Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan help: Trojan-Spy.Win32.KeyLogger.aa, Trojan-Spy.Win32.KeyLogger


  • This topic is locked This topic is locked

#16
SpySentinel

SpySentinel

    R.I.P.

  • Retired Staff
  • 5,152 posts
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

After that, Reboot


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\ProgramData\srvmonapl
C:\ProgramData\AdmMntCmd
C:\Users\All Users\AdmMntCmd
C:\Users\All Users\srvmonapl
C:\Users\All Users\genactdb
C:\ProgramData\genactdb

DirLook::
C:\Users\Karen\Documents\Downloads


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Double Click on Malwarebytes' Anti-Malware.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

Advertisements


#17
tsukihoshi

tsukihoshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I don't know if I did this right - I started the computer on safe mode like you said and drag the CFScript to ComboFix and it did its thing, but at some points I could see on the window that some processes were denied because it wanted me to run it as administrator. Please see if I've done this correctly. Thanks.

-------------------------------------------------------------------------------

ComboFix 08-08-23.03 - Karen 2008-08-25 21:53:57.4 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2701 [GMT -4:00]
Running from: C:\Users\Karen\Desktop\ComboFix.exe
Command switches used :: C:\Users\Karen\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\AdmMntCmd
C:\ProgramData\AdmMntCmd\vyvmfyju.exe
C:\ProgramData\genactdb
C:\ProgramData\genactdb\tsjirgfy.exe
C:\ProgramData\srvmonapl
C:\ProgramData\srvmonapl\dobgbibk.exe
C:\Users\All Users\AdmMntCmd\vyvmfyju.exe
C:\Users\All Users\genactdb\tsjirgfy.exe
C:\Users\All Users\srvmonapl\dobgbibk.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 01:47 --------- d-----w C:\Users\Karen\AppData\Roaming\DMCache
2008-08-26 01:40 --------- d-----w C:\Program Files\Java
2008-08-25 01:25 --------- d-----w C:\ProgramData\Google Updater
2008-08-24 22:35 --------- d-----w C:\ProgramData\HlpCmdSh
2008-08-24 05:46 --------- d-----w C:\ProgramData\Roxio
2008-08-24 04:51 --------- d-----w C:\Users\Karen\AppData\Roaming\dvdcss
2008-08-22 02:51 --------- d-----w C:\Program Files\Winamp
2008-08-20 00:36 --------- d-----w C:\ProgramData\webmsginfo
2008-08-16 03:47 --------- d-----w C:\ProgramData\DVD Shrink
2008-08-16 03:47 --------- d-----w C:\Program Files\DVD Shrink
2008-08-16 03:36 --------- d-----w C:\Program Files\Trend Micro
2008-08-16 03:23 --------- d-----w C:\Users\Karen\AppData\Roaming\Malwarebytes
2008-08-16 03:23 --------- d-----w C:\ProgramData\Malwarebytes
2008-08-16 03:23 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 03:22 --------- d-----w C:\Users\Karen\AppData\Roaming\Download Manager
2008-08-16 03:10 --------- d-----w C:\Users\Karen\AppData\Roaming\Winamp
2008-08-16 03:10 --------- d-----w C:\ProgramData\FLEXnet
2008-08-16 01:27 5,790 ----a-w C:\Windows\System32\tmp.reg
2008-08-16 01:25 --------- d-----w C:\Users\Karen\AppData\Roaming\IDM
2008-08-15 06:59 --------- d-----w C:\ProgramData\NVIDIA
2008-08-15 04:56 --------- d-----w C:\Program Files\Megaupload Downloader
2008-08-15 02:53 --------- d-----w C:\Program Files\Google
2008-08-15 01:52 82,432 ----a-w C:\Windows\System32\IEDFix.C.exe
2008-08-14 07:05 --------- d-----w C:\Program Files\Windows Mail
2008-08-09 19:37 82,432 ----a-w C:\Windows\System32\404Fix.exe
2008-08-09 07:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-09 07:47 --------- d-----w C:\Program Files\Bonjour
2008-08-09 03:57 --------- d-----w C:\Program Files\PowerISO
2008-08-04 22:36 --------- d-----w C:\Program Files\TagRename
2008-07-31 00:07 38,472 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-07-31 00:07 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-07-27 01:38 27,335 ----a-w C:\Users\Karen\AppData\Roaming\nvModes.dat
2008-07-25 23:33 --------- d-----w C:\Program Files\Internet Download Manager
2008-07-23 02:55 --------- d-----w C:\Program Files\Free Download Manager
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-07-14 23:38 --------- d-----w C:\ProgramData\WindowsSearch
2008-07-13 04:49 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-07-13 04:20 --------- d-----w C:\Program Files\CAPCOM
2008-07-10 02:02 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-08 02:46 --------- d-----w C:\Program Files\DVD Identifier
2008-07-07 05:44 --------- d-----w C:\Program Files\McAfee
2008-07-07 01:43 --------- d-----w C:\Users\Karen\AppData\Roaming\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\McAfee
2008-07-07 00:30 --------- d-----w C:\Program Files\McAfee.com
2008-07-07 00:30 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-06 20:19 --------- d-----w C:\Program Files\SiteAdvisor(55)
2008-07-05 07:26 --------- d-----w C:\Users\Karen\AppData\Roaming\Thinstall
2008-06-27 05:11 --------- d-----w C:\ProgramData\ACD Systems
2008-06-27 05:11 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-27 05:10 --------- d-----w C:\Program Files\ACD Systems
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-29 13:35 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-05-27 23:24 174 --sha-w C:\Program Files\desktop.ini
2008-05-27 21:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-27 21:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-03-16 15:07 74 --sh--r C:\Windows\CT4CET.bin
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-01 20:44 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Users\Karen\Documents\Downloads ----

2008-08-15 21:23 1486171 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix.exe
2008-08-15 00:55 616066 --a------ C:\Users\Karen\Documents\Downloads\Programs\Setup_Megaupload_Downloader_2008.exe
2008-08-15 00:05 1848318 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\SmitfraudFix.cmd
2008-08-14 22:51 1018584 --a------ C:\Users\Karen\Documents\Downloads\Programs\Google Updater.exe
2008-08-14 21:52 82432 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\IEDFix.C.exe
2008-08-09 15:37 82432 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\404Fix.exe
2008-08-07 16:27 4080 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\beep_2K_original.sys
2008-07-22 12:27 82432 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\GenericRenosFix.exe
2008-07-16 22:35 2459088 --a------ C:\Users\Karen\Documents\Downloads\Programs\FileZilla_Server-0_9_26.exe
2008-07-09 23:43 9032208 --a------ C:\Users\Karen\Documents\Downloads\Programs\winamp554_full_emusic-7plus_en-us.exe
2008-06-15 23:36 3788336 --a------ C:\Users\Karen\Documents\Downloads\Programs\Driveway10000setup.exe
2008-05-29 09:35 86528 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\VACFix.exe
2008-05-29 00:26 90253 --a------ C:\Users\Karen\Documents\Downloads\Programs\winroll-2.0.exe
2008-05-27 23:17 3584 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\Policies.exe
2008-05-18 21:40 82944 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\IEDFix.exe
2008-05-04 04:11 736095 --a------ C:\Users\Karen\Documents\Downloads\Programs\SetupKHTV3.06.exe
2008-05-04 02:19 4974107 --a------ C:\Users\Karen\Documents\Downloads\Programs\kiwi-0.9.7.exe
2008-05-04 01:33 1495112 --a------ C:\Users\Karen\Documents\Downloads\Programs\install_flash_player.exe
2008-03-02 23:38 77312 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\UIFix.exe
2007-10-04 00:36 25600 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\WS2Fix.exe
2007-09-06 00:22 289144 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\VCCLSID.exe
2007-08-21 08:00 1536 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\exit.exe
2007-03-28 18:38 77824 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\HostsChk.exe
2006-12-01 06:20 79360 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\swxcacls.exe
2006-09-19 22:13 20480 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\SmiUpdate.exe
2006-09-15 00:34 167936 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\unzip.exe
2006-08-29 19:43 135168 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\swreg.exe
2006-04-27 17:49 288417 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\SrchSTS.exe
2006-03-07 22:45 16384 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\restart.exe
2006-01-09 10:36 40960 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\swsc.exe
2005-01-13 21:41 24576 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\Reboot.exe
2004-07-31 18:50 51200 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\dumphive.exe
2003-06-05 21:13 53248 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\Process.exe
2001-08-28 14:00 4224 --a------ C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\beep_XP_original.sys


((((((((((((((((((((((((((((( [email protected]_22.05.07.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-22 01:56:58 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-26 01:51:51 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-26 01:51:51 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-08-22 01:56:58 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-26 01:51:51 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-26 01:51:51 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-08-22 01:56:27 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-26 01:47:25 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-22 01:56:27 81,920 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-26 01:47:25 81,920 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-22 01:56:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-26 01:47:25 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-22 01:52:49 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-25 00:25:01 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-02-22 05:23:35 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\Windows\System32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\Windows\System32\javaws.exe
- 2008-08-20 03:16:32 105,852 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-26 01:57:18 104,658 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-20 03:16:32 600,378 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-26 01:57:18 598,782 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-22 01:58:34 8,098 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1345769177-2316361058-2631478649-1000_UserData.bin
+ 2008-08-26 01:49:17 8,106 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1345769177-2316361058-2631478649-1000_UserData.bin
- 2008-08-22 01:58:33 62,002 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-26 01:49:16 62,086 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-20 03:12:57 51,862 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-26 01:49:14 52,366 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-08-22 01:32:09 253,112 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-08-26 01:34:29 254,484 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Scheduler"="C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe" [2007-12-02 17:30 308464]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-06 21:00 2594224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 02:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 03:00 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-12-03 01:58 36864]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 10:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"PSQLLauncher"="C:\Program Files\Fingerprint Reader Suite\launcher.exe" [2007-04-16 23:50 49168]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-16 11:20 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 19:57 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-03 19:02 36352]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 21:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 19:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 00:04 86528 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F86430DE-CF8F-4BCB-BD80-5EB812AB449A}"= C:\Program Files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{A3956BCC-9895-4B4B-8E74-036D94C0036D}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{31043A6D-AF7E-4416-9F64-872ABE578709}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{3F27E2D6-D258-4C52-982C-3489E84321A9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{2DD59FD8-2A7D-49BC-89C5-E6B0AB90EE07}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D5190660-187A-4C71-865A-7E53CDDABDAB}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C29B27A2-DB63-4438-AC0D-3B2A5930A34A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{A6C3E698-ADED-4D90-A42F-BE90C578317D}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9949E4C4-8286-4FD9-829B-9B80BB870C70}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{9C6D6266-F1EA-44D7-B67F-009DFB6CCCDB}C:\\users\\karen\\desktop\\hfs.exe"= UDP:C:\users\karen\desktop\hfs.exe:hfs.exe
"UDP Query User{3E383C3A-56CB-4E02-B332-A327EA68C804}C:\\users\\karen\\desktop\\hfs.exe"= TCP:C:\users\karen\desktop\hfs.exe:hfs.exe
"TCP Query User{D0A7B4B8-AD22-4877-8984-FD750EFF762E}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9386816D-AD72-4364-AACC-8DDACB37B312}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{11BEA281-33B2-4C72-BCEB-B92530D22AD4}C:\\program files\\flashfxp\\flashfxp.exe"= UDP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"UDP Query User{5C56AA88-85DD-4819-BCAF-AF66E6CAEBE5}C:\\program files\\flashfxp\\flashfxp.exe"= TCP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"{2AF6D983-395E-457B-8F7C-B6112B196372}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\System\\winnet32.exe"= C:\Program Files\Common Files\System\winnet32.exe:*:Enabled:Windows Update
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

S2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2008-01-01 23:44]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 08:35]
S3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-12-03 01:58]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-12-03 01:59]

*Newly Created Service* - CATCHME
*Newly Created Service* - ECACHE
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\Windows\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\Windows\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-06-09 C:\Windows\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 21:57:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 21:59:04
ComboFix-quarantined-files.txt 2008-08-26 01:58:06
ComboFix2.txt 2008-08-25 00:28:55
ComboFix3.txt 2008-08-23 04:47:56
ComboFix4.txt 2008-08-22 02:06:34
ComboFix5.txt 2008-08-26 01:53:41

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 122,840,137,728 bytes free

298 --- E O F --- 2008-08-23 06:24:05
  • 0

#18
tsukihoshi

tsukihoshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Malwarebytes' Anti-Malware 1.25
Database version: 1087
Windows 6.0.6001 Service Pack 1

10:19:46 PM 25/08/2008
mbam-log-08-25-2008 (22-19-46).txt

Scan type: Quick Scan
Objects scanned: 42858
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#19
SpySentinel

SpySentinel

    R.I.P.

  • Retired Staff
  • 5,152 posts
Your log looks clean, great job! :)

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image


Now for some cleanup..
Please download OTCleanIt and save it to Desktop.
  • Please make sure you are connecting to the Internet
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • 0

#20
tsukihoshi

tsukihoshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thank you so much, SpySentinel! I think my laptop is ok now as I don't see those popups anymore.

I have followed most of the tips you provided in your last post (some I've already done previously).

If we are finished with the cleaning, what becomes of this thread? Does someone close it?

I'll be back here posting again if something goes wrong! (Which I hope won't happen...)

Once again, thank you! Your help was greatly appreciated.
  • 0

#21
SpySentinel

SpySentinel

    R.I.P.

  • Retired Staff
  • 5,152 posts

Thank you so much, SpySentinel! I think my laptop is ok now as I don't see those popups anymore.
I have followed most of the tips you provided in your last post (some I've already done previously).


Your welcome, Glad I could help you solve your computer problem!


If we are finished with the cleaning, what becomes of this thread? Does someone close it?
I'll be back here posting again if something goes wrong! (Which I hope won't happen...)


Yes, a GeekU Teacher will close this thread. If you have any other problems or questions, please feel free to ask me.


Once again, thank you! Your help was greatly appreciated.


Your welcome, glad I could help :)

Edited by SpySentinel, 28 August 2008 - 03:53 PM.

  • 0

#22
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP