WinIFixer has messed up my computer! Won't Uninstall or go awa


  • This topic is locked

#1
sunny441

    Member

  • Member
  • 258 posts
Hello guys:

Once again I am in a fine mess. I have no clue where this program came from or how it got installed on my computer. For a while I have been finding random files in the My Documents folder. Anyway, now this WINIFIXER program has installed itself and is causing all kinds of problems. I am posting my HijackThis log below - hope someone can help me! Annoying windows keep popping up and asking me if I want WINIFIXER to protect my computer! Somebody please help!

thanks

Sunny

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:41, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\httpd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\apache2triad\mail\bin\XMail.exe
C:\apache2triad\bin\httpd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\ip1yo8.exe
C:\Program Files\WinIFixer\WinIFixer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.c...oad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe

--
End of file - 6641 bytes

Edited by sunny441, 13 May 2008 - 07:24 PM.

  • 0


#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

WinIFixer

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

c:\ip1yo8.exe
C:\WINDOWS\system32\ctfmona.exe
C:\Program Files\WinIFixer\


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0
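The triage in the reply above rests on checks that can be automated: autostart entries whose target file is gone (the "(no file)" O2 and O3 lines), an executable running from a location no installer would use (c:\ip1yo8.exe in the drive root), and a second log after the fix to confirm the entries are no longer present. The following Python script is an added example, not part of this thread or of HijackThis: it parses HijackThis log lines, applies those two heuristics, and diffs a before/after log. The sample logs are constructed subsets of the two logs in this thread, the heuristics are assumptions, and a flag is a prompt to review an entry, not a verdict on it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed subsets of the two HijackThis logs quoted in this thread
# (post #1 before the fix, post #8 after it). Not complete logs.
BEFORE_LOG = r"""Scan saved at 21:01:41, on 5/13/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
c:\ip1yo8.exe
C:\Program Files\WinIFixer\WinIFixer.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
"""

AFTER_LOG = r"""Scan saved at 23:07:49, on 5/15/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
"""


@dataclass(frozen=True)
class Entry:
    kind: str    # HijackThis section prefix (R3, O2, O4, ...) or PROC for a running process
    text: str    # the log line as written
    target: str  # drive-letter path of the file the entry points at, "" if none


# "O4 - HKLM\..\Run: [...]" style lines; group 1 is the section prefix.
_ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d)\s+-\s+(.*)$")
# First drive-letter path ending in a PE/driver extension, stopping at quotes or brackets.
_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|ocx|sys)", re.IGNORECASE)


def parse_hjt(log: str) -> list[Entry]:
    """Turn a HijackThis log into Entry records (running processes included)."""
    entries: list[Entry] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = _ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O/F line ends the process list
            path = _PATH_RE.search(m.group(2))
            entries.append(Entry(m.group(1), line, path.group(0) if path else ""))
        elif in_procs and _PATH_RE.match(line):
            entries.append(Entry("PROC", line, line))
    return entries


def _in_drive_root(path: str) -> bool:
    # "c:\ip1yo8.exe" has exactly one backslash; anything inside a folder has more.
    return path.count("\\") == 1


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Assumed heuristics: each hit is something to look at, not proof of malware."""
    findings: list[tuple[Entry, str]] = []
    for e in entries:
        if "(no file)" in e.text:
            findings.append((e, "orphaned: the file this entry loads no longer exists"))
        elif e.target and _in_drive_root(e.target):
            findings.append((e, "executable in the drive root, where installers do not put programs"))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Persistent entries (processes excluded) removed and added between two logs."""
    b = {e.text for e in parse_hjt(before) if e.kind != "PROC"}
    a = {e.text for e in parse_hjt(after) if e.kind != "PROC"}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, why in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"[{entry.kind}] {why}\n    {entry.text}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nremoved since first log:", *removed, sep="\n  ")
    print("\nnew since first log:", *added, sep="\n  ")
```

Run against the full logs from posts #1 and #8, the diff also shows the R1 Default_Page_URL lines that appear only in the second log, which is why the output is a review list and not a verdict.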

#3
sunny441

    Member

  • Topic Starter
  • Member
  • 258 posts
GreyKnight:

Thanks for your reply. While I was waiting for your reply, I ran the Malwarebytes anti-malware tool and got rid of some stuff.

However, I am going to do the stuff you asked and post back!

thanks

Sunny
  • 0

#4
sunny441

    Member

  • Topic Starter
  • Member
  • 258 posts
Greyknight:

Thanks for the prompt reply.

I did as you requested. However, I did not find any of the directories that you wanted me to delete. I assume that the Malwarebytes program took care of that. I am pasting my ComboFix log below.

thanks

ComboFix 08-05-12.1 - Sudhir J. Kamath 2008-05-13 22:04:40.1 - NTFSx86
Running from: C:\Documents and Settings\Sudhir J. Kamath\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\imglib.dll
C:\WINDOWS\SNMPAPI.DLL
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 15:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 15:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 21:20 . 2008-05-06 21:20 <DIR> d-------- C:\Program Files\GizmoPlugin
2008-05-06 20:45 . 2008-05-06 20:45 <DIR> d-------- C:\Program Files\DialIdol.com
2008-04-28 18:47 . 2008-04-28 18:55 <DIR> d-------- C:\DUKE3D
2008-04-28 18:35 . 2008-04-28 18:35 <DIR> d-------- C:\4dprince
2008-04-22 23:32 . 2008-05-03 12:13 <DIR> d-------- C:\Program Files\Oberon Media
2008-04-22 23:32 . 2008-04-22 23:32 <DIR> d-------- C:\Program Files\GamesBar
2008-04-22 23:32 . 2008-04-22 23:32 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-04-22 23:32 . 2008-04-24 19:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:19 . 2008-05-12 15:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 22:19 . 2008-04-20 22:19 <DIR> d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-20 22:19 . 2008-04-20 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 15:34 . 2008-04-20 15:34 <DIR> d-------- C:\Program Files\CONEXANT
2008-04-15 18:13 . 2006-02-10 17:55 34,688 --a------ C:\WINDOWS\system32\drivers\samfilt.sys
2008-04-15 18:02 . 2004-03-20 03:54 929,844 --a------ C:\WINDOWS\system32\MFC42D.DLL
2008-04-15 18:02 . 2004-03-20 03:54 798,773 --a------ C:\WINDOWS\system32\MFCO42D.DLL
2008-04-15 18:02 . 2004-03-20 03:54 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-04-15 18:02 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 01:05 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-13 01:05 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-12 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-07 01:35 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 19:08 --------- d-----w C:\Program Files\DOSBox-0.72
2008-05-01 15:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-15 21:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 23:21 --------- d-----w C:\Program Files\KeyNote
2008-04-12 23:20 --------- d-----w C:\Program Files\Numericon
2008-04-12 23:19 --------- d-----w C:\Program Files\Minitab 15
2008-04-12 23:16 --------- d-----w C:\Program Files\Panda Security
2008-04-10 02:11 --------- d-----w C:\Program Files\Trend Micro
2008-04-09 21:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-09 21:17 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-03 12:58 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-26 01:58 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 04:36 --------- d-----w C:\Program Files\Windows Live
2008-03-25 04:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-25 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-24 22:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 20:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-23 02:31 127 ---ha-w C:\Documents and Settings\All Users\Application Data\emopts.dat
2008-03-23 02:31 --------- d--h--w C:\Documents and Settings\All Users\Application Data\sacache
2008-03-21 20:09 --------- d-----w C:\Program Files\Nexus
2008-03-20 06:30 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 04:25 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Microsoft Games
2008-03-18 21:57 --------- d-----w C:\Program Files\Microsoft Games
2008-03-12 05:45 39,888 ----a-w C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
2008-02-21 06:14 1,984 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 21:09 579584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Gizmo Plugin;Gizmo VoIP Service;"C:\Program Files\GizmoPlugin\GizmoPlugin.exe" [2008-05-06 21:20]
R2 XMail;Apache2Triad Xmail Service;C:\apache2triad\mail\bin\XMail.exe [2007-04-19 01:13]
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;"C:\apache2triad\bin\httpd.exe" -D SSL -n Apache2SSL -k runservice []
S3 PgSql;Apache2Triad PostgreSQL Service;"C:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -N PgSql -D C:\apache2triad\pgsql\data\ []
S3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 22:12:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-13 22:18:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 02:17:42

Pre-Run: 8,218,591,232 bytes free
Post-Run: 8,146,628,608 bytes free

167 --- E O F --- 2008-05-09 15:07:50

  • 0

#5
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
These seem to have adware in them. I suggest uninstalling them via the Add/Remove Programs panel and then delete their folders if they still exist:

C:\Program Files\Oberon Media
C:\Program Files\GamesBar
C:\Program Files\Common Files\Oberon Media


Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#6
sunny441

    Member

  • Topic Starter
  • Member
  • 258 posts
Thanks for your reply.

Now I have another problem! I have I-Worm/Roron found on my computer.

My anti-virus (AVG) finds random files in my documents folder. Most of them sound like [bleep] videos or executable files!
Repeated scans do not find anything or any virus on the computer!
Please help me!

Edited by sunny441, 14 May 2008 - 07:16 PM.

  • 0

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download Deckard's System Scanner at http://deckard.geekstogo.com/dss.exe or http://www.techsuppo...Deckard/dss.exe and save it to your desktop.

- Close all applications and windows.
- Double-click on DSS.exe to run it, and follow the prompts.
- When the scan is complete, two text files will open - Main.txt and Extra.txt

Post the main.txt (copy and paste it in your reply) and extra.txt (attach it in your next reply) from the C:\Deckard\System Scanner folder into your next reply.
  • 0

#8
sunny441

    Member

  • Topic Starter
  • Member
  • 258 posts
Thanks for the reply. For some reason DSS opened up Mozilla Firefox! Anyway, there was some problem with HijackThis or something; anyway, I am posting the log below and attaching the file!

Deckard's System Scanner v20071014.68
Run by Sudhir J. Kamath on 2008-05-15 23:06:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-05-16 03:06:32 UTC - RP444 - Deckard's System Scanner Restore Point
3: 2008-05-16 02:43:25 UTC - RP443 - System Checkpoint
2: 2008-05-15 01:50:29 UTC - RP442 - 15th May
1: 2008-05-15 01:50:11 UTC - RP441 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Sudhir J. Kamath.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:49, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\httpd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\apache2triad\bin\httpd.exe
C:\apache2triad\mail\bin\XMail.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Sudhir J. Kamath\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sudhir J. Kamath.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.c...oad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe

--
End of file - 6671 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-220136-791 O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20080513-220136-874 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 SAMFILT - c:\windows\system32\drivers\samfilt.sys <Not Verified; Dolphin, Inc.; Dolphin Keyboard Filter>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 PID_PEPI (Logitech QuickCam IM(PID_PEPI)) - c:\windows\system32\drivers\lv302v32.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 tifm - c:\windows\system32\drivers\tifm.sys <Not Verified; Texas Instruments; Texas Instruments PCIxx20 UltraMedia>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apache2 (Apache2Triad Apache2 Service) - "c:\apache2triad\bin\httpd.exe" -n apache2 -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>
R2 Gizmo Plugin (Gizmo VoIP Service) - "c:\program files\gizmoplugin\gizmoplugin.exe" <Not Verified; SIPphone, Inc.; Gizmo Plugin VOIP Service>
R2 MySql (Apache2Triad MySql Service) - c:\apache2triad\mysql\bin\mysqld.exe
R2 XMail (Apache2Triad Xmail Service) - c:\apache2triad\mail\bin\xmail.exe

S3 Apache2SSL (Apache2Triad Apache2 Service with SSL) - "c:\apache2triad\bin\httpd.exe" -d ssl -n apache2ssl -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 PgSql (Apache2Triad PostgreSQL Service) - "c:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -n pgsql -d c:\apache2triad\pgsql\data\ <Not Verified; PostgreSQL Global Development Group; PostgreSQL>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4F4AB100811F0F00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4F4AB100811F0F00
Service: NIC1394

Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_018D1028&REV_00\4&16793A72&0&23F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_018D1028&REV_00\4&16793A72&0&23F0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth PAN Network Adapter
Device ID: ROOT\NET\0000
Manufacturer: IVT Corporation
Name: Bluetooth PAN Network Adapter
PNP Device ID: ROOT\NET\0000
Service: BT


-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 09:53:28 0 d-------- C:\WINDOWS\LastGood
2008-05-06 21:20:38 0 d-------- C:\Program Files\GizmoPlugin
2008-05-06 20:45:30 0 d-------- C:\Program Files\DialIdol.com
2008-04-28 18:47:41 0 d-------- C:\DUKE3D
2008-04-28 18:35:32 0 d-------- C:\4dprince
2008-04-22 23:32:54 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:19:11 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-20 22:19:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 22:19:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 15:34:07 0 d-------- C:\Program Files\CONEXANT
2008-04-15 18:13:32 34688 --a------ C:\WINDOWS\system32\drivers\samfilt.sys <Not Verified; Dolphin, Inc.; Dolphin Keyboard Filter>


-- Find3M Report ---------------------------------------------------------------

2008-05-15 23:00:44 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-15 21:40:02 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-14 21:53:46 0 d-------- C:\Program Files\Panda Security
2008-05-14 21:07:17 0 d-------- C:\Program Files\Common Files
2008-05-06 21:35:55 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 15:08:29 0 d-------- C:\Program Files\DOSBox-0.72
2008-05-01 11:40:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-22 23:33:08 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Macromedia
2008-04-15 17:49:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 19:21:16 0 d-------- C:\Program Files\KeyNote
2008-04-12 19:20:47 0 d-------- C:\Program Files\Numericon
2008-04-12 19:19:14 0 d-------- C:\Program Files\Minitab 15
2008-04-10 17:16:36 1364 --a------ C:\WINDOWS\checkip.dat
2008-04-09 22:11:13 0 d-------- C:\Program Files\Trend Micro
2008-04-09 17:20:24 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-09 17:17:36 0 d-------- C:\Program Files\Microsoft.NET
2008-04-06 23:12:55 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-05 21:04:47 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Adobe
2008-04-03 08:58:18 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-25 21:58:29 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 00:36:55 0 d-------- C:\Program Files\Windows Live
2008-03-25 00:35:42 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 18:44:42 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 22:31:07 640 --ah----- C:\WINDOWS\saopts.dat
2008-03-21 16:09:46 0 d-------- C:\Program Files\Nexus
2008-03-20 02:30:44 0 d-------- C:\Program Files\MSXML 4.0
2008-03-19 00:25:23 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Microsoft Games
2008-03-18 17:57:22 0 d-------- C:\Program Files\Microsoft Games
2008-03-12 01:45:04 39888 --a------ C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
2008-02-21 02:14:23 1984 --a------ C:\WINDOWS\system32\tmp.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/19/2005 19:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/19/2005 19:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/19/2005 19:10]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [11/01/2006 13:48]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/17/2008 21:09]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 18:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [09/11/2006 04:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"=0 (0x0)
"NoLogOff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 03/04/2008 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-15 23:08:19 ------------

  • 0

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
What's I-Worm/Roron on your computer? Is it still detected? If so, where is it located now?
  • 0

#10
sunny441

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 258 posts
greyknight:

thanks for the reply.

That is the exact problem with this virus. I cannot find anything when I scan the computer. But when I am surfing or just doing some work, all of a sudden AVG will pop up a screen and say that IWORM RORON32 found!! and will say that some random .exe file was found in My Documents and what do I want to do. Once I hit heal, the file is gone and then things go along as if nothing had happened, till the next time I see the AVG window come up! I looked in the folders and found nothing - it's as if the file just appears randomly and then disappears!

hope that helps!
  • 0

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download SDFix at http://downloads.and...Tools/SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum.


Run a new Combofix scan and post the log here.

Does Panda find anything?
  • 0

#12
sunny441

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 258 posts
GREYKNIGHT:

I did run SDFix and am posting the log below. However, there is one item at the very end, and I am not sure where and how that item got there. "C:\Program Files\ZakFromAnotherPlanet\VBRunDLL\Setup.exe" is the item in question and I have no idea about it!
Also I am posting the new ComboFix log here. I did run the Panda scan and it found the usual bunch of junk on the computer like tracking cookies and such, but nothing about the IWORM/RORON32. :)

SDFix: Version 1.183
Run by Sudhir J. Kamath on Sat 05/17/2008 at 23:29

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 23:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:256fc6f8
"s2"=dword:0ae0ace3
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:7a,50,de,c8,5e,c4,e5,3c,f6,e5,4d,02,57,5a,d5,93,af,46,79,7a,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,45,9c,37,7b,bd,14,41,d6,6a,aa,79,22,f2,d3,f4,b4,..
"khjeh"=hex:23,38,08,fd,c1,7d,58,14,e0,14,b6,40,48,77,19,dd,de,18,70,39,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:46,0c,b7,73,43,be,86,b8,90,7b,ee,74,3d,c9,61,1f,53,d0,cc,91,91,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:7a,50,de,c8,5e,c4,e5,3c,f6,e5,4d,02,57,5a,d5,93,af,46,79,7a,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,45,9c,37,7b,bd,14,41,d6,6a,aa,79,22,f2,d3,f4,b4,..
"khjeh"=hex:23,38,08,fd,c1,7d,58,14,e0,14,b6,40,48,77,19,dd,de,18,70,39,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:46,0c,b7,73,43,be,86,b8,90,7b,ee,74,3d,c9,61,1f,53,d0,cc,91,91,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"="C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"="C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe:*:Enabled:EchoLink"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 22 Feb 2008 49 ...H. --- "C:\Documents and Settings\All Users\Application Data\aoexp.tmp"
Fri 2 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 May 2008 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Thu 12 Apr 2007 50,688 ..SHR --- "C:\Program Files\ZakFromAnotherPlanet\VBRunDLL\Setup.exe"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3\temp\Launchpad Removal.exe"

Finished!



ComboFix 08-05-15.3 - Sudhir J. Kamath 2008-05-18 1:24:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT -4:00]
Running from: C:\Documents and Settings\Sudhir J. Kamath\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-17 23:25 . 2008-05-17 23:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 23:16 . 2008-05-17 23:46 <DIR> d-------- C:\SDFix
2008-05-12 15:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 15:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 20:45 . 2008-05-06 20:45 <DIR> d-------- C:\Program Files\DialIdol.com
2008-04-22 23:32 . 2008-04-24 19:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:19 . 2008-05-12 15:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 22:19 . 2008-04-20 22:19 <DIR> d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-20 22:19 . 2008-04-20 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 15:34 . 2008-04-20 15:34 <DIR> d-------- C:\Program Files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 03:06 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-18 02:13 --------- d-----w C:\Program Files\FileZilla
2008-05-18 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-18 02:11 --------- d-----w C:\Program Files\Panda Security
2008-05-18 02:11 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\InstallShield
2008-05-17 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-16 01:40 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-07 01:35 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 19:08 --------- d-----w C:\Program Files\DOSBox-0.72
2008-05-01 15:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-12 23:21 --------- d-----w C:\Program Files\KeyNote
2008-04-12 23:20 --------- d-----w C:\Program Files\Numericon
2008-04-12 23:19 --------- d-----w C:\Program Files\Minitab 15
2008-04-10 02:11 --------- d-----w C:\Program Files\Trend Micro
2008-04-09 21:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-09 21:17 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-03 12:58 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 01:58 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 04:36 --------- d-----w C:\Program Files\Windows Live
2008-03-25 04:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-25 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-24 22:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 20:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-23 02:31 127 ---ha-w C:\Documents and Settings\All Users\Application Data\emopts.dat
2008-03-23 02:31 --------- d--h--w C:\Documents and Settings\All Users\Application Data\sacache
2008-03-21 20:09 --------- d-----w C:\Program Files\Nexus
2008-03-20 06:30 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 04:25 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Microsoft Games
2008-03-12 05:45 39,888 ----a-w C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
2008-02-21 06:14 1,984 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 21:09 579584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 01:27:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 1:29:06
ComboFix-quarantined-files.txt 2008-05-18 05:28:50
ComboFix2.txt 2008-05-14 02:18:02

Pre-Run: 9,286,832,128 bytes free
Post-Run: 9,275,953,152 bytes free

122 --- E O F --- 2008-05-16 05:09:50

  • 0
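A small parser for the "Files with Hidden Attributes" section of the SDFix report posted above, added here as an example; it is not SDFix's own code and not from anyone in this thread. The sample input is the six lines copied from that report. The triage rule (flag executables that carry the system or hidden attribute, and system-attributed application files under Program Files) is an assumption of this example: it surfaces the entries an analyst would check next (publisher, hash, install date), and a listing is not a verdict that the file is malicious.

```python
"""Triage the "Files with Hidden Attributes" section of an SDFix report.

Added example (not SDFix code, not from the forum thread). SAMPLE_REPORT
is copied from the SDFix report posted above; the triage rule is an
assumption of this example and only marks files for a closer look.
"""
import os
import re
from dataclasses import dataclass

# One report line looks like:
#   Thu 12 Apr 2007 50,688 ..SHR --- "C:\Program Files\...\Setup.exe"
# i.e. weekday, day, month, year, size (with thousands separators),
# a five-character attribute field, "---", and the quoted path.
LINE_RE = re.compile(
    r'^(?P<dow>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4}) '
    r'(?P<size>\d[\d,]*) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)

# Extensions treated as executable content for triage (assumption of this example).
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".com", ".pif"}

# Lines taken from the SDFix report in this thread, used as sample input.
SAMPLE_REPORT = r'''
Files with Hidden Attributes :

Fri 22 Feb 2008 49 ...H. --- "C:\Documents and Settings\All Users\Application Data\aoexp.tmp"
Fri 2 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 May 2008 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Thu 12 Apr 2007 50,688 ..SHR --- "C:\Program Files\ZakFromAnotherPlanet\VBRunDLL\Setup.exe"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
'''


@dataclass
class HiddenFile:
    path: str
    size: int
    archive: bool   # 'A' in the attribute field
    system: bool    # 'S'
    hidden: bool    # 'H'
    readonly: bool  # 'R'


def parse_line(line: str):
    """Return a HiddenFile for one report line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return HiddenFile(
        path=m.group("path"),
        size=int(m.group("size").replace(",", "")),
        archive="A" in attrs,
        system="S" in attrs,
        hidden="H" in attrs,
        readonly="R" in attrs,
    )


def parse_report(text: str):
    """Collect every parseable entry between the section header and 'Finished!'."""
    entries = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("Files with Hidden Attributes"):
            in_section = True
            continue
        if in_section and line.startswith("Finished!"):
            break
        if in_section:
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def triage(entries):
    """Return [(path, reasons)] for entries worth a closer look (heuristic, not a verdict)."""
    findings = []
    for e in entries:
        ext = os.path.splitext(e.path)[1].lower()
        reasons = []
        if ext in EXEC_EXTS and (e.system or e.hidden):
            flags = "+".join(name for name, on in (("system", e.system),
                                                    ("hidden", e.hidden),
                                                    ("readonly", e.readonly)) if on)
            reasons.append(f"{ext} with {flags} attributes")
        if ext in EXEC_EXTS and e.system and "\\program files\\" in e.path.lower():
            reasons.append("system attribute on an application file under Program Files")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_report(SAMPLE_REPORT)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the report, the rule surfaces the two executables (Setup.exe under Program Files with system+hidden+read-only set, and the hidden Launchpad Removal.exe in the U3 temp folder) and skips the .tmp and .bak entries; the next step for either would be checking the file's publisher and hash, not deleting it on the strength of the attributes alone.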

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you run a full scan with AVG yet? If not, check for updates and then run the full virus scan to see if it can pick up anything else. If so, see if they are in the same location.
  • 0

#14
sunny441

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 258 posts
Yes:

I have updated and run AVG several times. In fact, every time I get the popup window with the notification of the bad file, I have run AVG and each time the result is the same - nothing was found!
  • 0

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Can you give me a few of the files it found in that location (you said My Documents folder right)? Go into the AVG virus vault and give me the files listed there. Are they all detected as the I-Worm infection?
  • 0
