sqm
2008-02-08 12:50 . 2008-02-08 11:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 12:50 . 2008-02-08 12:50 3,459 --a------ C:\WINDOWS\unins000.dat
2008-02-07 23:34 . 2008-02-29 13:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-07 23:34 . 2008-02-29 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 00:14 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\Azureus
2008-03-03 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-03 07:47 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-27 09:17 --------- d-----w C:\Program Files\InterVideo
2008-02-27 09:14 1,693 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq nx6110 (PZ891UA#ABA)_YN_0U_QCNU6030JJH_EU_46_I3088_SHP_VKBC Version 39.1E_B68DTD Ver. F.0C_T051121_WXP2_L409_M1272_J40_7Intel_8Pentium M_90.8_#080109_N14E4170C_(PZ891UA#ABA)_XMOBILE_CN10.MRK
2008-02-27 09:12 --------- d-----w C:\Program Files\HPQ
2008-02-27 09:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 08:02 --------- d-----w C:\Program Files\Symantec
2008-02-17 07:43 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\LimeWire
2008-02-17 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-14 00:37 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\U3
2008-01-20 07:07 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\dvdcss
2008-01-17 20:38 --------- d-----w C:\Program Files\LimeWire
2008-01-15 06:55 --------- d-----w C:\Program Files\Winamp
2008-01-15 06:48 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-01-15 00:32 67,584 ----a-w C:\WINDOWS\system32\xanalyze.dll
2008-01-15 00:32 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-01-11 02:09 --------- d-----w C:\Program Files\Azureus
2008-01-11 01:12 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-11 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-10 03:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 01:38 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\Roxio
2008-01-10 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-10 00:27 2,320,640 ----a-w C:\WINDOWS\system32\TUKernel.exe
2008-01-10 00:21 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\TuneUp Software
2008-01-09 23:16 --------- d-----w C:\Program Files\Microsoft Works
2008-01-09 23:14 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-09 23:03 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 22:58 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-09 22:55 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\InterVideo
2008-01-09 22:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-09 22:34 --------- d-----w C:\Program Files\VideoLAN
2008-01-09 22:34 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\vlc
2008-01-09 22:33 --------- d-----w C:\Program Files\XP Codec Pack
2008-01-09 22:33 --------- d-----w C:\Program Files\Illustrate
2008-01-09 22:30 --------- d-----w C:\Program Files\IZArc
2008-01-09 22:20 --------- d-----w C:\Program Files\Roxio
2008-01-09 22:20 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-09 22:16 --------- d-----w C:\Documents and Settings\Mark S Chung\Application Data\Symantec
2008-01-09 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\hpqwmi
2008-01-09 22:00 --------- d-----w C:\Program Files\Intel
2008-01-09 21:52 --------- d-----w C:\Program Files\Windows Media Connect
2008-01-09 21:50 --------- d-----w C:\Program Files\Java
2008-01-09 21:50 --------- d-----w C:\Program Files\HP Accessories Product Tour
2008-01-09 21:50 --------- d-----w C:\Program Files\Common Files\Java
2008-01-09 21:40 --------- d-----w C:\Program Files\Synaptics
2008-01-09 21:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-09 21:39 --------- d-----w C:\Program Files\Broadcom
2008-01-09 21:38 --------- d-----w C:\Program Files\Analog Devices
2008-01-09 21:29 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41 860160]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-04-08 11:08 73728]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 03:50 729178]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 02:32 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 02:29 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 02:32 114688]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-09-07 16:28 213054]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2008-01-09 13:50 36972]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 10:59 794624]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-03-09 14:54 184320]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22 35328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 15:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45 71280]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-17 00:02 95960]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 03:20 88363 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-01-09 13:53:27 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\LimeWire\\LimeWire Pro.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 15:56]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cmo_bus.sys [2005-08-16 17:59]
S3 cmo_mdfl;Data Modem @ CDMA Filter;C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys [2005-08-16 18:02]
S3 cmo_mdm;Data Modem @ CDMA Drivers;C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys [2005-08-16 18:02]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 00:17:39 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 16:24:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?8?4?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 16:25:01
ComboFix2.txt 2008-03-05 21:13:15

#28
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\SpoonUninstall.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


Also, tell me if MSN is still doing it.

#29
chung (Topic Starter, Member, 22 posts)

File SpoonUninstall.exe received on 03.05.2008 21:57:25 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.05 -
AntiVir 7.6.0.73 2008.03.05 -
Authentium 4.93.8 2008.03.04 -
Avast 4.7.1098.0 2008.03.05 -
AVG 7.5.0.516 2008.03.05 -
BitDefender 7.2 2008.03.05 -
CAT-QuickHeal 9.50 2008.03.05 -
ClamAV 0.92.1 2008.03.05 -
DrWeb 4.44.0.09170 2008.03.05 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5590 2008.03.05 -
Ewido 4.0 2008.03.05 -
FileAdvisor 1 2008.03.05 -
Fortinet 3.14.0.0 2008.03.05 -
F-Prot 4.4.2.54 2008.03.04 -
F-Secure 6.70.13260.0 2008.03.05 -
Ikarus T3.1.1.20 2008.03.05 -
Kaspersky 7.0.0.125 2008.03.05 -
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.05 -
NOD32v2 2923 2008.03.05 -
Norman 5.80.02 2008.03.05 -
Panda 9.0.0.4 2008.03.05 -
Prevx1 V2 2008.03.05 -
Rising 20.34.22.00 2008.03.05 -
Sophos 4.27.0 2008.03.05 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.05 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.05 -
Webwasher-Gateway 6.6.2 2008.03.05 -

Additional information
File size: 164352 bytes
MD5: 9182f30bc806e652d35946f24f8f8c44
SHA1: 4289f3098e41b276c10a2996bc218ba1a05f5517
PEiD: Armadillo v1.71

Also, my contacts have not gotten any links thus far.

Edited by chung, 05 March 2008 - 03:10 PM.


#30
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Post a new DSS log please