Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

WinantivirusPro [RESOLVED]


  • This topic is locked This topic is locked

#1
checkfire6

checkfire6

    Member

  • Member
  • PipPip
  • 22 posts
I got this malware last night, like a fool thought that if I bought this seemingly good antivirus all the pop ups would stop and computer would return to normal. Somehow I've lost access to the internet on my infected laptop and therefore can not load all the necessary software that is available to remove it.

How do I regain access to the internet to continue with the process.
  • 0

Advertisements


#2
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi checkfire6 and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • I recommend you make a backup of any data that you have created, such as documents, pictures, music, ect... before we begin the fix.

You must have another PC to get on the internet with correct? As you are posting here. To get the internet back first try this. You can download it on a good PC and copy it to a flash drive or CD and run from there.

WinsockFix to restore internet connectivity.

http://www.spychecke...nsockxpfix.html

The Winsockfix Utility will:
· Detect your current Operating System
· Release the IP address, taking you "Offline"
· Reset the TCP stack using Netsh.exe (Windows XP only)
· Delete the current Registry TCP and Winsock Values
· Import new "Working" Registry Values
· Backup any Current "Hosts" file
· Replace the "Hosts" file with a default one
· Reboot the Computer

Instructions:
http://www.home-netw...winsockfix.html

Hopefully that will get your internet back, if so continue with the following. If not let me know and we'll go from there.

Please read through and follow the steps in the following link below. If the steps do not work then post a HijackThis log as advised at the end of the post. Post the HijackThis log back here by using the Add Reply button, do not start a new topic.

You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide
  • 0

#3
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thanks Dave, let me start the back-up, hopefully I won't back up any of the bad stuff, then I'll download WinsockFix to a usb drive and insert it into my infected laptop and go from there. I'll post sometime tomorrow as I have company coming over in a while.
  • 0

#4
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Dave, am running the Super Anti spy software now and think I may have screwed up. See Below:

"SUPERAntiSpyware Home Edition (free version) – Download - Home Page
Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen"

when I opened the preferences there were already some of the options checked and I did not uncheck them. So, therefore there were more checked than the three you've indicated.
  • 0

#5
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
I wouldn't worry too much about it. If it hasn't finished just terminate the scan and start over. If it has completed just move on...
  • 0

#6
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
OK it's been running for over 20 min and has scanned 20K files.
  • 0

#7
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I can't believe this. I have done everything that you have indicated and after Panda ran the scan which took over an hour, I had to register to disinfect the two files and after clicking REGISTER that dam WinAntivirus Pro Logo came up again.

Guess I have to go through everything again.
  • 0

#8
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hold on... :)

Go ahead and follow the instructions to download, run, and post the HijackThis log. I can give you some more specific instructions to get things cleaned up.

Hang in there we'll get it.

Dave
  • 0

#9
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
OK
  • 0

#10
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Have done as you've said and here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:15 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {C0690CA5-C80B-4F09-8DAA-31C0924AE1B9} - C:\PROGRA~1\NETFIL~1\NETFIL~1.DLL
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...vex-2.2.3.0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6063 bytes
  • 0

Advertisements


#11
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#12
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thanks for all your trouble:

SmitFraudFix v2.323

Scan done at 17:04:52.17, Sat 06/07/2008
Run from E:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Larry La Chapelle


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Larry La Chapelle\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LARRYL~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#13
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
It's no trouble, like most helpers I do this because I enjoy it and enjoy the challenge.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#14
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Got it and am executing now.
  • 0

#15
checkfire6

checkfire6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Does what I do automatically create a new HJT log or do I have to something else.

Here's the Combo fix log:

ComboFix 08-06-07.1 - Larry La Chapelle 2008-06-07 19:31:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.397 [GMT -4:00]
Running from: E:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CMMGR32.EXE
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 17:03 . 2008-06-07 17:04 424 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-07 17:02 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-07 17:02 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-07 17:02 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-07 17:02 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-07 17:02 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-07 17:02 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-07 17:02 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-07 17:02 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-07 14:47 . 2008-06-07 14:48 <DIR> d-------- C:\Program Files\Panda Security
2008-06-07 13:35 . 2004-08-10 06:00 4,639 --a------ C:\WINDOWS\system32\dllcache\mplayer2.exe
2008-06-07 13:27 . 2008-06-07 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-07 13:26 . 2008-06-07 14:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-07 13:26 . 2008-06-07 13:26 <DIR> d-------- C:\Documents and Settings\Larry La Chapelle\Application Data\SUPERAntiSpyware.com
2008-06-07 13:25 . 2008-06-07 13:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 13:10 . 2008-06-07 13:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 13:10 . 2008-06-07 13:10 <DIR> d-------- C:\Documents and Settings\Larry La Chapelle\Application Data\Malwarebytes
2008-06-07 13:10 . 2008-06-07 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 13:10 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 13:10 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 13:09 . 2008-06-07 13:09 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-04 15:16 . 2008-06-04 15:16 <DIR> d-------- C:\Program Files\NetFilter
2008-05-29 14:43 . 2008-06-04 15:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 14:43 . 2008-05-29 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 06:33 . 2008-05-28 06:34 <DIR> d-------- C:\Program Files\iTunes
2008-05-28 06:33 . 2008-05-28 06:33 <DIR> d-------- C:\Program Files\iPod
2008-05-28 06:09 . 2008-05-28 06:09 <DIR> d-------- C:\Documents and Settings\Larry La Chapelle\Application Data\Sony Corporation
2008-05-19 09:38 . 2006-10-30 13:46 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-05-19 09:38 . 2006-10-30 13:46 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-05-19 09:38 . 2006-10-30 13:46 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-05-19 09:38 . 2006-10-30 13:46 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-05-19 09:38 . 2006-10-30 13:46 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-05-19 09:38 . 2006-10-30 13:46 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-05-19 09:38 . 2006-08-28 21:48 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-19 09:38 . 2006-08-28 21:48 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-19 09:36 . 2008-05-19 09:36 <DIR> d-------- C:\Program Files\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 20:37 --------- d-----w C:\Program Files\Trend Micro
2008-06-07 17:35 --------- d-----w C:\Program Files\NetWaiting
2008-06-07 17:35 --------- d-----w C:\Program Files\Intellimover
2008-05-28 10:51 --------- d-----w C:\Program Files\QuickTime
2008-05-28 10:41 --------- d-----w C:\Program Files\Apple Software Update
2008-05-19 13:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-05-02 20:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 20:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 20:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2007-02-08 19:15 88 --sh--r C:\WINDOWS\system32\753E1F8FA4.sys
2007-11-01 11:25 56 --sh--r C:\WINDOWS\system32\A48F1F3E75.sys
2007-11-01 11:26 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0690CA5-C80B-4F09-8DAA-31C0924AE1B9}]
2008-06-04 15:16 476160 --a------ C:\PROGRA~1\NETFIL~1\NETFIL~1.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-07 14:41 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

C:\Documents and Settings\Larry La Chapelle\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-05-19 09:36:50 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-30 22:11:16 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-07 14:41 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-07 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Ashlar-Vellum\\Cobalt v7 SP2\\exe\\Cobalt.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2005-06-10 16:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{123630d0-dc7b-11da-9dd1-001422a49561}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 10:16:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 19:33:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 19:34:50
ComboFix-quarantined-files.txt 2008-06-07 23:34:23

Pre-Run: 34,905,387,008 bytes free
Post-Run: 35,254,890,496 bytes free

147 --- E O F --- 2008-05-19 22:12:56
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP