
Win32.Trojan.Yspy


This topic is locked

#331 JSntgRvr (Global Moderator, 11,579 posts)
Right click on ComboFix.exe and select Delete. Empty your Recycle Bin. Then download the latest version from here.

#332 kelkay (Topic Starter, Member, 423 posts)
I think what I did last night with ComboFix messed up my computer a bit when things got rough, when it restarted. Today I did a defrag, and it nearly shut the computer down, very slow at the end. Last night I was running Ad-Aware and it gave me the blue screen, which it has never done before. I ran an AV check on the home computer with Kaspersky AV, and it showed no infections on the scan.

#333 JSntgRvr (Global Moderator, 11,579 posts)

I think what I did last night with ComboFix messed up my computer a bit when things got rough, when it restarted. Today I did a defrag, and it nearly shut the computer down, very slow at the end. Last night I was running Ad-Aware and it gave me the blue screen, which it has never done before. I ran an AV check on the home computer with Kaspersky AV, and it showed no infections on the scan.

That must be pure coincidence. The program won't do anything like that.

#334 kelkay (Topic Starter, Member, 423 posts)
Alright, I will go offline and do the thing again... have to let the dog out first, then I will start it... THANKS.

#335 kelkay (Topic Starter, Member, 423 posts)

I think what I did last night with ComboFix messed up my computer a bit when things got rough, when it restarted. Today I did a defrag, and it nearly shut the computer down, very slow at the end. Last night I was running Ad-Aware and it gave me the blue screen, which it has never done before. I ran an AV check on the home computer with Kaspersky AV, and it showed no infections on the scan.

That must be pure coincidence. The program won't do anything like that.

I thought it was because of the problems I had pulling that file in, and it started the program with everything active. There must have been close to a hundred firewall warnings, or AV, I cannot remember now... and it almost shut down the computer before I stopped all the firewall, AV, and malware stuff. Maybe it was a coincidence... I have no idea. All I know is it was rough. I didn't know what to do, but decided I'd better do something fast. Now I know what to expect... hehehe. Anyway, I will start it as quickly as I can.

#336 JSntgRvr (Global Moderator, 11,579 posts)
Sometimes when you suspend a program things may go wrong. The program can back up and kill some processes for its own benefit. It should then restore those entries prior to its final process. If you suspend the program in the middle of it, it may not recover those changes. If it worked on the first run, it should also run on the second, third, and so forth. Don't click on or close ComboFix unless it hangs. Let it do whatever it needs to do.

#337 kelkay (Topic Starter, Member, 423 posts)
ComboFix 08-07-24.6 - Kelly 2008-07-25 19:34:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.587 [GMT -5:00]
Running from: C:\Documents and Settings\Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kelly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\avexport.bat
C:\cleanup.bat
C:\cleanup.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exe
C:\install.bat
C:\Program Files\wt3d.ini
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\TEMP\mc21.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.bat
.
---- Previous Run -------
.
C:\avexport.bat
C:\cleanup.bat
C:\cleanup.exe
C:\Program Files\wt3d.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Legacy_OYKNVASYNG
-------\Service_MEMSWEEP2
-------\Service_OYKNVASYNG
-------\Legacy_MCHINJDRV
-------\Service_mchInjDrv


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-22 20:51 . 2008-07-22 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-19 14:37 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-17 21:50 . 2008-07-17 21:51 <DIR> d-------- C:\Program Files\FlySim
2008-07-15 09:08 . 2008-07-15 09:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-15 09:08 . 2008-07-25 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 09:08 . 2008-07-25 19:43 9,388,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 09:08 . 2008-07-25 19:41 126,788 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 09:08 . 2008-07-25 19:42 118,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 09:08 . 2008-07-24 08:58 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-15 09:08 . 2008-07-24 08:58 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-15 09:08 . 2008-07-25 19:41 12,164 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 09:06 . 2008-07-15 09:06 <DIR> d-------- C:\kav
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\abelhadigital.com
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-07-11 10:21 . 2008-07-13 15:00 6,735,942 --a------ C:\backup.reg
2008-07-09 18:45 . 2008-07-09 18:45 <DIR> d-------- C:\Program Files\Tall Emu
2008-07-09 18:45 . 2008-07-25 19:45 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-07-25 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-07-09 19:05 75,776 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-07-09 18:45 . 2008-04-17 05:22 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-07-09 18:45 . 2008-07-09 19:05 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-07-09 09:55 . 2008-06-20 06:51 361,600 --------- C:\WINDOWS\system32\drivers\tcpip.sys
2008-07-09 09:55 . 2008-06-20 06:08 225,856 --------- C:\WINDOWS\system32\drivers\tcpip6.sys
2008-07-09 09:55 . 2008-06-20 06:40 138,496 --------- C:\WINDOWS\system32\drivers\afd.sys
2008-07-04 14:02 . 2008-07-04 14:02 <DIR> d-------- C:\Program Files\HostsMan
2008-07-03 22:34 . 2008-07-03 22:34 <DIR> d-------- C:\Program Files\HD Tune
2008-07-01 01:04 . 2008-07-01 01:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-01 01:04 . 2008-07-01 01:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-01 01:04 . 2008-07-01 01:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-01 01:04 . 2008-07-01 01:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-01 01:02 . 2008-07-01 01:04 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-01 00:48 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-06-28 14:40 . 2008-06-28 14:40 <DIR> d-------- C:\Program Files\ESET
2008-06-28 14:40 . 2008-06-28 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-28 11:59 . 2008-06-28 11:59 39,424 --a------ C:\WINDOWS\zipinst.exe
2008-06-27 23:32 . 2008-06-27 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-27 23:32 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 00:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-25 21:04 --------- d-----w C:\Program Files\OpenTalk
2008-07-24 23:44 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 23:31 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-24 23:28 --------- d-----w C:\Program Files\SpywareGuard
2008-07-24 01:09 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 15:14 --------- d-----w C:\Program Files\Lavasoft
2008-07-21 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-07-15 14:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-14 16:08 --------- d-----w C:\Program Files\Java
2008-07-10 02:00 --------- d-----w C:\Program Files\HP
2008-07-10 01:52 --------- d-----w C:\Program Files\kontiki
2008-07-10 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-04 15:59 --------- d-----w C:\Program Files\SpeedFan
2008-07-02 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 16:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 23:15 --------- d-----w C:\Program Files\Napster
2008-06-29 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\RunOff
2008-06-29 15:55 --------- d-----w C:\Program Files\MSECache
2008-06-28 22:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-28 22:03 --------- d-----w C:\Program Files\SureThing
2008-06-28 22:03 --------- d-----w C:\Program Files\QuickTime
2008-06-28 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 22:02 --------- d-----w C:\Program Files\Logitech
2008-06-28 22:02 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-28 22:02 --------- d-----w C:\Program Files\GemMaster
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\aolshare
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-28 22:02 --------- d-----w C:\Program Files\CD to MP3 Freeware
2008-06-28 22:02 --------- d-----w C:\Program Files\BitComet
2008-06-28 22:02 --------- d-----w C:\Program Files\Audible
2008-06-28 19:34 --------- d-----w C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-06-28 19:24 --------- d-----w C:\Program Files\DrWeb
2008-06-28 17:09 --------- d-----w C:\Program Files\WinUpdatesList
2008-06-28 05:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-24 23:57 --------- d-----w C:\Program Files\Shockwave.com
2008-06-16 20:01 2,869,536 ----a-w C:\spywareblastersetup41.exe
2008-06-16 02:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-16 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:36 --------- d-----w C:\Program Files\iTunes
2008-06-12 20:36 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-06-12 20:35 --------- d-----w C:\Program Files\iPod
2008-06-12 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-12 20:29 --------- d-----w C:\Program Files\Apple Software Update
2008-06-12 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-06 13:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 13:55 23,454,528 ----a-w C:\AdbeRdr812_en_US.exe
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 04:30 1,756,760 ----a-w C:\mbam-setup.exe
2008-06-05 00:37 --------- d-----w C:\Program Files\Trend Micro
2008-06-05 00:25 --------- d-----w C:\Program Files\7-Zip
2008-06-04 19:37 142,096 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-29 04:22 --------- d-----w C:\Documents and Settings\Kelly\Application Data\AdobeUM
2008-05-28 19:39 --------- d-----w C:\Program Files\MTV Virtual World
2007-12-17 15:57 1,646 ----a-w C:\Documents and Settings\Kayla\Application Data\wklnhst.dat
2006-11-28 05:00 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-24_18.23.03.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-07-24 02:09:25 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-25 14:24:25 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-24 02:09:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-25 14:24:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-24 02:09:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-25 14:24:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 19:12 1695232]
"HostsMan"="C:\Program Files\HostsMan\hm.exe" [2008-06-16 04:19 2847232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2006-11-20 23:59 3920384]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 17:50 7311360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-17 05:22 5606464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 19:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Kayla\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-07-31 20:44:35 27136]

C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-04-17 05:22 671432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-11-23 17:12 851968 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-16 00:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2006-11-28 12:47 1040832 C:\Program Files\kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-05-09 17:50 7311360 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PwrUpTweakMe]
--a------ 2005-09-12 11:36 45056 C:\WINDOWS\system32\puxptwks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-23 00:14 237568 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-03-11 19:47 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--------- 2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20566:TCP"= 20566:TCP:BitComet 20566 TCP
"20566:UDP"= 20566:UDP:BitComet 20566 UDP

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-07-09 19:05]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-07-09 19:05]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 05:22]
R2 SvcOnlineArmor;Online Armor;C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2008-04-17 05:22]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 13:47]

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-07-25 20:42:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-26 00:43:46 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exeA
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 19:43:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-25 19:52:40 - machine was rebooted [Kelly]
ComboFix-quarantined-files.txt 2008-07-26 00:52:31
ComboFix2.txt 2008-07-24 23:24:04

Pre-Run: 193,000,161,280 bytes free
Post-Run: 192,988,532,736 bytes free

290 --- E O F --- 2008-07-09 18:55:03

#338 kelkay (Topic Starter, Member, 423 posts)
I had trouble this time running ComboFix. It gave me an error message as follows:
NirCmd.cfexe-Application Error
exception unknown software exception (0x0eedfade) occured in the application 0x7o812aeb

Then it gave Runtime Error 217 at 00982714

After I clicked OK to these two things, it ran. All the things that were supposed to be cut off were. Whether or not the program did what it should have, I don't know. (ComboFix)

#339 JSntgRvr (Global Moderator, 11,579 posts)
Seems clear now. You have unchecked Services and Programs in the configuration system. I can remove those for good, but it is your option.

How is the computer doing?
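The "unchecked Services and Programs in the configuration system" that JSntgRvr refers to are the items ComboFix lists under the `shared tools\msconfig` keys in its Reg Loading Points section: on Windows XP, unchecking a service in msconfig stores the service's original Start type under `msconfig\services` and unchecking a startup program moves its Run value under `msconfig\startupreg`. A helper that pulls those entries out of a ComboFix log and summarizes them for a triage note is added here as an editor's example; it is not code from the thread or from ComboFix. The sample input is an excerpt of the log posted above, and the Start-type meanings (2 automatic, 3 manual, 4 disabled) are the standard Service Control Manager values; treating `Run-` as a parking key used by startup managers is this example's assumption.

```python
import re

# Windows Service Control Manager "Start" values (standard meaning, not from the thread).
START_TYPES = {2: "automatic", 3: "manual", 4: "disabled"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
STARTUPREG_RE = re.compile(r"msconfig\\startupreg\\(.+)$", re.IGNORECASE)
SERVICES_RE = re.compile(r"msconfig\\services$", re.IGNORECASE)
# Assumption: the Run- key is where startup managers park Run values they disabled.
RUN_MINUS_RE = re.compile(r"currentversion\\run-$", re.IGNORECASE)
# ComboFix file line: attribute flags, date, time, size, then the path.
FILE_LINE_RE = re.compile(r"^\S+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Sample input: lines excerpted from the ComboFix "Reg Loading Points" section
# posted in this thread, trimmed to the msconfig-related keys.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-16 00:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2006-11-28 12:47 1040832 C:\Program Files\kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
"""


def parse_msconfig_section(log_text):
    """Collect what msconfig (and similar tools) has parked, from ComboFix output."""
    result = {"services": {}, "startup_items": {}, "run_minus": {}}
    section = None
    startup_name = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            key = header.group(1)
            sub = STARTUPREG_RE.search(key)
            if sub:
                section, startup_name = "startupreg", sub.group(1)
            elif SERVICES_RE.search(key):
                section = "services"
            elif RUN_MINUS_RE.search(key):
                section = "run_minus"
            else:
                section = None  # any other key: ignore its lines
            continue
        if section == "startupreg":
            m = FILE_LINE_RE.match(line)
            if m:
                result["startup_items"][startup_name] = m.group(1)
        elif section == "services":
            m = VALUE_RE.match(line)
            if m:
                # The value is the service's original Start type, e.g. '2 (0x2)'.
                result["services"][m.group(1)] = int(m.group(2).split()[0])
        elif section == "run_minus":
            m = VALUE_RE.match(line)
            if m:
                result["run_minus"][m.group(1)] = m.group(2)
    return result


def summarize(parsed):
    """One human-readable line per parked item, for a triage note."""
    lines = []
    for name, path in sorted(parsed["startup_items"].items()):
        lines.append(f"startup item unchecked in msconfig: {name} -> {path}")
    for name, path in sorted(parsed["run_minus"].items()):
        lines.append(f"Run value parked under Run-: {name} -> {path}")
    for name, start in sorted(parsed["services"].items()):
        kind = START_TYPES.get(start, "unknown")
        lines.append(
            f"service unchecked in msconfig: {name} (original Start={start}, {kind})"
        )
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_msconfig_section(SAMPLE_LOG)):
        print(entry)
```

Run against the full log above, the services list shows why the moderator later supplies a registry fix: the parked Start values belong to Symantec services that were unchecked rather than uninstalled, so re-checking them in msconfig (or merging a .reg file that restores those Start values) is what brings them back.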

#340 kelkay (Topic Starter, Member, 423 posts)
I do not know what that means. What do you suggest?
I had to run to the store, and do not know how it is running. You mean I am finally CLEAR of infections???
:)

Edited by kelkay, 25 July 2008 - 07:57 PM.


#341 kelkay (Topic Starter, Member, 423 posts)
As far as how the computer is running... I have been browsing just to see. The browsing part is great, MUCH FASTER. It is close to the speed it used to run loading pages. One thing I noticed that was odd is that IObit defrag said I was on medium need to defrag today. So I defragged. Well, after the ComboFix job I restarted, and now oddly, IObit said I needed to defrag. So I decided just to do the C drive this time. Now my optimization is Excellent once again. I found that odd. Otherwise the computer is running very well from what I have done. This is exciting. It has been a long road to get here, and I couldn't have done it without the awesome people here. I will run a HijackThis so you can take a peek and see what you think. As far as that thing you mentioned tonight... please explain that to me, I have no idea what you were talking about, I don't even know what program it belonged to. (unchecked) What configuration system, I mean...

Edited by kelkay, 25 July 2008 - 08:23 PM.


#342 kelkay (Topic Starter, Member, 423 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:37, on 7/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\HostsMan\hm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} (OMN Player Support) - http://kdx.omn.org/s...ayerSupport.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} (OMN Media Publisher) - http://kdx.omn.org/s...iaPublisher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave...h2.1.0.0.67.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165348971449
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8726 bytes
  • 0

#343
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, kelkay :)

The logs show no sign of malware.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

That should take care of an orphan entry by Panda. (If your security complains, allow this change)

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, open the folder and double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer

That should take care of the disabled Services that were part of Norton. (If your security complains, allow this change)

If all the above goes without a hitch, the following will bring to a close our intervention:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Best wishes!
  • 0
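The entry the moderator asks to fix is an "orphan" O16 DPF line: a CLSID with no control name and no source after the dash. The following is an added example, not code from this thread or from HijackThis, that parses O16 and O23 lines in the log's format and flags such orphans plus services listed as "Unknown owner"; the sample lines are constructed (the URL and paths are shortened), and parse_hjt and flag_entries are hypothetical names.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above:
# one orphan O16 entry and one service with no named publisher.
SAMPLE_LOG = """\
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.example/muweb.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\avp.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\\Program Files\\SanDisk\\SansaSvr.exe
"""

# O16: "O16 - DPF: {CLSID} (Name) - source"; name and source may be absent.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))? -\s*(?P<src>.*)$"
)
# O23: "O23 - Service: Name (Short) - Owner - Path"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return the O16 and O23 entries of a HijackThis log as dicts."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = O16_RE.match(line)
        if m:
            entries.append({"type": "O16", "clsid": m["clsid"],
                            "name": m["name"] or "", "src": m["src"]})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"type": "O23", "name": m["name"],
                            "owner": m["owner"], "path": m["path"]})
    return entries


def flag_entries(entries):
    """Flag entries worth a second look: orphan DPF controls (no name, no
    source) and services with no named publisher. Neither is malware by
    itself; the Sansa service here is a legitimate SanDisk updater."""
    flags = []
    for e in entries:
        if e["type"] == "O16" and not e["name"] and not e["src"]:
            flags.append(("orphan-dpf", e["clsid"]))
        elif e["type"] == "O23" and e["owner"] == "Unknown owner":
            flags.append(("unknown-owner-service", e["name"]))
    return flags
```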

#344
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
:) I am so thrilled to hear this news. You cannot imagine. I have been working on this for so long, it seemed it was never ending. To know I am at the end of the road with this, is such a relief. You have made my day....my whole month!!! I wish I could give you a hug that is how excited I am. I will do those steps asap. I already deleted the ComboFix because I was afraid that the av would attack it again. So I thought if I needed it, I could redownload it. I did have ERUNT in the past, but downloaded it and didn't know what to do with it. I don't know if it is even still on my machine or not. I may have deleted it a long time ago, because I didn't know how to use it. I will look at the other stuff you mentioned that I don't already have. THANK YOU SO MUCH.
  • 0

#345
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
I checked the file, and hit fix. Then it popped up with a screen that I will attach. The scan button was darkened. I am not sure if I should have clicked scan after that or not. Is this the way it should have worked?
Well when I tried to attach the file of the print screen, it says I did not select a file, even though I did, and I hit upload. I will do another HiJack This, and see if that file is still there.

Ok well it did delete the file. I will look at your other stuff you wanted me to do now.

Okay I did everything on the list besides investigate the programs you mentioned. I have a question though. What about the reg.fix and regfix.zip files on my desktop, what do I do with them?

Edited by kelkay, 26 July 2008 - 12:20 PM.

  • 0