Alcan Worm [RESOLVED]


#1 anewzero (Member, 11 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:58 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: NavigationProgram - {D93B3CA5-6552-0DAA-353B-FB9D4F20B168} - C:\Program Files\NavigationProgram\NavigationProgram-1.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207166006994
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 6186 bytes

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

NavigationProgram

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: NavigationProgram - {D93B3CA5-6552-0DAA-353B-FB9D4F20B168} - C:\Program Files\NavigationProgram\NavigationProgram-1.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\NavigationProgram\
C:\WINDOWS\Fonts\svchost.exe


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on 'See report'. Then click 'Save report'.
* Post that log in your next reply.

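The key judgement in the instructions above is one a helper makes by eye: `svchost.exe` is a normal Windows binary when it runs from `C:\WINDOWS\system32`, but the same name under `C:\WINDOWS\Fonts` is an autostart entry to remove. The following Python script is an added example (not code from this thread, from HijackThis, or from Geeks to Go) that applies that rule mechanically to HijackThis-style log lines, and also surfaces the `ProxyServer` setting the helper asked to fix. The set of system binary names, the list of legitimate directories, and the regular expressions are assumptions made for this example; the sample lines are copied from the HijackThis log in post #1, plus one constructed running-process line that shows the masquerade case.

```python
"""Triage HijackThis-style log lines for autostart entries and processes that
borrow a Windows system binary's name but run from a non-system directory.
Added example, not code from the thread, HijackThis, or Geeks to Go."""
import re
import ntpath

# Windows binaries whose names malware commonly reuses (set constructed for this example).
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
    "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe",
}
# Directories where those binaries legitimately live on Windows XP (assumption for this example).
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Line shapes produced by HijackThis (regexes are assumptions; they cover the lines in post #1).
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

# Sample input: HijackThis lines from post #1, plus one constructed running-process line.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\Fonts\svchost.exe",  # constructed: the masquerade as a running process
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
]


def extract_exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line.
    Handles quoted paths, unquoted paths containing spaces, and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_exe_location(path: str):
    """Return a reason if `path` carries a system-binary name outside a system directory, else None."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in SYSTEM_BINARY_NAMES and directory not in LEGIT_SYSTEM_DIRS:
        return f"{name} normally lives in a Windows system directory, found in {ntpath.dirname(path)}"
    return None


def triage(log_lines):
    """Scan log lines and return (line, reason) pairs that deserve a human look."""
    findings = []
    for line in log_lines:
        line = line.rstrip()
        m = O4_RUN_RE.match(line)
        if m:
            reason = check_exe_location(extract_exe_path(m.group("cmd")))
            if reason:
                findings.append((line, f"Run entry [{m.group('label')}]: {reason}"))
            continue
        m = R1_PROXY_RE.match(line)
        if m and m.group("proxy").strip():
            findings.append((line, f"proxy server set to {m.group('proxy')!r}; confirm this is expected"))
            continue
        if PROCESS_RE.match(line):
            reason = check_exe_location(line)
            if reason:
                findings.append((line, f"running process: {reason}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FLAG: {reason}\n      {line}")
```

Run against the sample, the script flags the constructed `C:\WINDOWS\Fonts\svchost.exe` process, the `ProxyServer = :0` entry, and the `[Host Process]` Run entry, while leaving the genuine `C:\WINDOWS\system32\svchost.exe`, `C:\WINDOWS\explorer.exe` and `ctfmon.exe` entries alone, which is exactly the distinction the follow-up question in post #3 turns on. The directory check is deliberately an exact match rather than a prefix match, so a binary planted in a subfolder of System32 is still reported.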

#3 anewzero (Topic Starter, Member, 11 posts)
I did not have svchost.exe in my "Fonts" folder.

I did, however, find svchost.exe in the "system32" folder in the "WINDOWS" folder.

Do I need to delete that?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No, don't touch those. Proceed with the remaining steps....

#5 anewzero (Topic Starter, Member, 11 posts)
ComboFix 08-04-15.1 - N1N3TY51X 2008-04-15 22:27:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.110 [GMT -7:00]
Running from: C:\Documents and Settings\N1N3TY51X\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-12 20:47 . 2008-04-12 22:44 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-04-12 20:46 . 2008-04-12 20:46 <DIR> d-------- C:\Program Files\Red Kawa
2008-04-12 20:23 . 2008-04-12 20:23 <DIR> d-------- C:\Documents and Settings\N1N3TY51X\Application Data\AVS4YOU
2008-04-12 20:23 . 2008-04-12 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-12 20:19 . 2008-04-12 20:28 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-12 20:18 . 2008-04-12 20:30 <DIR> d-------- C:\Program Files\AVS4YOU
2008-04-12 20:18 . 2007-02-27 19:36 638,976 --a------ C:\WINDOWS\system32\divx.dll
2008-04-12 20:18 . 2007-02-27 19:36 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-12 20:18 . 2007-02-27 19:36 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-04-12 20:18 . 2007-02-27 19:36 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2008-04-12 20:18 . 2007-02-27 19:36 221,215 --a------ C:\WINDOWS\system32\divxdec.ax
2008-04-12 20:18 . 2007-02-27 19:36 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-12 20:18 . 2007-02-27 19:36 82,944 --a------ C:\WINDOWS\system32\vct3216.acm
2008-04-12 20:18 . 2007-02-27 19:36 81,920 --a------ C:\WINDOWS\system32\AC3ACM.acm
2008-04-12 20:18 . 2007-02-27 19:36 38,912 --a------ C:\WINDOWS\system32\alf2cd.acm
2008-04-12 20:18 . 2007-02-27 19:36 13,239 --a------ C:\WINDOWS\system32\Scg726.acm
2008-04-12 01:34 . 2008-04-12 01:36 185 --a------ C:\WINDOWS\wininit.ini
2008-04-09 22:07 . 2008-04-09 22:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 20:50 . 2008-04-09 20:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 20:50 . 2008-04-09 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 21:41 . 2008-04-08 21:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-08 21:34 . 2008-04-12 22:10 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-04-08 21:23 . 2008-04-08 21:23 <DIR> d-------- C:\Program Files\321Studios
2008-04-08 20:52 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-04-08 20:52 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-04-08 20:52 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-04-08 20:52 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-04-08 20:41 . 2008-04-08 20:41 <DIR> d-------- C:\ConverterOutput
2008-04-08 20:40 . 2008-04-08 20:40 <DIR> d-------- C:\Program Files\Cucusoft
2008-04-08 20:40 . 2007-03-25 00:51 3,049,984 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-04-08 20:40 . 2007-03-25 21:40 2,174,976 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-04-08 20:40 . 2007-03-25 00:51 404,480 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-04-08 20:40 . 2007-01-01 05:30 200,704 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-04-08 20:40 . 2007-03-25 00:51 114,688 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-04-08 20:40 . 2007-02-27 19:36 53,248 --a------ C:\WINDOWS\system32\xvid.ax
2008-04-08 20:40 . 2004-09-10 13:50 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-04-08 20:39 . 2008-04-08 20:39 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-05 20:16 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-05 20:14 . 2008-04-05 20:14 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-05 20:06 . 2008-04-05 20:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-05 20:06 . 2008-04-05 20:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 15:19 . 2008-04-03 15:19 <DIR> d-------- C:\WINDOWS\Sun
2008-04-03 06:43 . 2008-04-09 12:02 <DIR> d-------- C:\Documents and Settings\N1N3TY51X\Application Data\LimeWire
2008-04-03 00:41 . 2008-03-01 06:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-03 00:41 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-03 00:41 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-03 00:41 . 2008-03-01 06:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-03 00:41 . 2008-03-01 06:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-03 00:41 . 2008-03-01 06:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-03 00:41 . 2008-03-01 06:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-03 00:41 . 2008-03-01 06:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-03 00:41 . 2008-02-22 03:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-03 00:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-03 00:15 . 2008-04-03 00:33 <DIR> d-------- C:\Program Files\Java
2008-04-03 00:15 . 2008-04-03 00:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-03 00:13 . 2008-04-09 12:02 <DIR> d-------- C:\Program Files\LimeWire
2008-04-02 23:53 . 2008-04-02 23:53 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-02 23:50 . 2008-04-02 23:50 <DIR> d-------- C:\Documents and Settings\N1N3TY51X\Application Data\Talkback
2008-04-02 23:50 . 2008-04-02 23:50 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 23:27 . 2008-04-02 23:27 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-02 19:31 . 2008-04-02 19:32 <DIR> d-------- C:\Documents and Settings\N1N3TY51X\Application Data\Yahoo!
2008-04-02 19:31 . 2008-04-02 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-02 19:24 . 2008-04-02 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-02 19:23 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-02 13:28 . 2008-04-15 22:22 7,300 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-02 13:26 . 2006-03-03 12:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-02 13:21 . 2008-02-06 10:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-02 13:21 . 2007-06-25 15:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-02 13:21 . 2007-06-25 11:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-02 13:21 . 2007-06-25 11:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-02 13:21 . 2007-06-25 11:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-02 13:20 . 2007-03-02 15:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-02 13:16 . 2008-04-02 13:17 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-02 13:16 . 2008-04-02 13:33 <DIR> d-------- C:\Program Files\McAfee
2008-04-02 13:16 . 2008-04-02 13:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-02 13:08 . 2008-04-02 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-02 12:57 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 12:56 . 2008-04-08 15:31 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 12:53 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-02 12:53 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-02 12:53 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-02 12:53 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-02 12:53 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-02 12:22 . 2008-04-02 12:22 <DIR> d-------- C:\Program Files\support.com
2008-04-02 12:22 . 2008-04-02 12:22 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-04-02 12:22 . 2008-04-02 12:22 1,000 --a------ C:\net_save.dna
2008-03-29 20:33 . 2008-03-29 20:33 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-03-29 20:33 . 2008-03-29 20:33 13,044 --a------ C:\WINDOWS\scunin.dat
2008-03-29 20:33 . 2008-03-29 20:33 967 --a------ C:\WINDOWS\ScUnin.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 06:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 21:15 --------- d-----w C:\Program Files\HP
2008-03-06 03:51 --------- d-----w C:\Program Files\Common Files\HP
2008-03-06 03:49 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 01:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-22 01:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-21 21:05 --------- d-----w C:\Program Files\Dirct x
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 09:07 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^N1N3TY51X^Start Menu^Programs^Startup^Backyard Skateboarding Registration.lnk]
path=C:\Documents and Settings\N1N3TY51X\Start Menu\Programs\Startup\Backyard Skateboarding Registration.lnk
backup=C:\WINDOWS\pss\Backyard Skateboarding Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
-----c--- 2002-05-02 08:57 98304 C:\Program Files\ATI Multimedia\main\launchpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2002-11-01 11:28 294912 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
-----c--- 2005-02-10 17:00 1937408 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2001-10-10 23:51]
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS []
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2004-09-12 20:11]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 20:17:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-02 20:17:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 22:30:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-15 22:32:38
ComboFix-quarantined-files.txt 2008-04-16 05:32:33

Pre-Run: 4,770,041,856 bytes free
Post-Run: 4,841,197,568 bytes free
.
2008-04-14 15:10:51 --- E O F ---

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Attach the C:\WINDOWS\system32\wininet.dll file to your next reply....

Did you run Panda yet? We need to see the log.

#7 anewzero (Topic Starter, Member, 11 posts)
;*******************************************************************************
ANALYSIS: 2008-04-16 09:25:29
PROTECTIONS: 1
MALWARE: 25
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
McAfee VirusScan Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Cookies\[email protected][1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.trafficmp.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.atdmt.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.tribalfusion.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ccbill.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ccbill.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ccbill.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ccbill.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ccbill.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ccbill.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Cookies\[email protected][1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.yadro.ru/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Cookies\[email protected][1].txt
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.hotlog.ru/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.azjmp.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.azjmp.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.azjmp.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Cookies\[email protected][1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.azjmp.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Cookies\[email protected][1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.toplist.cz/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.perf.overture.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.bs.serving-sys.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.ads.pointroll.com/]
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.fortunecity.com/]
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.fortunecity.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.questionmarket.com/]
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Cookies\[email protected][1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.adultfriendfinder.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\N1N3TY51X\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\cookies.txt[.atwola.com/]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\N1N3TY51X\Local Settings\Application Data\Mozilla\Firefox\Profiles\8w0cu6eo.default\Cache\C2152591d01[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\N1N3TY51X\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
02649837 Application/Playmp3z HackTools No 0 Yes No C:\System Volume Information\_restore{D9553709-F3B0-48EB-BF37-C08917E75A31}\RP82\A0016923.exe
02902643 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{D9553709-F3B0-48EB-BF37-C08917E75A31}\RP79\A0016746.exe
02902643 Adware/DollarRevenue Adware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir
02902643 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{D9553709-F3B0-48EB-BF37-C08917E75A31}\RP85\A0017508.exe
02902643 Adware/DollarRevenue Adware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir[Setup.exe]
;===================================================================================================================================================
SUSPECTS
Sent Location J
;===================================================================================================================================================
;===================================================================================================================================================
VULNERABILITIES
Id Severity Description J
;===================================================================================================================================================
170904 HIGH MS07-043 J
;===================================================================================================================================================

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where's the C:\WINDOWS\system32\wininet.dll file?

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Do you still have Alcan detected? If so, what's detecting it, and does it specify what file is infected?

#9
anewzero

    Member

  • Topic Starter
  • Member
  • 11 posts
Tried to attach "wininet.dll".

Got the response: "Error Upload failed. You are not permitted to upload this type of file"

#10
anewzero

    Member

  • Topic Starter
  • Member
  • 11 posts
Ran the ATF Cleaner, and now my Firefox browser is displaying (at least) this webpage much differently than it was before I ran ATF Cleaner. The forum looks VERY archaic.

I do not believe I have Alcan on my PC anymore. Nothing seems to be detecting it.

However, I don't understand any of the logs I posted for you. Do the logs point out anything I can't notice myself?

Or am I good?
#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Zip up that C:\WINDOWS\system32\wininet.dll file and then try attaching it. It should allow it now.

Nothing much stands out besides a bunch of temp files you have. If the symptoms are not showing anymore, it's probably removed :)

For the webpage display problem, try holding down the Ctrl key on your keyboard and then clicking the Refresh button to see if it fixes the issue.

#12
anewzero

    Member

  • Topic Starter
  • Member
  • 11 posts
OK, thanks a lot for everything.

Here's the zipped DLL file.

Can I remove HJT and ComboFix, or do I still need those?

As far as my temporary inet files go, I can't figure out how to manually clear that stuff with Firefox.

Should I just keep ATF to do that for me?

Also, can I take my CPU out of the "restore" mode?


#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We always reserve the ComboFix removal as a last step :)

I guess it's about that time now. Go to Start->Run and type in Combofix /u and hit OK to remove it. You can uninstall HJT via the Add/Remove Programs panel.

Keep ATF Cleaner. Yes, you may use that to clear the Firefox temp/cookie files also.

Restore mode? Please clarify.

#14
anewzero

    Member

  • Topic Starter
  • Member
  • 11 posts
The Microsoft Windows Recovery Console.

When I boot up, it asks me if I want to enter recovery mode.

Can I disable this now?

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I see what you mean. Is it on the recovery console option by default or Windows XP? If it's defaulting to XP, just leave it alone. The recovery console can come in handy sometimes when disaster strikes and you have a non-bootable Windows system. So leave it there and if there are no more issues, I will close this topic :)