
IE Redirect / Trojan? [RESOLVED]



#16
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Sorry I didn't post this last night. My wifi was acting up.

I'm not sure if it's related, but the sound does not work on this machine either. I'm guessing the driver got damaged.



C:\WINDOWS\system32\blphc3vtj0epa1.scr
C:\WINDOWS\system32\lphc3vtj0epa1.exe
C:\WINDOWS\system32\phc3vtj0epa1.bmp
C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Candy\Application Data\tvmknwrd.dll
c:\docume~1\candy\locals~1\temp\msbb.exe
C:\WINDOWS\System32\requester.10.exe
C:\WINDOWS\satmat.exe
C:\DOCUME~1\Candy\APPLIC~1\DVDBOR~1\Dent setup seek.exe

Folder::
C:\Program Files\MBKWBar
C:\Documents and Settings\Candy\Application Data\shc5vtj0epa1
C:\Program Files\CSBB
C:\Program Files\HookUpFinder
C:\Program Files\Nkgxtn
C:\PROGRA~1\COMMON~1\zzuq
C:\Program Files\Hotbar
C:\Program Files\CashBack
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\NaviSearch

Driver::
ISEXEng

Suspect::[1]
C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
C:\WINDOWS\system32\16k0z.exe
C:\WINDOWS\system32\7xf2inu.dll
C:\WINDOWS\system32\f1tlarb.sys
C:\WINDOWS\system32\plivib6.exe
C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
C:\WINDOWS\f1tlarb.sys

Collect::[1]
C:\Program Files\z16roskn
C:\WINDOWS\system32\tzm.dll
C:\WINDOWS\System32\pifmgr.exe
C:\WINDOWS\System32\laesbpfl.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00855933-F2CA-4D03-913C-BA6AF2D20D49}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134F95DD-1F11-4BE7-BD49-715BEB12F8EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18417486-220A-4F8E-8190-4E9C08CB0D15}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AB08EBF-917D-4DA5-B753-9C9E99F6F82E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{230EDB2E-D555-46F3-B434-F746AADBB37E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2909C652-7E5F-41F1-915C-DE62390381B7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BBAECC3-6C41-486B-BF8F-88B6290F3F60}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37B0A6A0-FC0D-4ACC-9939-EF7CC35E084D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F820870-E549-4728-B391-397E47B82DA1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401F7A17-0E47-4F50-9F65-9EF2C176E666}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4548BEED-6968-4849-9434-003BD236D591}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49C03043-39EE-4CBF-8FA9-D1EEFBD50A34}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{533246BC-F554-41CB-BCE3-E682CA36E43D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6086F842-66F5-4700-936F-FD1AC3B88E68}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C902F78-5FF1-4A20-A89C-F072E811F939}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{819D0A6D-1AFF-49E4-B0C3-03349B1F3AC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8251C34F-BFEC-46A5-9330-706F0531DA14}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89658AFA-5D60-474C-B94B-E4B1D1681500}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C930571-B657-49E8-871F-DC6589E3CBE7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9006DCAF-FC1E-4A71-92D9-CAC45EBA3D94}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93D7A4BE-9DFA-4E04-AAF4-65F48EBDD42A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95E4AFD9-4F86-4E7D-9104-068EEE0E9614}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A5A5F23-B4AD-4323-9C4D-E55C4120E1CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C148EE5-3AF6-43F7-9317-0F743E480636}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B425796A-D395-4CDE-A985-2DE2ECC83957}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7191A3A-51BB-4122-882F-2962B178DB57}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B952ADBC-AC73-4FAC-A4FE-E9C169352C62}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE5500D7-96BC-4455-8D89-EF80C00A4483}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D36763E2-E97E-42BF-ABEB-ED2675D0FBE4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE1E8E8F-9AD3-4BA3-A3EA-6B2C5EFD703E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E15F0656-969A-4C56-9EC4-8E2A4494DDCA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2A071A7-A4B8-496D-BE15-B62B5F7BE6FF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6410C9F-6195-4B55-A4C0-440CBA6BF155}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF914DE2-23AA-4743-9CC0-0E5B8A9D098F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA8B79BA-1BE9-4D31-89D7-8312E7AE160F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE3DDC41-B10B-4BB6-ACA1-CD557B02B129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6D51F3-CE99-4741-BA5F-A9DD581D40CF}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ujlisy"=-
"HookUpFinder"=-
"lphc3vtj0epa1"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashBack]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaviSearch]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pifmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rckajmyvyvudp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\requester]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\satmat]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TickSlow]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z16roskn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzuq]
  • 0



#17
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Can you post me the combofix log please? You'll find it at C:\combofix.txt
  • 0

#18
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Oops. Sorry, wrong file.

ComboFix 08-08-17.01 - Candy 2008-08-17 15:03:47.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.228 [GMT -4:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Application Data\microsoft
C:\Documents and Settings\Application Data\microsoft\Internet Explorer\Quick Launch\MySpaceIM.lnk
C:\Documents and Settings\Candy\UserData
C:\Documents and Settings\Candy\UserData\8TQFW1Q3\oWSA_UD[1].xml
C:\Documents and Settings\Candy\UserData\G167C163\DraftMsgData[1].xml
C:\Documents and Settings\Candy\UserData\G167C163\oWindowsUpdate[1].xml
C:\Documents and Settings\Candy\UserData\index.dat
C:\Documents and Settings\Candy\UserData\K1MFODAZ\oasUserData[1].xml
C:\Documents and Settings\Candy\UserData\S1EJOHY7\oWindowsUpdate[1].xml
C:\Documents and Settings\Candy\UserData\S1EJOHY7\oXMLStoreUnit[1].xml
C:\PROGRA~1\COMMON~1\zzuq
C:\PROGRA~1\COMMON~1\zzuq\zzuqa.lck
C:\PROGRA~1\COMMON~1\zzuq\zzuqh
C:\PROGRA~1\COMMON~1\zzuq\zzuql.lck
C:\PROGRA~1\COMMON~1\zzuq\zzuqm.lck
C:\PROGRA~1\COMMON~1\zzuq\zzuqp.lck
C:\Program Files\Nkgxtn

.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-14 16:13 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 16:02 . 2008-08-14 16:02 <DIR> d-------- C:\Program Files\ERUNT
2008-08-14 11:02 . 2008-08-14 11:02 37 --a------ C:\WINDOWS\wwwbatch.ini
2008-08-12 13:30 . 2008-08-11 03:44 <DIR> d-------- C:\SDFix
2008-08-11 20:15 . 2008-08-11 20:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-07 16:42 . 2008-08-07 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 15:28 . 2008-08-07 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 15:27 . 2008-08-14 16:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\SUPERAntiSpyware.com
2008-08-07 13:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-07 13:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-07 13:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-07 13:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-07 13:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-07 13:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-07 12:20 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 18:40 --------- d-----w C:\Program Files\CallWave
2008-08-14 21:09 --------- d-----w C:\Program Files\PokerStars
2008-08-11 16:03 --------- d-----w C:\Program Files\MSN Messenger
2008-08-11 13:22 --------- d-----w C:\Program Files\fsupport
2008-08-07 19:31 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-07 19:31 --------- d-----w C:\Program Files\Napster
2008-08-07 17:23 2,752 ----a-w C:\WINDOWS\system32\tmp.reg
2008-08-07 16:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2005-05-12 02:06 42 ----a-w C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
2004-12-18 17:57 0 ---ha-w C:\Documents and Settings\Candy\hpothb07.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2003-04-29 20:00 32 --sha-w C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
2003-04-29 20:00 32 --sha-w C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
.

((((((((((((((((((((((((((((( snapshot_2008-08-16_21.12.52.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\ERDNT.EXE
+ 2008-08-17 18:40:32 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000001\NTUSER.DAT
+ 2008-08-17 18:40:32 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000002\UsrClass.dat
- 2008-08-13 12:23:18 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 02:27:19 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-13 12:23:18 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 02:27:19 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43 472632]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 09:37 185632]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-08-07 15:31 0]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

C:\Documents and Settings\Candy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2003-09-20 16:25:23 1415248]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-04-27 13:09:52 54776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 16:51 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\ISP50\BIN\PPCOLink -STATION [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 23:01 258048 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-12-25 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-12-13 15:47 54512 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-12-13 15:47 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 13:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 03:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 03:19 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 20:16 172032 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-05-28 18:22 4882432 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
--a------ 2003-01-17 23:26 458752 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2002-10-17 16:21 159744 C:\TOSHIBA\Ivp\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
--a------ 2003-02-28 22:54 40960 C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-09-30 09:38 214296 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 17:20 94208 C:\WINDOWS\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 21:00 126976 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2003-02-25 20:03 49152 c:\TOSHIBA\SysStability\TSysSMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
--a------ 2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 19:29]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\ADAB310F91B8A80B.job
- c:\progra~1\dvdbor~1\USER DRAW PROC.exe []

2007-12-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2005-07-10 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065242033.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 03:52]

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\NAVW32.exe [2008-08-07 15:31]

2003-09-25 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 12:04]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 15:06:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-17 15:09:35
ComboFix-quarantined-files.txt 2008-08-17 19:09:26
ComboFix2.txt 2008-08-17 01:13:37
ComboFix3.txt 2008-08-13 19:47:19
ComboFix4.txt 2008-08-13 00:56:52
ComboFix5.txt 2008-08-17 18:55:22

Pre-Run: 25,063,886,848 bytes free
Post-Run: 25,069,592,576 bytes free

215 --- E O F --- 2008-08-17 00:41:14
  • 0

#19
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Once again we need other logs. Did you run combofix twice with the CFScript?
Also, did you install PokerStars? If not, uninstall it and delete this folder: C:\Program Files\PokerStars

Please attach these two logs:

C:\qoobox\ComboFix-quarantined-files.txt
C:\qoobox\ComboFix2.txt

To attach a file, do the following:
* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse for the attachment file you want to upload, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* Click on Posted Image to insert the attachment into your post

Then,


Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that, please reboot your computer if it asks you to, and post ComboFix.txt (the report ComboFix will generate) in your next reply.

And,


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by Mike, 18 August 2008 - 10:50 AM.

  • 0
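Both the CFScript posted in #16 and the one-line File:: script Mike describes above use the same directive format. As an added example (not ComboFix's own code and not written by anyone in this thread), here is a Python parser that turns such a script into a reviewable list of what it would remove, so the targets can be checked before the script is dragged onto ComboFix.exe; the sample entries are copied from the #16 script, and the meaning of each directive is inferred from that script rather than from ComboFix documentation.

```python
"""Parse a ComboFix CFScript into a reviewable removal plan.

Added example, not ComboFix's own code: it reads a script like the one
posted in this thread (File::, Folder::, Driver::, Suspect::[n],
Collect::[n], and a Registry:: block where [-KEY] deletes a key and
"Name"=- deletes a value) and lists what each directive targets, so the
entries can be reviewed before the script is dragged onto ComboFix.exe.
Directive meanings are inferred from the script, not from documentation.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::(?:\[\d+\])?\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# directive name -> Plan attribute that holds its path entries
PATH_LISTS = {"file": "files", "folder": "folders", "suspect": "suspect", "collect": "collect"}


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    drivers: list = field(default_factory=list)
    suspect: list = field(default_factory=list)
    collect: list = field(default_factory=list)
    reg_keys_deleted: list = field(default_factory=list)    # key paths
    reg_values_deleted: list = field(default_factory=list)  # (key, name)
    reg_values_set: list = field(default_factory=list)      # (key, name, data)
    warnings: list = field(default_factory=list)


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line; a Name:: line switches the directive."""
    plan = Plan()
    section, current_key = None, None   # active directive, last [KEY] in Registry::
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group("name").lower(), None
        elif section is None:
            plan.warnings.append(f"line {lineno}: entry before any directive: {line}")
        elif section == "registry":
            km, vm = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
            if km:
                current_key = km.group("key")
                if km.group("minus"):        # [-KEY] removes the whole key
                    plan.reg_keys_deleted.append(current_key)
            elif vm and current_key:
                if vm.group("data") == "-":  # "Name"=- removes one value
                    plan.reg_values_deleted.append((current_key, vm.group("name")))
                else:
                    plan.reg_values_set.append((current_key, vm.group("name"), vm.group("data")))
            else:
                plan.warnings.append(f"line {lineno}: unparsed registry line: {line}")
        elif section == "driver":
            plan.drivers.append(line)        # a service name, not a path
        elif section in PATH_LISTS:
            if not DRIVE_PATH_RE.match(line):
                plan.warnings.append(f"line {lineno}: not an absolute path: {line}")
            getattr(plan, PATH_LISTS[section]).append(line)
        else:
            plan.warnings.append(f"line {lineno}: unknown directive {section}::")
    return plan


def summarize(plan: Plan) -> list:
    """One human-readable line per planned action, warnings last."""
    out = [f"delete file      {p}" for p in plan.files]
    out += [f"delete folder    {p}" for p in plan.folders]
    out += [f"driver           {d}" for d in plan.drivers]
    out += [f"suspect/collect  {p}" for p in plan.suspect + plan.collect]
    out += [f"delete key       {k}" for k in plan.reg_keys_deleted]
    out += [f"delete value     {k} -> {n}" for k, n in plan.reg_values_deleted]
    out += [f"WARNING          {w}" for w in plan.warnings]
    return out


# Sample script; entries are copied from the CFScript posted earlier in this thread.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\satmat.exe
c:\docume~1\candy\locals~1\temp\msbb.exe

Folder::
C:\Program Files\HookUpFinder
Driver::
ISEXEng
Suspect::[1]
C:\WINDOWS\system32\16k0z.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00855933-F2CA-4D03-913C-BA6AF2D20D49}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HookUpFinder"=-
"lphc3vtj0epa1"=-
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_cfscript(SAMPLE_CFSCRIPT))))
```

Entries that land in the warnings list (a path before any directive, a relative path, a value with no enclosing key) are the ones worth fixing before the script is handed to the user.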

#20
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Attached File  ComboFix5.txt   22.33KB   128 downloads
Attached File  ComboFix_quarantined_files.txt   7.73KB   155 downloads
  • 0

#21
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
ComboFix 08-08-17.01 - Candy 2008-08-18 12:48:20.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.238 [GMT -4:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-14 16:13 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 16:02 . 2008-08-14 16:02 <DIR> d-------- C:\Program Files\ERUNT
2008-08-14 11:02 . 2008-08-14 11:02 37 --a------ C:\WINDOWS\wwwbatch.ini
2008-08-12 13:30 . 2008-08-11 03:44 <DIR> d-------- C:\SDFix
2008-08-11 20:15 . 2008-08-11 20:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-07 16:42 . 2008-08-07 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 15:28 . 2008-08-07 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 15:27 . 2008-08-14 16:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\SUPERAntiSpyware.com
2008-08-07 13:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-07 13:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-07 13:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-07 13:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-07 13:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-07 13:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-07 12:20 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 15:04 --------- d-----w C:\Program Files\CallWave
2008-08-11 16:03 --------- d-----w C:\Program Files\MSN Messenger
2008-08-11 13:22 --------- d-----w C:\Program Files\fsupport
2008-08-07 19:31 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-07 19:31 --------- d-----w C:\Program Files\Napster
2008-08-07 17:23 2,752 ----a-w C:\WINDOWS\system32\tmp.reg
2008-08-07 16:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2005-05-12 02:06 42 ----a-w C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
2004-12-18 17:57 0 ---ha-w C:\Documents and Settings\Candy\hpothb07.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2003-04-29 20:00 32 --sha-w C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
2003-04-29 20:00 32 --sha-w C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
.

((((((((((((((((((((((((((((( snapshot_2008-08-16_21.12.52.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\ERDNT.EXE
+ 2008-08-17 18:40:32 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000001\NTUSER.DAT
+ 2008-08-17 18:40:32 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\ERDNT.EXE
+ 2008-08-18 15:04:52 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\Users\00000001\NTUSER.DAT
+ 2008-08-18 15:04:52 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\Users\00000002\UsrClass.dat
- 2008-08-13 12:23:18 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 02:27:19 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-13 12:23:18 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 02:27:19 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43 472632]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 09:37 185632]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-08-07 15:31 0]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

C:\Documents and Settings\Candy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2003-09-20 16:25:23 1415248]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-04-27 13:09:52 54776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 16:51 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\ISP50\BIN\PPCOLink -STATION [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 23:01 258048 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-12-25 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-12-13 15:47 54512 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-12-13 15:47 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 13:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 03:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 03:19 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 20:16 172032 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-05-28 18:22 4882432 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
--a------ 2003-01-17 23:26 458752 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2002-10-17 16:21 159744 C:\TOSHIBA\Ivp\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
--a------ 2003-02-28 22:54 40960 C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-09-30 09:38 214296 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 17:20 94208 C:\WINDOWS\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 21:00 126976 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2003-02-25 20:03 49152 c:\TOSHIBA\SysStability\TSysSMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
--a------ 2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 19:29]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\ADAB310F91B8A80B.job
- c:\progra~1\dvdbor~1\USER DRAW PROC.exe []

2005-07-10 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065242033.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 03:52]

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\NAVW32.exe [2008-08-07 15:31]

2003-09-25 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 12:04]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 13:00:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-18 13:08:16
ComboFix-quarantined-files.txt 2008-08-18 17:07:41
ComboFix2.txt 2008-08-17 19:09:36
ComboFix3.txt 2008-08-17 01:13:37
ComboFix4.txt 2008-08-13 19:47:19
ComboFix5.txt 2008-08-18 16:45:27

Pre-Run: 25,017,700,352 bytes free
Post-Run: 25,007,456,256 bytes free

195 --- E O F --- 2008-08-17 00:41:14
  • 0

#22
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
How is the MBAM scan going?
  • 0

#23
pewee

pewee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

2:06:24 PM 8/18/2008
mbam-log-08-18-2008 (14-06-24).txt

Scan type: Quick Scan
Objects scanned: 46113
Time elapsed: 13 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bgrqfetx.bwpr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#24
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and paste (Control + V) the content into the Notepad window:
Extra::
File::
C:\WINDOWS\Tasks\ADAB310F91B8A80B.job
C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll

Folder::
c:\progra~1\dvdbor~1
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that, please reboot your computer if it asks you to and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Then,


Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

  • 0

#25
pewee

pewee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Here is the ComboFix.

ComboFix 08-08-17.01 - Candy 2008-08-18 16:44:04.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -4:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candy\Desktop\CFScript.txt

FILE ::
C:\DOCUME~1\Candy\APPLIC~1\DVDBOR~1\Dent setup seek.exe
c:\docume~1\candy\locals~1\temp\msbb.exe
C:\Documents and Settings\Candy\Application Data\tvmknwrd.dll
C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
C:\WINDOWS\satmat.exe
C:\WINDOWS\system32\blphc3vtj0epa1.scr
C:\WINDOWS\system32\lphc3vtj0epa1.exe
C:\WINDOWS\system32\phc3vtj0epa1.bmp
C:\WINDOWS\System32\requester.10.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-14 16:13 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 16:02 . 2008-08-14 16:02 <DIR> d-------- C:\Program Files\ERUNT
2008-08-14 11:02 . 2008-08-14 11:02 37 --a------ C:\WINDOWS\wwwbatch.ini
2008-08-12 13:30 . 2008-08-11 03:44 <DIR> d-------- C:\SDFix
2008-08-11 20:15 . 2008-08-11 20:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-07 16:42 . 2008-08-07 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 15:28 . 2008-08-07 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 15:27 . 2008-08-14 16:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\SUPERAntiSpyware.com
2008-08-07 13:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-07 13:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-07 13:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-07 13:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-07 13:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-07 13:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-07 12:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 17:17 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 15:04 --------- d-----w C:\Program Files\CallWave
2008-08-17 19:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 16:03 --------- d-----w C:\Program Files\MSN Messenger
2008-08-11 13:22 --------- d-----w C:\Program Files\fsupport
2008-08-07 19:31 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-07 19:31 --------- d-----w C:\Program Files\Napster
2008-08-07 17:23 2,752 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2004-12-18 17:57 0 ---ha-w C:\Documents and Settings\Candy\hpothb07.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2003-04-29 20:00 32 --sha-w C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
2003-04-29 20:00 32 --sha-w C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
.

((((((((((((((((((((((((((((( snapshot_2008-08-16_21.12.52.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\ERDNT.EXE
+ 2008-08-17 18:40:32 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000001\NTUSER.DAT
+ 2008-08-17 18:40:32 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\ERDNT.EXE
+ 2008-08-18 15:04:52 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\Users\00000001\NTUSER.DAT
+ 2008-08-18 15:04:52 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\Users\00000002\UsrClass.dat
- 2008-08-13 12:23:18 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 02:27:19 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-13 12:23:18 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 02:27:19 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43 472632]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 09:37 185632]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-08-07 15:31 0]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

C:\Documents and Settings\Candy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2003-09-20 16:25:23 1415248]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-04-27 13:09:52 54776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 16:51 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\ISP50\BIN\PPCOLink -STATION [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 23:01 258048 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-12-25 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-12-13 15:47 54512 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-12-13 15:47 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 13:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 03:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 03:19 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 20:16 172032 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-05-28 18:22 4882432 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
--a------ 2003-01-17 23:26 458752 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2002-10-17 16:21 159744 C:\TOSHIBA\Ivp\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
--a------ 2003-02-28 22:54 40960 C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-09-30 09:38 214296 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 17:20 94208 C:\WINDOWS\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 21:00 126976 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2003-02-25 20:03 49152 c:\TOSHIBA\SysStability\TSysSMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
--a------ 2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\ADAB310F91B8A80B.job
- c:\progra~1\dvdbor~1\USER DRAW PROC.exe []

2005-07-10 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065242033.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 03:52]

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\NAVW32.exe [2008-08-07 15:31]

2003-09-25 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 12:04]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 16:55:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-18 17:03:01
ComboFix-quarantined-files.txt 2008-08-18 21:02:50
ComboFix2.txt 2008-08-18 17:08:23
ComboFix3.txt 2008-08-17 19:09:36
ComboFix4.txt 2008-08-17 01:13:37
ComboFix5.txt 2008-08-18 20:40:00

Pre-Run: 24,998,703,104 bytes free
Post-Run: 24,991,719,424 bytes free

209 --- E O F --- 2008-08-17 00:41:14


I'm still working on the other scan.
  • 0


#26
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
You used the wrong CFScript; run this one please: http://www.geekstogo...37#entry1310137

The other scan takes a long time, so go out for a drink and it should be done :)
  • 0

#27
pewee

pewee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Mike, the scan won't run for some reason. It says I don't have Java but I downloaded it and it's in my toolbar.

This was about the Kaspersky scan.

Edited by pewee, 18 August 2008 - 04:02 PM.

  • 0

#28
pewee

pewee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Sorry about that


ComboFix 08-08-18.01 - Candy 2008-08-18 21:08:22.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.241 [GMT -4:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
C:\WINDOWS\Tasks\ADAB310F91B8A80B.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Candy\Cookies\candy@specificclick[2].txt
c:\progra~1\dvdbor~1
C:\WINDOWS\Tasks\ADAB310F91B8A80B.job

.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-14 16:13 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 16:02 . 2008-08-14 16:02 <DIR> d-------- C:\Program Files\ERUNT
2008-08-14 11:02 . 2008-08-14 11:02 37 --a------ C:\WINDOWS\wwwbatch.ini
2008-08-12 13:30 . 2008-08-11 03:44 <DIR> d-------- C:\SDFix
2008-08-11 20:15 . 2008-08-11 20:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-07 16:42 . 2008-08-07 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 15:28 . 2008-08-07 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 15:27 . 2008-08-14 16:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\SUPERAntiSpyware.com
2008-08-07 13:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-07 13:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-07 13:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-07 13:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-07 13:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-07 13:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-07 12:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 00:58 --------- d-----w C:\Program Files\CallWave
2008-08-18 21:29 --------- d-----w C:\Program Files\Java
2008-08-18 17:17 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 19:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 16:03 --------- d-----w C:\Program Files\MSN Messenger
2008-08-11 13:22 --------- d-----w C:\Program Files\fsupport
2008-08-07 19:31 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-07 19:31 --------- d-----w C:\Program Files\Napster
2008-08-07 17:23 2,752 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2004-12-18 17:57 0 ---ha-w C:\Documents and Settings\Candy\hpothb07.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2003-04-29 20:00 32 --sha-w C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
2003-04-29 20:00 32 --sha-w C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
.

((((((((((((((((((((((((((((( snapshot_2008-08-16_21.12.52.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\ERDNT.EXE
+ 2008-08-17 18:40:32 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000001\NTUSER.DAT
+ 2008-08-17 18:40:32 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-17-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\ERDNT.EXE
+ 2008-08-18 15:04:52 4,587,520 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\Users\00000001\NTUSER.DAT
+ 2008-08-18 15:04:52 499,712 ----a-w C:\WINDOWS\ERDNT\AutoBackup\8-18-2008\Users\00000002\UsrClass.dat
- 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-08-13 12:23:18 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 02:27:19 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-13 12:23:18 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 02:27:19 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43 472632]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 09:37 185632]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-08-07 15:31 0]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

C:\Documents and Settings\Candy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2003-09-20 16:25:23 1415248]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-04-27 13:09:52 54776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 16:51 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\ISP50\BIN\PPCOLink -STATION [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 23:01 258048 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-12-25 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-12-13 15:47 54512 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-12-13 15:47 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 13:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 03:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 03:19 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 20:16 172032 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-05-28 18:22 4882432 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
--a------ 2003-01-17 23:26 458752 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2002-10-17 16:21 159744 C:\TOSHIBA\Ivp\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
--a------ 2003-02-28 22:54 40960 C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-09-30 09:38 214296 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 17:20 94208 C:\WINDOWS\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 21:00 126976 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2003-02-25 20:03 49152 c:\TOSHIBA\SysStability\TSysSMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
--a------ 2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 19:29]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
.
Contents of the 'Scheduled Tasks' folder

2007-12-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2005-07-10 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065242033.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 03:52]

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\NAVW32.exe [2008-08-07 15:31]

2003-09-25 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 12:04]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Candy\Application Data\Mozilla\Firefox\Profiles\9p9irjz1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 21:12:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-18 21:16:16
ComboFix-quarantined-files.txt 2008-08-19 01:15:24
ComboFix2.txt 2008-08-18 21:03:05
ComboFix3.txt 2008-08-18 17:08:23
ComboFix4.txt 2008-08-17 19:09:36
ComboFix5.txt 2008-08-19 01:05:25

Pre-Run: 25,053,863,936 bytes free
Post-Run: 25,046,106,112 bytes free

218 --- E O F --- 2008-08-17 00:41:14
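The ComboFix log above lists the registry areas a helper reads by eye: the Run keys, the Security Center override values, and the firewall's AuthorizedApplications list. As an added example (not part of the original post and not ComboFix's own code), here is a small Python triage script that parses that `[key]` / `"name"=value` layout and flags three things worth a second look: a Security Center override set to 1 (this suppresses the antivirus status warnings, which a user can do deliberately, so it is a flag for review rather than a verdict), firewall exceptions for executables outside Program Files or the Windows directory, and autostart entries whose target reports a size of 0 (the file is missing or empty). The sample input is a constructed excerpt of lines from the log, the allowed-path prefixes and the three heuristics are this example's own assumptions, and the `Finding`, `parse_sections` and `triage` names are invented here.

```python
"""Triage helper for the registry portion of a ComboFix-style log.

Added example for this thread; it is not ComboFix code and not the
original poster's. The heuristics below (allowed path prefixes, what
counts as suspicious) are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the log posted above and
# grouped under their keys for brevity.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-08-07 15:31 0]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
'''

# Assumption: exceptions under these prefixes are "normal"; anything else
# (for example an .exe sitting in the root of C:\) gets flagged for review.
ALLOWED_FW_PREFIXES = ('c:\\program files\\', '%windir%\\', 'c:\\windows\\')

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# ComboFix autostart value: "path" [YYYY-MM-DD HH:MM size]
RUN_VALUE_RE = re.compile(r'^"(.+?)" \[(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+)\]$')
DWORD_RE = re.compile(r'dword:([0-9a-f]{8})', re.I)


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def parse_sections(text):
    """Return {registry key: [(value name, raw value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def triage(text):
    """Apply the three heuristics and return a list of Finding objects."""
    findings = []
    for key, entries in parse_sections(text).items():
        lk = key.lower()
        if lk.endswith('\\security center'):
            for name, value in entries:
                m = DWORD_RE.match(value)
                if name.lower().endswith('override') and m and int(m.group(1), 16) == 1:
                    findings.append(Finding(key, name,
                        'Security Center status alerting overridden (warnings suppressed)'))
        elif lk.endswith('\\authorizedapplications\\list'):
            for name, _ in entries:
                # The log doubles backslashes in these value names; undo that.
                path = name.replace('\\\\', '\\').lower()
                if not path.startswith(ALLOWED_FW_PREFIXES):
                    findings.append(Finding(key, name,
                        'firewall exception for executable outside Program Files / %windir%'))
        elif lk.endswith('\\run'):
            for name, value in entries:
                m = RUN_VALUE_RE.match(value)
                if m and int(m.group(3)) == 0:
                    findings.append(Finding(key, name,
                        f'autostart target reports size 0: {m.group(1)}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.name}: {f.reason}\n    under {f.key}')
```

Run against the sample it reports the AntiVirusOverride value, the `C:\StubInstaller.exe` firewall exception and the zero-size NapsterShell autostart, and nothing else; a real log is fed in the same way by reading the file into `triage`.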

#29
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


#30
pewee
    Member
  • Topic Starter
  • Member
  • 49 posts
Scanning Report
Tuesday, August 19, 2008 08:15:27 - 10:41:29
Computer name: TOSHIBA-USER
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
AdTool.Win32.MyWebSearch (spyware)
System
Rogue:W32/IeDefender.CT (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 55900
System: 4678
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{86176342-C0AA-4786-B824-9D7E7B324CE3}.BIN