Red Biohazard Screen problem [RESOLVED]


This topic is locked

#16 aa2 (Member, Topic Starter, 14 posts)

Here is the log from ComboFix.

ComboFix 08-05-28.2 - Big Daddy 2008-05-28 18:33:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1423 [GMT -4:00]
Running from: C:\Documents and Settings\Big Daddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Big Daddy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Zach\Application Data\macromedia\Flash Player\#SharedObjects\CURCNSMH\www.broadcaster.com
C:\Documents and Settings\Zach\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Zach\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aIQBaccf.ini
C:\WINDOWS\system32\lcdersuu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xgeheido.ini
C:\WINDOWS\system32\yvmuwwha.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 18:30 . 2008-05-28 18:30 1,819,505 --a------ C:\Temp\ComboFix.exe
2008-05-26 15:24 . 2008-05-26 15:24 268 --ah----- C:\sqmdata01.sqm
2008-05-26 15:24 . 2008-05-26 15:24 244 --ah----- C:\sqmnoopt01.sqm
2008-05-24 10:34 . 2008-05-24 17:49 <DIR> d-------- C:\Documents and Settings\Big Daddy\DoctorWeb
2008-05-24 10:34 . 2008-05-24 10:34 10,559,128 --a------ C:\Temp\drweb-cureit.exe
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Documents and Settings\Zachary\Contacts
2008-05-21 21:46 . 2008-05-21 21:46 6,039,048 --a------ C:\Temp\Firefox Setup 2.0.0.14.exe
2008-05-21 19:59 . 2008-05-21 19:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 19:59 . 2008-05-21 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 19:56 . 2008-05-21 20:04 50,688 --a------ C:\Temp\ATF-Cleaner.exe
2008-05-18 21:49 . 2008-05-18 21:49 268 --ah----- C:\sqmdata00.sqm
2008-05-18 21:49 . 2008-05-18 21:49 244 --ah----- C:\sqmnoopt00.sqm
2008-05-18 21:24 . 2008-05-18 21:24 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-05-18 21:11 . 2008-05-28 18:10 13,764 --a------ C:\logfile
2008-05-18 21:05 . 2008-05-18 21:05 <DIR> d-------- C:\Program Files\Kodak
2008-05-18 21:01 . 2008-05-18 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-18 20:52 . 2008-05-18 20:52 <DIR> d-------- C:\Documents and Settings\Zachary\Zach
2008-05-18 20:41 . 2008-05-18 20:41 <DIR> d-------- C:\Program Files\LimeWire
2008-05-18 20:41 . 2008-05-27 18:21 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\LimeWire
2008-05-17 11:38 . 2007-06-28 14:36 401,720 --a------ C:\Big Daddy.exe
2008-05-17 11:37 . 2008-05-17 11:37 <DIR> d-------- C:\_OTMoveIt
2008-05-17 11:35 . 2008-05-17 11:35 61 --a------ C:\Temp\fix.bat
2008-05-17 11:34 . 2008-05-17 11:34 <DIR> d-------- C:\dss
2008-05-15 21:37 . 2008-05-15 21:37 <DIR> d-------- C:\Deckard
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Documents and Settings\Big Daddy\Application Data\Malwarebytes
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 21:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-15 21:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-15 20:50 . 2008-05-15 20:50 <DIR> d-------- C:\VundoFix Backups
2008-05-15 20:44 . 2008-05-15 20:44 1,649,976 --a------ C:\Temp\mbam-setup.exe
2008-05-15 20:42 . 2008-05-15 20:42 147,456 --a------ C:\Temp\VundoFix.exe
2008-05-15 20:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-15 20:41 . 2008-05-15 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Documents and Settings\Big Daddy\.SunDownloadManager
2008-05-13 15:50 . 2008-05-15 20:25 <DIR> d-------- C:\Program Files\Google
2008-05-12 21:33 . 2008-05-12 21:33 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Apple Computer
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Sonic
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\ATI
2008-05-12 21:09 . 2008-05-27 18:21 <DIR> d-------- C:\Documents and Settings\Zachary
2008-05-12 19:26 . 2008-05-12 19:23 291,840 --a------ C:\Temp\OTMoveIt2.exe
2008-05-12 18:55 . 2008-05-12 19:18 <DIR> d-------- C:\Temp\SmitfraudFix
2008-05-12 18:54 . 2008-05-12 18:54 <DIR> d-------- C:\backups
2008-05-12 18:51 . 2008-05-12 18:46 1,390,255 --a------ C:\Temp\SmitfraudFix.exe
2008-05-12 18:51 . 2008-05-12 18:43 318,369 --a------ C:\Temp\HiJackThis.zip
2008-05-12 09:39 . 2008-05-12 09:39 <DIR> d-------- C:\Documents and Settings\My Mom\Application Data\TmpRecentIcons
2008-05-11 18:18 . 2008-05-11 18:18 <DIR> d-------- C:\Documents and Settings\Big Daddy\Application Data\TmpRecentIcons
2008-05-11 17:24 . 2008-05-11 17:35 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 22:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-27 01:17 --------- d-----w C:\Program Files\Dl_cats
2008-05-16 00:42 --------- d-----w C:\Program Files\Java
2008-05-14 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 03:53 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2008-05-03 23:49 --------- d-----w C:\Documents and Settings\My Mom\Application Data\AdobeUM
2008-04-13 05:04 --------- d-----w C:\Program Files\iTunes
2008-04-13 05:04 --------- d-----w C:\Program Files\iPod
2008-04-13 05:03 --------- d-----w C:\Program Files\QuickTime
2008-04-06 23:38 --------- d-----w C:\Documents and Settings\Addy\Application Data\LimeWire
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-03-19 19:43 374 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb6334.dat
2007-03-19 19:14 18,432 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb41.dat
2007-03-19 19:13 538 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb8467.dat
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 04:34 53248 C:\WINDOWS\SOUNDMAN.EXE]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 10:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 20:27 85696]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 09:45 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 18:41 69632]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.MJPG"= jl_mjpg2.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dlbtcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\DLBTPSWX.EXE"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Rome - Total War\\RomeTW.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 05:00]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-06-27 13:38]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 19:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-28 22:39:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 18:37:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-05-28 18:41:19 - machine was rebooted [Big Daddy]
ComboFix-quarantined-files.txt 2008-05-28 22:41:16

Pre-Run: 6,219,464,704 bytes free
Post-Run: 6,255,206,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

188 --- E O F --- 2008-05-28 20:41:43
#17 aa2 (Member, Topic Starter, 14 posts)

Here is HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:05 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1166555549453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7286 bytes

#18 Mike (Malware Monger, Retired Staff, 2,745 posts)

Hi there aa2,

Combofix fixed the legitimate file that was infected :)

Let's get rid of two leftover entries

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and paste (Control + V) the content into the Notepad window:
Driver::
JL2005

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=-
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
[animation: dragging CFScript.txt onto ComboFix.exe]

After that, please reboot your computer if it asks you to and post ComboFix.txt (the report ComboFix will generate) in your next reply.

To speed up your boot time a bit, you could fix the following unneeded startup items through HijackThis.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


They can be restored through the backup function in Hijack This if need be.

Post back with the log from combofix.

Are you still experiencing any problems?
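As an added example (not part of this thread, and not code from ComboFix or HijackThis), the script below does mechanically what the reply above does by hand: it reads the HijackThis O3/O4 lines and the ComboFix driver lines posted earlier, flags the toolbar whose DLL is "(no file)" and the S3 driver whose file stamp is an empty "[]", and renders the same Driver::/Registry:: CFScript text. The sample lines are copied from the logs in this thread; the injectable `exists` parameter for checking O4 targets is an assumption added so the check can run on a machine other than the one that produced the log, and the CFScript syntax rendered is only what the reply itself uses.

```python
import os
import re

# Constructed sample: lines copied from the HijackThis log posted earlier
# in this thread (both O3 toolbars and a subset of the O4 Run entries).
HJT_SAMPLE = """\
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Constructed sample: the three driver/service lines from the first ComboFix log.
CF_SAMPLE = """\
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\\Program Files\\Common Files\\Symantec Shared\\EENGINE\\EraserUtilDrv10741.sys [2008-01-18 05:00]
S3 ati2mtaa;ati2mtaa;C:\\WINDOWS\\system32\\DRIVERS\\ati2mtaa.sys [2002-06-27 13:38]
S3 JL2005;JL2005A Toy Camera;C:\\WINDOWS\\system32\\Drivers\\toywdm.sys []
"""

O3_RE = re.compile(r"^O3 - Toolbar: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# ComboFix service line: "<start type> <name>;<display name>;<path> [<file stamp>]"
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
TOOLBAR_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"


def executable_path(command):
    """Return the program path from an O4 command line, or None when the entry
    is a bare file name (resolved through PATH, so it cannot be checked here)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ", 1)[0]
    return path if "\\" in path else None


def startup_entries(hjt_text):
    """Parse every O4 Run entry into hive, value name, command and program path."""
    entries = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            entries.append({"hive": hive, "name": name, "command": command,
                            "path": executable_path(command)})
    return entries


def orphaned_toolbars(hjt_text):
    """CLSIDs of O3 toolbar entries whose DLL HijackThis reports as '(no file)'."""
    return [m.group(2) for m in map(O3_RE.match, hjt_text.splitlines())
            if m and m.group(3).strip() == "(no file)"]


def missing_targets(hjt_text, exists=os.path.exists):
    """Names of O4 entries whose program file is absent. `exists` is injectable
    (assumption) so the check can run away from the machine that made the log."""
    return [e["name"] for e in startup_entries(hjt_text)
            if e["path"] is not None and not exists(e["path"])]


def drivers_without_file(cf_text):
    """Names of ComboFix R*/S* service entries whose file stamp is an empty '[]',
    i.e. the driver file is gone but the service registration is still there."""
    return [m.group("name") for m in map(SVC_RE.match, cf_text.splitlines())
            if m and m.group("stamp") == ""]


def cfscript_text(drivers=(), toolbar_clsids=()):
    """Render a CFScript with the Driver:: and Registry:: sections used in the
    reply above; "=-" after a value name is REGEDIT4 syntax for 'delete it'."""
    out = []
    if drivers:
        out += ["Driver::"] + list(drivers) + [""]
    if toolbar_clsids:
        out += ["Registry::", TOOLBAR_KEY] + ['"%s"=-' % c for c in toolbar_clsids]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(cfscript_text(drivers_without_file(CF_SAMPLE), orphaned_toolbars(HJT_SAMPLE)))
    for name in missing_targets(HJT_SAMPLE):
        print("O4 target not found on this machine:", name)
```

Run on the sample lines, the script reproduces the exact CFScript posted above (Driver:: JL2005, then the Registry:: deletion of the nameless toolbar CLSID). Entries like SoundMan, which reference a bare file name, are reported as unverifiable rather than missing, since Windows resolves them through PATH.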

#19 aa2 (Member, Topic Starter, 14 posts)

One profile still does not have a background and attempts to load the red screen yet cannot find the file. Here is the ComboFix log.

ComboFix 08-05-28.2 - Big Daddy 2008-06-01 11:34:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1473 [GMT -4:00]
Running from: C:\Documents and Settings\Big Daddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Big Daddy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_JL2005


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-28 19:39 . 2008-05-28 19:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 18:30 . 2008-05-28 18:30 1,819,505 --a------ C:\Temp\ComboFix.exe
2008-05-24 10:34 . 2008-05-24 17:49 <DIR> d-------- C:\Documents and Settings\Big Daddy\DoctorWeb
2008-05-24 10:34 . 2008-05-24 10:34 10,559,128 --a------ C:\Temp\drweb-cureit.exe
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Documents and Settings\Zachary\Contacts
2008-05-21 21:46 . 2008-05-21 21:46 6,039,048 --a------ C:\Temp\Firefox Setup 2.0.0.14.exe
2008-05-21 19:59 . 2008-05-21 19:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 19:59 . 2008-05-21 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 19:56 . 2008-05-21 20:04 50,688 --a------ C:\Temp\ATF-Cleaner.exe
2008-05-18 21:24 . 2008-05-18 21:24 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-05-18 21:11 . 2008-06-01 11:28 14,828 --a------ C:\logfile
2008-05-18 21:05 . 2008-05-18 21:05 <DIR> d-------- C:\Program Files\Kodak
2008-05-18 21:01 . 2008-05-18 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-18 20:52 . 2008-05-18 20:52 <DIR> d-------- C:\Documents and Settings\Zachary\Zach
2008-05-18 20:41 . 2008-05-18 20:41 <DIR> d-------- C:\Program Files\LimeWire
2008-05-18 20:41 . 2008-05-31 11:49 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\LimeWire
2008-05-17 11:38 . 2007-06-28 14:36 401,720 --a------ C:\Big Daddy.exe
2008-05-17 11:37 . 2008-05-17 11:37 <DIR> d-------- C:\_OTMoveIt
2008-05-17 11:35 . 2008-05-17 11:35 61 --a------ C:\Temp\fix.bat
2008-05-17 11:34 . 2008-05-17 11:34 <DIR> d-------- C:\dss
2008-05-15 21:37 . 2008-05-15 21:37 <DIR> d-------- C:\Deckard
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Documents and Settings\Big Daddy\Application Data\Malwarebytes
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 21:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-15 21:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-15 20:50 . 2008-05-15 20:50 <DIR> d-------- C:\VundoFix Backups
2008-05-15 20:44 . 2008-05-15 20:44 1,649,976 --a------ C:\Temp\mbam-setup.exe
2008-05-15 20:42 . 2008-05-15 20:42 147,456 --a------ C:\Temp\VundoFix.exe
2008-05-15 20:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-15 20:41 . 2008-05-15 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Documents and Settings\Big Daddy\.SunDownloadManager
2008-05-13 15:50 . 2008-05-15 20:25 <DIR> d-------- C:\Program Files\Google
2008-05-12 21:33 . 2008-05-12 21:33 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Apple Computer
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Sonic
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\ATI
2008-05-12 21:09 . 2008-05-31 13:09 <DIR> d-------- C:\Documents and Settings\Zachary
2008-05-12 19:26 . 2008-05-12 19:23 291,840 --a------ C:\Temp\OTMoveIt2.exe
2008-05-12 18:55 . 2008-05-12 19:18 <DIR> d-------- C:\Temp\SmitfraudFix
2008-05-12 18:54 . 2008-06-01 11:33 <DIR> d-------- C:\backups
2008-05-12 18:51 . 2008-05-12 18:46 1,390,255 --a------ C:\Temp\SmitfraudFix.exe
2008-05-12 18:51 . 2008-05-12 18:43 318,369 --a------ C:\Temp\HiJackThis.zip
2008-05-12 09:39 . 2008-05-12 09:39 <DIR> d-------- C:\Documents and Settings\My Mom\Application Data\TmpRecentIcons
2008-05-11 18:18 . 2008-05-11 18:18 <DIR> d-------- C:\Documents and Settings\Big Daddy\Application Data\TmpRecentIcons
2008-05-11 17:24 . 2008-05-11 17:35 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 15:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-29 14:33 --------- d-----w C:\Program Files\Dl_cats
2008-05-16 00:42 --------- d-----w C:\Program Files\Java
2008-05-14 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-03 23:49 --------- d-----w C:\Documents and Settings\My Mom\Application Data\AdobeUM
2008-04-13 05:04 --------- d-----w C:\Program Files\iTunes
2008-04-13 05:04 --------- d-----w C:\Program Files\iPod
2008-04-13 05:03 --------- d-----w C:\Program Files\QuickTime
2008-04-06 23:38 --------- d-----w C:\Documents and Settings\Addy\Application Data\LimeWire
2007-03-19 19:43 374 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb6334.dat
2007-03-19 19:14 18,432 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb41.dat
2007-03-19 19:13 538 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb8467.dat
.

((((((((((((((((((((((((((((( [email protected]_18.41.06.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-28 22:36:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 15:38:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-05-29 14:39:50 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-05-25 17:26:11 60,624 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-29 14:25:32 60,624 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-25 17:26:11 400,464 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-29 14:25:32 400,464 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 10:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 20:27 85696]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 18:41 69632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.MJPG"= jl_mjpg2.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dlbtcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\DLBTPSWX.EXE"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Rome - Total War\\RomeTW.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 05:00]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-06-27 13:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 19:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-01 15:41:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 11:39:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
.
**************************************************************************
.
Completion time: 2008-06-01 11:43:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 15:43:05
ComboFix2.txt 2008-05-28 22:41:19

Pre-Run: 6,431,592,448 bytes free
Post-Run: 6,455,214,080 bytes free

161 --- E O F --- 2008-05-30 12:02:09
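The ComboFix log above ends with the XP firewall policy dump, and nobody in the thread comments on it. One entry deserves a look: "135:TCP" under GloballyOpenPorts means TCP port 135 (the RPC endpoint mapper, the MS03-026/Blaster vector) is open to every remote address. The following is an added example, not part of ComboFix and not code posted in this thread, that parses that section and flags globally open ports and authorised applications living outside the usual program directories. The AuthorizedApplications section header in the sample is assumed from ComboFix's standard layout; the sample text itself is constructed here to mirror the posted entries.

```python
"""Review the Windows XP firewall policy section of a ComboFix log.

Added example for this thread; not part of ComboFix and not code from the
forum.  Checks: globally open ports (all of them are worth a question, a few
are high severity) and authorised applications outside Program Files or the
Windows folder.  The sample below is constructed to mirror the posted log;
the AuthorizedApplications header is assumed from ComboFix's usual layout.
"""
import re

SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dlbtcoms.exe"=
"E:\\Rome - Total War\\RomeTW.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"""

# Ports that should almost never be opened to every remote address on a home PC.
RISKY_PORTS = {
    (135, "TCP"): "RPC endpoint mapper (DCOM); the MS03-026/Blaster vector",
    (139, "TCP"): "NetBIOS session service (SMB over NetBIOS)",
    (445, "TCP"): "SMB direct hosting",
    (3389, "TCP"): "Remote Desktop",
}
# Where an authorised application is expected to live; anything else gets a question.
EXPECTED_DIR_RE = re.compile(
    r"^(%windir%|%programfiles%|[a-z]:\\(program files|windows))\\", re.IGNORECASE)

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_firewall_policy(text):
    """Return {'AuthorizedApplications': [path, ...],
               'GloballyOpenPorts': [(port, proto, description), ...]}."""
    result = {"AuthorizedApplications": [], "GloballyOpenPorts": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key").lower()
            current = None
            if "firewallpolicy" in key:
                if key.endswith("authorizedapplications\\list"):
                    current = "AuthorizedApplications"
                elif key.endswith("globallyopenports\\list"):
                    current = "GloballyOpenPorts"
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        if current == "AuthorizedApplications":
            # ComboFix doubles the backslashes in this section; undo that.
            result[current].append(val.group("name").replace("\\\\", "\\"))
        else:
            port, proto = val.group("name").split(":", 1)
            result[current].append((int(port), proto.upper(), val.group("data")))
    return result


def review(text):
    """Return [(severity, message), ...] for the firewall policy in a ComboFix log."""
    policy = parse_firewall_policy(text)
    findings = []
    for port, proto, desc in policy["GloballyOpenPorts"]:
        why = RISKY_PORTS.get((port, proto))
        if why:
            findings.append(("high", f"port {port}/{proto} open to all addresses: {why}"))
        else:
            findings.append(("medium", f"port {port}/{proto} open to all addresses "
                                       f"({desc or 'no description'})"))
    for path in policy["AuthorizedApplications"]:
        if not EXPECTED_DIR_RE.match(path):
            findings.append(("low", "authorised application outside the usual "
                                    f"program directories: {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in review(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the sample it reports port 135/TCP as high and the game on drive E: as a low-severity item to confirm with the user. ComboFix's dump drops the scope field of the registry value, so a port listed here is taken at face value as open to all addresses; check the live policy with `netsh firewall show state` on the machine before acting on it.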

#20 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there aa2,

Please make sure this folder is deleted: C:\Documents and Settings\Big Daddy\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

Nothing is showing up in your logs here; would you mind going to the profile that is having trouble and posting a HijackThis log from it? It is probably just a leftover entry, but we want to get rid of it anyway.

#21 aa2 (Member, Topic Starter, 14 posts)
Here is the HijackThis log from when we log in with my wife's profile.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:20 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe
O4 - HKUS\S-1-5-21-1409082233-1229272821-725345543-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-1409082233-1229272821-725345543-1004\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe (User '?')
O4 - HKUS\S-1-5-21-1409082233-1229272821-725345543-1004\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe (User '?')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1166555549453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6936 bytes

#22 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there aa2,

Step 1. Fixes with Hijack This

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
Antivirus 2008

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...amp;lid=2\
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe
O4 - HKUS\S-1-5-21-1409082233-1229272821-725345543-1004\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe (User '?')
O4 - HKUS\S-1-5-21-1409082233-1229272821-725345543-1004\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe (User '?')
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Now please close all open windows except HJT and press "Fix checked".

Step 2. Running OTMoveIt2

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe
    C:\WINDOWS\privacy_danger
    C:\Program Files\Antivirus 2008
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3. Running MalwareByte's Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 4. Deckard's System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Note: These logs may be too large to post in one reply; if so, please post extra.txt in a separate reply.

In your next reply

Please post the log from OTMoveIt2.
Please post the log from MBAM.
Please post the log from Deckard's System Scanner (Main.txt & Extra.txt)

If the logs are too big to fit in one reply, please spread them out over multiple replies.

Edited by Mike, 05 June 2008 - 04:02 AM.

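Mike's fix list above is the product of reading a HijackThis log by hand: an autorun launched from a user's Temp folder under a random-looking name, an autorun for the "Antivirus 2008" rogue, a start page redirected to softwarereferral.com, and an O24 desktop component loading a local HTML file out of C:\WINDOWS. The following is an added example, not a HijackThis feature and not code posted by anyone in this thread, that encodes those same judgements as heuristics and runs them over a log. The sample log is constructed here to mirror the entries posted above; the URLs in it are shortened stand-ins for the ones the forum software truncated, and the allowlist and rogue-name list are the editor's own assumptions.

```python
"""Triage a HijackThis 2.0.2 log for the entries a malware-removal helper would
tell the user to tick and "Fix checked".

Added example for this thread; not a HijackThis feature and not code posted
in the forum.  Heuristics (the editor's own): autoruns that execute from a
Temp folder, Run value names that look machine-generated, autoruns belonging
to a known rogue security product, browser start/search pages pointing at a
host outside a small allowlist, and desktop components that load a local HTML
file from the Windows folder.  SAMPLE_LOG is constructed to mirror the posted
log; its URLs are shortened stand-ins for the truncated originals.
"""
import re
from urllib.parse import urlparse

# Hosts a stock Windows XP / IE7 installation legitimately uses in R0/R1 entries (assumed allowlist).
TRUSTED_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# Rogue "security" products; "Antivirus 2008" is the one named in this thread.
ROGUE_NAMES = {"antivirus 2008", "xp antivirus 2008"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# 12+ lowercase alphanumerics mixing letters and digits, e.g. jdgf894jrghoiiskd
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?lid=2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe
O4 - HKUS\S-1-5-21-1409082233-1229272821-725345543-1004\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe (User '?')
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


def reasons(line):
    """Return the list of reasons `line` should be fixed (empty if it looks benign)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    out = []
    if kind in ("R0", "R1"):
        host = (urlparse(body.rsplit(" = ", 1)[-1]).hostname or "").lower()
        if host and host not in TRUSTED_HOSTS:
            out.append(f"browser setting points at untrusted host {host}")
    elif kind == "O4":
        o4 = O4_RE.match(body)
        if o4:  # Global Startup entries use a different shape and are skipped here
            name, target = o4.group("name"), o4.group("target")
            if TEMP_RE.search(target):
                out.append("autorun executes from a Temp folder")
            if RANDOM_NAME_RE.match(name):
                out.append("autorun value name looks machine-generated")
            if any(rogue in target.lower() for rogue in ROGUE_NAMES):
                out.append("autorun belongs to a known rogue security product")
    elif kind == "O24":
        url = body.rsplit(" - ", 1)[-1].lower()
        if url.startswith("file:///") and "\\windows\\" in url:
            out.append("desktop component loads a local HTML file from the Windows folder")
    return out


def triage(log_text):
    """Return [(line, reasons), ...] for every flagged entry, in log order."""
    flagged = []
    for line in log_text.splitlines():
        why = reasons(line)
        if why:
            flagged.append((line.strip(), why))
    return flagged


def fix_list(log_text):
    """The flagged lines only, ready to paste into a 'put a check next to' reply."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for w in why:
            print("   ->", w)
```

On the sample it flags exactly the four entries Mike listed and nothing from Symantec, Java or ctfmon. The random-name rule is deliberately narrow (lowercase letters and digits only, twelve or more characters) so that ordinary value names such as "QuickTime Task" never trip it; widen it only with a corpus of known-good names to test against, because a false positive here tells a user to delete something that may be legitimate.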

#23 aa2 (Member, Topic Starter, 14 posts)
OK, AV 2008 was not present to uninstall.

First log:

Explorer killed successfully
File/Folder C:\DOCUME~1\Addy\LOCALS~1\Temp\winlogan.exe not found.
File/Folder C:\WINDOWS\privacy_danger not found.
File/Folder C:\Program Files\Antivirus 2008 not found.
< emptytemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 06052008_211233

Malware log:

Malwarebytes' Anti-Malware 1.15
Database version: 833

9:40:24 PM 6/5/2008
mbam-log-6-5-2008 (21-40-24).txt

Scan type: Quick Scan
Objects scanned: 45030
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DSS log main.txt; there was no extra.txt.

Deckard's System Scanner v20071014.68
Run by My Mom on 2008-06-05 21:40:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 5.11 GiB (less than 15%) free.


-- HijackThis (run as My Mom.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:23 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\dss\dss.exe
C:\My Mom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1166555549453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6258 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 21:15:33 0 d-------- C:\Documents and Settings\My Mom\Application Data\Malwarebytes
2008-06-01 21:10:06 0 d-------- C:\Documents and Settings\My Mom\Application Data\Mozilla
2008-05-29 16:38:09 0 d-------- C:\Documents and Settings\Addy\Application Data\Mozilla
2008-05-29 10:25:11 0 d-------- C:\Documents and Settings\Zachary\Application Data\Mozilla
2008-05-28 19:39:44 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 18:31:26 0 d-------- C:\cmdcons
2008-05-28 18:30:35 68096 --a------ C:\WINDOWS\zip.exe
2008-05-28 18:30:35 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-28 18:30:35 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-28 18:30:35 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-28 18:30:35 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-28 18:30:35 98816 --a------ C:\WINDOWS\sed.exe
2008-05-28 18:30:35 80412 --a------ C:\WINDOWS\grep.exe
2008-05-28 18:30:35 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-23 21:45:43 0 d-------- C:\Documents and Settings\Zachary\Contacts
2008-05-21 19:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 19:59:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-18 21:24:17 0 d-------- C:\Program Files\Common Files\Kodak
2008-05-18 21:21:14 0 d-------- C:\Documents and Settings\My Mom\Application Data\Google
2008-05-18 21:11:19 14828 --a------ C:\logfile
2008-05-18 21:05:15 0 d-------- C:\Program Files\Kodak
2008-05-18 21:01:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-18 20:52:33 0 d-------- C:\Documents and Settings\Zachary\Zach
2008-05-18 20:41:40 0 d-------- C:\Documents and Settings\Zachary\Application Data\LimeWire
2008-05-18 20:41:23 0 d-------- C:\Program Files\LimeWire
2008-05-17 11:34:31 0 d-------- C:\dss
2008-05-15 21:07:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 21:07:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 20:50:28 0 d-------- C:\VundoFix Backups <VUNDOF~1>
2008-05-15 20:41:40 0 d-------- C:\Program Files\Common Files\Java
2008-05-13 18:36:47 0 d-------- C:\Documents and Settings\Addy\Application Data\Google
2008-05-13 15:52:04 0 d-------- C:\Documents and Settings\Zachary\Application Data\Google
2008-05-13 15:51:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-13 15:50:56 0 d-------- C:\Program Files\Google
2008-05-13 15:28:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-13 09:29:55 0 d-------- C:\Documents and Settings\Zachary\Application Data\Macromedia
2008-05-13 09:29:32 0 d-------- C:\Documents and Settings\Zachary\Application Data\Adobe
2008-05-12 21:33:07 0 d-------- C:\Documents and Settings\Zachary\Application Data\Apple Computer
2008-05-12 21:10:46 0 d-------- C:\Documents and Settings\Zachary\Application Data\ATI
2008-05-12 21:10:44 0 d-------- C:\Documents and Settings\Zachary\Application Data\Sonic
2008-05-12 21:10:16 0 d-------- C:\Documents and Settings\Zachary\Application Data\Identities
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\Templates
2008-05-12 21:09:55 0 dr------- C:\Documents and Settings\Zachary\Start Menu
2008-05-12 21:09:55 0 dr-h----- C:\Documents and Settings\Zachary\SendTo
2008-05-12 21:09:55 0 dr-h----- C:\Documents and Settings\Zachary\Recent
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\PrintHood
2008-05-12 21:09:55 1835008 --ah----- C:\Documents and Settings\Zachary\NTUSER.DAT
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\NetHood
2008-05-12 21:09:55 0 dr------- C:\Documents and Settings\Zachary\My Documents
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\Local Settings
2008-05-12 21:09:55 0 dr------- C:\Documents and Settings\Zachary\Favorites
2008-05-12 21:09:55 0 d-------- C:\Documents and Settings\Zachary\Desktop
2008-05-12 21:09:55 0 d--hs---- C:\Documents and Settings\Zachary\Cookies
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\Application Data
2008-05-12 21:09:55 0 d---s---- C:\Documents and Settings\Zachary\Application Data\Microsoft
2008-05-12 18:54:36 0 d-------- C:\backups
2008-05-12 09:39:38 0 d-------- C:\Documents and Settings\My Mom\Application Data\TmpRecentIcons
2008-05-11 20:18:23 0 d-------- C:\Documents and Settings\Administrator.SHUTTLEXP\Application Data\Macromedia
2008-05-11 20:17:56 0 d-------- C:\Documents and Settings\Administrator.SHUTTLEXP\Application Data\Adobe
2008-05-11 18:08:50 0 d-------- C:\WINDOWS\pss
2008-05-11 17:27:29 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-11 17:24:09 0 d-------- C:\Documents and Settings\Zach\Application Data\TmpRecentIcons
2008-05-10 10:32:25 0 d-------- C:\Documents and Settings\My Mom\Application Data\Help


-- Find3M Report ---------------------------------------------------------------

2008-06-04 16:41:08 0 d-------- C:\Program Files\Dl_cats
2008-06-04 16:40:21 0 d-------- C:\Documents and Settings\My Mom\Application Data\AdobeUM
2008-06-01 12:12:45 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-18 21:24:17 0 d-------- C:\Program Files\Common Files
2008-05-15 20:42:28 0 d-------- C:\Program Files\Java
2008-04-13 01:04:32 0 d-------- C:\Program Files\iTunes
2008-04-13 01:04:20 0 d-------- C:\Program Files\iPod
2008-04-13 01:03:05 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 10:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 08:27 PM]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [11/09/2004 06:41 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/24/2003 12:37:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-06-05 21:41:46 ------------

#24 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there aa2,

Your log looks fine, any problems still?

Edited by Mike, 06 June 2008 - 08:21 AM.


#25 aa2 (Member, Topic Starter, 14 posts)
Looks good, thanks for the time and effort.

#26 Mike (Malware Monger, Retired Staff, 2,745 posts)
Glad to hear it :)

Step 1. Removing ComboFix

Click START, then RUN.
Now type Combofix /u in the run box and click OK.
Notice the space between the x and the /; that needs to be there.

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.



Step 2. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 3. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

#27 Mike (Malware Monger, Retired Staff, 2,745 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.