
"VIRUS ALERT" in the toolbar, Spyware&Malware protector,


  • This topic is locked

#16
Mike


    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Do this before the runscanner step. You're giving me a lot of practice with doing stuff manually :)

  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Please open Notepad by going to Start > Run and typing Notepad.exe in the window that pops up. Press Enter and, in the Notepad window that appears, Copy (Ctrl+C) and Paste (Ctrl+P) the following:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoToolbarCustomize"=-
"NoDrives"=-
"StartMenuLogoff"=-
"NoStartMenuMorePrograms"=-
"NoSetFolders"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"NoDispCPL"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Note: it is important to copy this with the spacing left as it is, also make sure "REGEDIT4" is the first thing in Notepad (No spaces ahead or anything).

In Notepad click on the "File" menu > Save As... Under "File name" type Fix.reg and Change "Save as type" to All Files
Now double click Fix.reg. A pop-up will appear asking you if you want to import this to your registry; click yes.

Then,

Download the attached text file. Open the file with Notepad.

In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.


Double click on fix.bat.

A notepad file looksee.txt will appear - post the results.

Go ahead with the other steps please.
  • 0
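
Added example, not part of the original post: a small Python parser that lists what the Fix.reg file above would do before it is imported, including decoding the hex(7) data. The function names and the cp1252 code page for REGEDIT4 strings are assumptions of this example.

```python
import re

# Fix.reg exactly as given in the post above, embedded as sample input.
FIX_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoToolbarCustomize"=-
"NoDrives"=-
"StartMenuLogoff"=-
"NoStartMenuMorePrograms"=-
"NoSetFolders"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"NoDispCPL"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Header -> encoding of string data stored as hex(1)/hex(2)/hex(7).
HEADERS = {
    "REGEDIT4": "cp1252",  # ANSI strings; cp1252 is an assumption
    "Windows Registry Editor Version 5.00": "utf-16-le",
}
HEX_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ",
             3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _unquote(quoted):
    """Strip the surrounding quotes and undo \\\\ and \\" escapes."""
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def _describe(key, name, data, encoding):
    op = {"key": key, "name": name}
    if data == "-":                      # "name"=-  removes the value
        return {**op, "action": "delete_value"}
    op["action"] = "set_value"
    if data.startswith('"'):
        return {**op, "type": "REG_SZ", "data": _unquote(data)}
    if data.lower().startswith("dword:"):
        return {**op, "type": "REG_DWORD", "data": int(data[6:], 16)}
    m = HEX_RE.match(data)
    if not m:
        raise ValueError(f"unsupported value data: {data!r}")
    type_id = int(m.group(1), 16) if m.group(1) else 3
    blob = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if type_id == 7:                     # NUL-separated list, double-NUL end
        text = blob.decode(encoding).rstrip("\x00")
        value = text.split("\x00") if text else []
    elif type_id in (1, 2):
        value = blob.decode(encoding).rstrip("\x00")
    else:
        value = blob
    return {**op, "type": HEX_TYPES.get(type_id, f"type {type_id}"),
            "data": value}


def parse_reg(text):
    """Return the list of operations a .reg file would perform."""
    lines = text.lstrip("\ufeff").splitlines()
    # As the post notes, the header must be the very first thing in the file.
    if not lines or lines[0].rstrip() not in HEADERS:
        raise ValueError("file does not start with a .reg header")
    encoding = HEADERS[lines[0].rstrip()]
    ops, key, pending = [], None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continued on next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):      # [-KEY] removes the whole key
                ops.append({"action": "delete_key", "key": key[1:]})
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
        ops.append(_describe(key, name, m.group(2).strip(), encoding))
    return ops


def summarize(ops):
    """One human-readable line per operation."""
    out = []
    for op in ops:
        if op["action"] == "set_value":
            out.append(f'SET    {op["key"]}\\{op["name"]} '
                       f'({op["type"]}) = {op["data"]!r}')
        else:
            target = op["key"] + ("\\" + op["name"] if "name" in op else "")
            out.append(f'DELETE {target}')
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_reg(FIX_REG))))
```

For the file in the post, the output shows eight value deletions under the two Policies keys and one REG_MULTI_SZ write that sets Authentication Packages to the single entry msv1_0.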



#17
RedTsunami

    Member

  • Topic Starter
  • Member
  • 12 posts
Ugh...crud...when I try to open "fix.reg" I get a message that says:

"Registry Editing has been disabled by your administrator"

Other than that, though, the steps before it were successful.
  • 0

#18
Mike


    Malware Monger

  • Retired Staff
  • 2,745 posts
Continue with the rest please :)
  • 0

#19
Mike


    Malware Monger

  • Retired Staff
  • 2,745 posts
Also... see if you can get ComboFix to run by re-naming it to Combo-Fix
  • 0

#20
RedTsunami

    Member

  • Topic Starter
  • Member
  • 12 posts
In "looksee" it says...

"File not found
File not deleted
File not found"

And also, I can't believe it, but your suggestion for renaming combofix actually worked. But it says:

"Roughly 1/100 machines failed to make it through the disinfection process !!
Are you sure you want to do this??"

I hit no, because I'm not sure what this means, and I don't really want to kill my comp.

ALSO, it's odd: I ran combofix once, and hit no at the message, but the icon "disappeared" from my desktop. I downloaded it again, and tried to put it on the desktop, but it treated it as a shortcut and didn't work. Then I just ran it straight from my flash drive and it worked.
  • 0

#21
Mike


    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there, click yes to that disclaimer(s) and let combofix run - if you can get combofix to run that is the best choice.
  • 0

#22
RedTsunami

    Member

  • Topic Starter
  • Member
  • 12 posts
All right! I ran ComboFix (finally). It went through pretty smoothly. Now I can see the other icons in my start menu, and I can go online! Awesome! Also, the big "VIRUS ALERT!" warning next to my time and date is gone.

The only thing I can notice right now that hasn't been fixed is that my time is still in military, and my date is completely gone. I don't think this is too important to fix, but is there a way I can easily fix this? I'll post the log from combofix too, just cause. There might be other things that don't work, but I haven't noticed them, so I'll just let ya know if anything comes up.

Other than that, though, you've been a great help! Thanks!







ComboFix 08-07-20.A0 - Mikael Myggen 2008-07-21 12:58:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT -7:00]
Running from: G:\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mikael Myggen\Start Menu\Programs\Startup\.lnk
C:\Documents and Settings\Mikael Myggen\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Mikael Myggen\Start Menu\Programs\Startup\think-adz.lnk
C:\Temp\fse
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\eswa.exe
C:\WINDOWS\gpefaowr.exe
C:\WINDOWS\system32\acwdbgic.dll
C:\WINDOWS\system32\adoaickm.dll
C:\WINDOWS\system32\adpmfxna.ini
C:\WINDOWS\system32\anxfmpda.dll
C:\WINDOWS\system32\aopyjr.dll
C:\WINDOWS\system32\byXNdaxu.dll
C:\WINDOWS\system32\ceborm.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\crykar.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\dsnodpqy.ini
C:\WINDOWS\system32\eahoxngv.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f12WtR
C:\WINDOWS\system32\fccBuVMf.dll
C:\WINDOWS\system32\fMVuBccf.ini
C:\WINDOWS\system32\fMVuBccf.ini2
C:\WINDOWS\system32\hjxdetlu.ini
C:\WINDOWS\system32\indtvmno.dll
C:\WINDOWS\system32\jcdjlz.dll
C:\WINDOWS\system32\jryyjsce.ini
C:\WINDOWS\system32\kjlgpl.dll
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mvrqeudx.dll
C:\WINDOWS\system32\onmvtdni.ini
C:\WINDOWS\system32\oywpar.dll
C:\WINDOWS\system32\peqpsnus.dll
C:\WINDOWS\system32\pmkkcn.dll
C:\WINDOWS\system32\pnggdk.dll
C:\WINDOWS\system32\qywfbcab.ini
C:\WINDOWS\system32\sckvvhrl.ini
C:\WINDOWS\system32\skbdapvh.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\trkaqpss.dll
C:\WINDOWS\system32\tuvWopnm.dll
C:\WINDOWS\system32\ubqeqcan.dll
C:\WINDOWS\system32\ujjnfs.dll
C:\WINDOWS\system32\vashmuby.dll
C:\WINDOWS\system32\weenghfa.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wwhmwbop.ini
C:\WINDOWS\system32\xmvirmpr.dll
C:\WINDOWS\system32\ysdcxtyv.ini
C:\WINDOWS\system32\zulxrn.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_DOMAINSERVICE
-------\Legacy_OHCIUSB
-------\Service_DomainService
-------\Service_ohciusb


((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 01:36 . 2008-07-20 01:37 <DIR> d-------- C:\Program Files\ERUNT
2008-07-16 12:37 . 2008-07-16 12:37 <DIR> d-------- C:\Deckard
2008-07-12 01:50 . 2008-07-12 02:17 2,092 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-12 01:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-12 01:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-12 01:47 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-12 01:47 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-12 01:47 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-12 01:47 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-12 01:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-12 01:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-12 01:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-12 01:04 . 2008-07-12 00:50 1,478,367 --a------ C:\SmitfraudFix.exe
2008-07-12 01:03 . 2008-07-12 01:03 <DIR> d-------- C:\Documents and Settings\Administrator.MIKAEL
2008-07-12 00:26 . 2008-07-12 00:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-11 23:53 . 2003-03-31 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 13:15 . 2008-07-21 13:15 <DIR> d-------- C:\Program Files\Steam
2008-06-28 15:15 . 2008-07-16 01:31 <DIR> d-------- C:\Documents and Settings\Mikael Myggen\Application Data\SPORE Creature Creator
2008-06-28 15:03 . 2008-06-28 15:03 <DIR> dr-h----- C:\Documents and Settings\Mikael Myggen\Application Data\SecuROM
2008-06-28 14:20 . 2008-06-28 14:54 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-28 14:15 . 2008-06-28 14:15 <DIR> d-------- C:\Documents and Settings\Mikael Myggen\Application Data\DAEMON Tools
2008-06-28 14:15 . 2008-06-28 14:15 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 06:55 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\uTorrent
2008-07-10 23:46 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\LimeWire
2008-07-04 15:13 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 15:13 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-29 05:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 22:02 1,628 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-18 19:40 --------- d-----w C:\Program Files\AVG
2008-06-18 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-18 07:00 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-18 06:59 --------- d-----w C:\Program Files\Electronic Arts
2008-06-18 06:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 01:25 --------- d-----w C:\Program Files\StepMania
2008-05-31 03:52 --------- d-----w C:\Program Files\MySpace
2008-05-31 03:52 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\MySpace
2008-05-27 03:07 --------- d-----w C:\Program Files\LimeWire
2008-05-24 20:09 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\U3
2008-05-21 22:34 --------- d-----w C:\Program Files\Guitar Pro 5
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 07:21 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-05-16 18:16 2732032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-07-09 13:16 1271032]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 00:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-06-29 00:43 8466432]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-06-29 00:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"BJLaunchEXE"="C:\Program Files\Canon\BJCard\BJLaunch.exe" [2003-08-04 14:16 716800]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 08:13 1232152]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 16:27 9117696]

C:\Documents and Settings\Mikael Myggen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-11 22:14:42 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-21 23:57:51 113664]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-11-27 22:13:51 114688]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 08:13]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 08:13]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 15:59]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 03:30:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mschkdsk.exe - C:\WINDOWS\System32\mschkdsk.exe
HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-28bb82fe - C:\WINDOWS\system32\anxfmpda.dll
Notify-comprf - comprf.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 13:12:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-21 13:29:14 - machine was rebooted [Mikael Myggen]
ComboFix-quarantined-files.txt 2008-07-21 20:28:16

Pre-Run: 29,147,308,032 bytes free
Post-Run: 28,971,536,384 bytes free

235 --- E O F --- 2008-07-21 20:28:42
  • 0

#23
Mike


    Malware Monger

  • Retired Staff
  • 2,745 posts
Well I waited way too long to try that.. live and learn I guess, this nasty bugger was stopping us from running the tools: CLBDRIVER

First off please move combofix from your flashdrive to your desktop.

You have viewpoint installed, I recommend you uninstall it as it doesn't have a good reputation.

Delete these folders if present:

C:\Program Files\Viewpoint
C:\Documents and Settings\Administrator.MIKAEL\Viewpoint

I would like you to install the Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

Click NO when it asks you to scan for malware.

After you have done this proceed with the next steps.

Please click Start then Run, and in the window that appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
FileLook::
D:\autorun.bat

File::
D:\autorun.bat

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.


Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post back with the logs along with a HijackThis log please.
  • 0

#24
RedTsunami

    Member

  • Topic Starter
  • Member
  • 12 posts
I didn't even know I HAD viewpoint installed. I was able to delete the one in program files, and there was nothing in the documents and settings folder I could delete.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mikael Myggen\Desktop\Virus fixing stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189476189375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189967518687
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 8590 bytes









ComboFix 08-07-20.A0 - Mikael Myggen 2008-07-22 12:48:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.108 [GMT -7:00]
Running from: C:\Documents and Settings\Mikael Myggen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mikael Myggen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\autorun.bat
.

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-22 12:35 . 2008-07-22 12:39 <DIR> d-------- C:\Combo-Fix
2008-07-20 01:36 . 2008-07-20 01:37 <DIR> d-------- C:\Program Files\ERUNT
2008-07-16 12:37 . 2008-07-16 12:37 <DIR> d-------- C:\Deckard
2008-07-12 01:50 . 2008-07-12 02:17 2,092 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-12 01:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-12 01:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-12 01:47 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-12 01:47 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-12 01:47 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-12 01:47 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-12 01:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-12 01:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-12 01:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-12 01:04 . 2008-07-12 00:50 1,478,367 --a------ C:\SmitfraudFix.exe
2008-07-12 01:03 . 2008-07-12 01:03 <DIR> d-------- C:\Documents and Settings\Administrator.MIKAEL
2008-07-12 00:26 . 2008-07-12 00:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-11 23:53 . 2003-03-31 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 13:15 . 2008-07-21 15:12 <DIR> d-------- C:\Program Files\Steam
2008-06-28 15:15 . 2008-07-16 01:31 <DIR> d-------- C:\Documents and Settings\Mikael Myggen\Application Data\SPORE Creature Creator
2008-06-28 15:03 . 2008-06-28 15:03 <DIR> dr-h----- C:\Documents and Settings\Mikael Myggen\Application Data\SecuROM
2008-06-28 14:20 . 2008-06-28 14:54 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-28 14:15 . 2008-06-28 14:15 <DIR> d-------- C:\Documents and Settings\Mikael Myggen\Application Data\DAEMON Tools
2008-06-28 14:15 . 2008-06-28 14:15 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 20:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-21 20:47 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\uTorrent
2008-07-21 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-10 23:46 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\LimeWire
2008-07-04 15:13 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-29 05:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 19:40 --------- d-----w C:\Program Files\AVG
2008-06-18 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-18 06:59 --------- d-----w C:\Program Files\Electronic Arts
2008-06-18 06:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 01:25 --------- d-----w C:\Program Files\StepMania
2008-05-31 03:52 --------- d-----w C:\Program Files\MySpace
2008-05-31 03:52 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\MySpace
2008-05-27 03:07 --------- d-----w C:\Program Files\LimeWire
2008-05-24 20:09 --------- d-----w C:\Documents and Settings\Mikael Myggen\Application Data\U3
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\autorun.bat -- Invalid filepath or file no longer exist


((((((((((((((((((((((((((((( snapshot@2008-07-21_13.27.20.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-07-21\ERDNT.EXE
+ 2008-07-21 20:16:30 3,514,368 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-07-21\Users\00000001\ntuser.dat
+ 2008-07-21 20:16:32 151,552 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-07-21\Users\00000002\UsrClass.dat
+ 2006-10-27 03:42:36 8,423,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\OARTCONV.DLL
- 2008-05-19 04:54:09 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-07-21 20:28:37 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2008-05-19 04:54:11 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-07-21 20:28:38 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-05-19 04:54:11 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-07-21 20:28:38 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2008-05-19 04:54:11 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-07-21 20:28:38 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-19 04:54:11 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-07-21 20:28:38 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-05-19 04:54:10 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-07-21 20:28:38 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2008-05-19 04:54:11 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-07-21 20:28:38 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2008-05-19 04:54:11 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-07-21 20:28:38 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2008-05-19 04:54:11 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-07-21 20:28:38 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-05-19 04:54:10 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-21 20:28:38 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-06-20 10:44:38 138,368 -c----w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 245,248 -c----w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 07:56:44 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-07-21 20:12:14 12,941 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-07-21 22:11:46 12,941 ----a-w C:\WINDOWS\system32\tablet.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 07:21 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-05-16 18:16 2732032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-07-09 13:16 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-06-29 00:43 8466432]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-06-29 00:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"BJLaunchEXE"="C:\Program Files\Canon\BJCard\BJLaunch.exe" [2003-08-04 14:16 716800]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 08:13 1232152]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 16:27 9117696]

C:\Documents and Settings\Mikael Myggen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-11 22:14:42 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-21 23:57:51 113664]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-11-27 22:13:51 114688]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 08:13]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 08:13]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 15:59]
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe []
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-22 03:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 12:56:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-22 13:13:18
ComboFix-quarantined-files.txt 2008-07-22 20:11:51
ComboFix2.txt 2008-07-21 20:29:17

Pre-Run: 28,744,101,888 bytes free
Post-Run: 28,839,784,448 bytes free

195 --- E O F --- 2008-07-21 20:28:42







Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

2:35:26 PM 7/22/2008
mbam-log-7-22-2008 (14-35-26).txt

Scan type: Quick Scan
Objects scanned: 42703
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarerefer...=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#25
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Looks good,

Let's get an online scan to weed out any leftovers...

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through Add or Remove Programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.



#26
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.