Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32/Adware.Virtumonde & Win32/PrivacyRemover.M64 [RESOLVED]


  • This topic is locked This topic is locked

#1
steve_rogers

steve_rogers

    New Member

  • Member
  • Pip
  • 8 posts
[08/17/2008, 19:28:36] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:28:43] - Detected System Information:
[08/17/2008, 19:28:43] - Windows Version: 5.1.2600, Service Pack 2
[08/17/2008, 19:28:43] - Current Username: Steve Rogers (Admin)
[08/17/2008, 19:28:43] - Windows is in NORMAL mode.
[08/17/2008, 19:28:43] - Searching for Browser Helper Objects:
[08/17/2008, 19:28:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/17/2008, 19:28:43] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/17/2008, 19:28:43] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/17/2008, 19:28:43] - Finished Searching Browser Helper Objects
[08/17/2008, 19:28:43] - Finishing up...
[08/17/2008, 19:28:43] - Nothing found! Exiting...

[08/17/2008, 19:35:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:35:52] - User choose NOT to continue. Exiting...

[08/17/2008, 19:36:02] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:36:04] - Detected System Information:
[08/17/2008, 19:36:04] - Windows Version: 5.1.2600, Service Pack 2
[08/17/2008, 19:36:04] - Current Username: Steve Rogers (Admin)
[08/17/2008, 19:36:04] - Windows is in NORMAL mode.
[08/17/2008, 19:36:04] - Searching for Browser Helper Objects:
[08/17/2008, 19:36:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/17/2008, 19:36:04] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/17/2008, 19:36:04] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/17/2008, 19:36:04] - Finished Searching Browser Helper Objects
[08/17/2008, 19:36:04] - Finishing up...
[08/17/2008, 19:36:04] - Nothing found! Exiting...

[08/17/2008, 19:39:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:39:48] - Detected System Information:
[08/17/2008, 19:39:48] - Windows Version: 5.1.2600, Service Pack 2
[08/17/2008, 19:39:48] - Current Username: Steve Rogers (Admin)
[08/17/2008, 19:39:48] - Windows is in NORMAL mode.
[08/17/2008, 19:39:48] - Searching for Browser Helper Objects:
[08/17/2008, 19:39:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/17/2008, 19:39:48] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/17/2008, 19:39:48] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/17/2008, 19:39:48] - Finished Searching Browser Helper Objects
[08/17/2008, 19:39:48] - Finishing up...
[08/17/2008, 19:39:48] - Nothing found! Exiting...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:01 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: __c008AD9 - C:\WINDOWS\system32\__c008AD9.dat (file missing)
O20 - Winlogon Notify: __c00A0464 - C:\WINDOWS\system32\__c00A0464.dat (file missing)
O20 - Winlogon Notify: __c00FE19E - C:\WINDOWS\system32\__c00FE19E.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtejeja.html

--
End of file - 5538 bytes

Thanks!
  • 0

Advertisements


#2
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi and welcome to the forums here at G2G! :)

First, use Use ATF Cleaner to remove temp files,
cookies, cache, ect...

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.

  • 0

#3
steve_rogers

steve_rogers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
just so you know I was reading some other threads with my problem and I followed the same instructions. I see that you are helping Helpmeee with the same problem...Well he double posted and is being helped by Sarah... http://www.geekstogo...64-t208626.html

I followed all of those instructions...here is the latest Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:58 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtejeja.html

--
End of file - 5530 bytes

Thanks!!!!!!! :)
  • 0

#4
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi and thanks for the heads up on the double post, I'll close mine.

Can you post the log from MBAM too and let me know how it's running.

Thanks
  • 0

#5
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Also post your log from combofix.
  • 0

#6
steve_rogers

steve_rogers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
1601-01-01 00:00:00 0 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MCROSO~1\M?crosoft\
1980-08-17 00:00:00 25,088 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00B0A3B.dat.vir
2003-08-13 16:08:12 36,864 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\packet.dll.vir
2003-08-13 16:08:15 135,168 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wpcap.dll.vir
2005-09-02 22:48:30 178,718 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.bak1.vir
2005-09-07 22:05:26 180,046 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.tmp.vir
2005-09-07 23:08:06 180,046 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.ini.vir
2005-09-23 00:21:39 422,751 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.bak2.vir
2005-09-23 00:25:02 423,189 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.ini2.vir
2007-04-26 05:30:14 29,184 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MSINET.oca.vir
2007-08-19 02:10:43 93 C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-08-19 02:11:22 1,289 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Application Data\WinAntiSpyware 2006\Logs\update.log.vir
2007-08-19 14:12:51 1,599,402 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npqss.bak2.vir
2007-08-20 14:12:59 1,603,306 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npqss.bak1.vir
2007-08-20 20:20:23 424 C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-08-20 21:00:36 1,229,852 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aqnxbgnt.ini.vir
2007-08-20 22:00:22 1,606,135 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npqss.ini.vir
2008-02-10 19:53:48 84 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol.vir
2008-03-28 03:23:57 139 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Application Data\Macromedia\Flash Player\#SharedObjects\65RCKT6H\interclick.com\ud.sol.vir
2008-08-17 05:11:12 195,072 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lphc3kej0epf1.exe.vir
2008-08-17 21:10:22 32,768 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\UserData\index.dat.vir
2008-08-17 21:12:15 625,208 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\phc3kej0epf1.bmp.vir
2008-08-17 21:12:17 118,784 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\blphc3kej0epf1.scr.vir
2008-08-18 21:15:48 25,088 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00FE19E.dat.vir
2008-08-19 00:59:12 1,164 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Cookies\[email protected][1].txt.vir
2008-08-19 01:00:12 1,805 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Cookies\[email protected][2].txt.vir
2008-08-19 01:29:38 1,629 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Cookies\[email protected][2].txt.vir
2008-08-19 01:52:36 2,262 C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2008-08-19 01:52:46 54 C:\Qoobox\Quarantine\catchme.log
2008-08-19 01:55:34 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-08-19 01:55:34 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-08-19 01:55:34 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-08-19 01:55:38 550 C:\Qoobox\Quarantine\Registry_backups\Notify-__c008AD9.reg.dat
2008-08-19 01:55:38 554 C:\Qoobox\Quarantine\Registry_backups\Notify-__c00A0464.reg.dat
2008-08-19 01:55:38 554 C:\Qoobox\Quarantine\Registry_backups\Notify-__c00FE19E.reg.dat
2008-08-19 01:55:39 568 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ctfmon.reg.dat
2008-08-19 01:55:39 568 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-WinPop.reg.dat
2008-08-19 01:55:39 600 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ExploreUpdSched.reg.dat
2008-08-19 01:55:39 602 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-{C5-5D-D3-30-ZN}.reg.dat
2008-08-19 01:55:39 606 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Uaol.reg.dat
2008-08-19 01:55:39 618 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-meveqazi.reg.dat
2008-08-19 01:55:39 640 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MsnMsgr.reg.dat
2008-08-19 01:55:39 732 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-runner1.reg.dat


Malwarebytes' Anti-Malware 1.25
Database version: 1068
Windows 5.1.2600 Service Pack 2

10:31:22 PM 8/18/2008
mbam-log-08-18-2008 (22-31-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94172
Time elapsed: 19 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphc3kej0epf1.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\umwdf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\umwdf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\umwdf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3kej0epf1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\wdfmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphc3kej0epf1.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\lphc3kej0epf1.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\phc3kej0epf1.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Steve Rogers\Local Settings\temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.

Thanks!!!!
  • 0

#7
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
If you have the combofix log that would help too. It should be located at:

C:\combofix.txt

Let me know if you can't find it.
  • 0

#8
steve_rogers

steve_rogers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix 08-08-18.01 - Steve Rogers 2008-08-18 21:51:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2569 [GMT -4:00]
Running from: C:\Documents and Settings\Steve Rogers\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\#SharedObjects\65RCKT6H\interclick.com
C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\#SharedObjects\65RCKT6H\interclick.com\ud.sol
C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Steve Rogers\Application Data\WinAntiSpyware 2006
C:\Documents and Settings\Steve Rogers\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\Steve Rogers\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve Rogers\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve Rogers\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve Rogers\UserData
C:\Documents and Settings\Steve Rogers\UserData\index.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\mbols~1
C:\WINDOWS\system32\__c00B0A3B.dat
C:\WINDOWS\system32\__c00FE19E.dat
C:\WINDOWS\system32\aqnxbgnt.ini
C:\WINDOWS\system32\blphc3kej0epf1.scr
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\SYSTEM32\gjjlm.bak1
C:\WINDOWS\SYSTEM32\gjjlm.bak2
C:\WINDOWS\SYSTEM32\gjjlm.ini
C:\WINDOWS\SYSTEM32\gjjlm.ini2
C:\WINDOWS\SYSTEM32\gjjlm.tmp
C:\WINDOWS\system32\lphc3kej0epf1.exe
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1\M?crosoft\
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\SYSTEM32\npqss.bak1
C:\WINDOWS\SYSTEM32\npqss.bak2
C:\WINDOWS\SYSTEM32\npqss.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\phc3kej0epf1.bmp
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-17 19:37 . 2008-08-17 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 19:25 . 2008-08-17 19:25 <DIR> d-------- C:\VundoFix Backups
2008-08-14 13:29 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-11 23:05 . 2008-08-11 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-08-11 20:13 . 2008-08-11 20:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-11 20:13 . 2008-08-11 20:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Documents and Settings\Steve Rogers\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 12:35 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\AVG7
2008-08-14 19:10 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Corel
2008-07-05 00:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-01 03:18 --------- d-----w C:\Program Files\Lavasoft
2008-07-01 03:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-01 02:39 --------- d-----w C:\Program Files\ToniArts
2008-07-01 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-01 02:13 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Lavasoft
2008-07-01 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-07 13:54 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 15:37 580096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:28 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\rtejeja.html
FriendlyName=

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blqakbqi]
C:\WINDOWS\??mbols\l?gonui.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 02:05 122939 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 05:04 59392 C:\WINDOWS\EHOME\EHTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 12:23 135168 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-05-18 03:21 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2004-03-11 10:50 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\The All-Seeing Eye\\eye.exe"=
"C:\\Return to Castle Wolfenstein\\WolfMP.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Wolfenstein - Enemy Territorybackup\\ET.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MidTen Media\\Comic Collector Live\\CCL.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\Return to Castle Wolfenstein\\WolfMP.exe"=
"C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\Wolfenstein - Enemy Territory\\ETDED.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-19 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe []

2008-08-14 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-__c008AD9 - C:\WINDOWS\system32\__c008AD9.dat
Notify-__c00A0464 - C:\WINDOWS\system32\__c00A0464.dat
Notify-__c00FE19E - C:\WINDOWS\system32\__c00FE19E.dat
MSConfigStartUp-ctfmon - C:\WINDOWS\system32\ctfmon.exe
MSConfigStartUp-ExploreUpdSched - C:\WINDOWS\system32\lwinomdt.exe
MSConfigStartUp-meveqazi - C:\Program Files\MSN Gaming Zone\meveqazi22011.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-runner1 - C:\WINDOWS\retadpu1000106.exe
MSConfigStartUp-Uaol - C:\WINDOWS\system32\MCROSO~1\wowexec.exe
MSConfigStartUp-WinPop - C:\Program Files\WinPop\winpop.exe
MSConfigStartUp-{C5-5D-D3-30-ZN} - c:\windows\system32\dwdsrngt.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 21:54:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\EHOME\ehRecvr.exe
C:\WINDOWS\EHOME\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\WINDOWS\SYSTEM32\PnkBstrA.exe
C:\WINDOWS\SYSTEM32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\DLLHOST.EXE
.
**************************************************************************
.
Completion time: 2008-08-18 21:55:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 01:55:48

Pre-Run: 286,684,102,656 bytes free
Post-Run: 286,731,984,896 bytes free

200 --- E O F --- 2008-08-15 02:15:54
  • 0

#9
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi Steve,

Just one entry that is disabled with msconfig. Just don't want to see it get mistakenly re-enabled.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\WINDOWS\??mbols

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blqakbqi]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#10
steve_rogers

steve_rogers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix 08-08-19.05 - Steve Rogers 2008-08-20 18:26:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2498 [GMT -4:00]
Running from: C:\Documents and Settings\Steve Rogers\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Rogers\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 21:47 . 2008-08-19 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 21:37 . 2008-08-19 21:37 <DIR> d-------- C:\SDFix.exe
2008-08-19 21:36 . 2008-08-19 21:54 <DIR> d-------- C:\SDFix
2008-08-18 22:32 . 2008-08-18 22:32 <DIR> d--hs---- C:\Documents and Settings\Steve Rogers\UserData
2008-08-18 22:08 . 2008-08-19 17:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 22:08 . 2008-08-18 22:08 <DIR> d-------- C:\Documents and Settings\Steve Rogers\Application Data\Malwarebytes
2008-08-18 22:08 . 2008-08-18 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 22:08 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-18 22:08 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-17 19:37 . 2008-08-17 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 19:25 . 2008-08-17 19:25 <DIR> d-------- C:\VundoFix Backups
2008-08-14 13:29 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-11 23:05 . 2008-08-11 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-08-11 20:13 . 2008-08-11 20:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-11 20:13 . 2008-08-11 20:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Documents and Settings\Steve Rogers\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 12:48 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\AVG7
2008-08-14 19:10 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Corel
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-07-05 22:47 107,832 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-07-05 00:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-04 01:11 43,520 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2008-07-03 00:25 66,872 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2008-07-01 03:18 --------- d-----w C:\Program Files\Lavasoft
2008-07-01 03:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-01 02:39 --------- d-----w C:\Program Files\ToniArts
2008-07-01 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-01 02:13 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Lavasoft
2008-07-01 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
.

((((((((((((((((((((((((((((( [email protected]_21.55.34.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-20 01:47:28 3,678,208 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-20 01:47:28 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-20 01:47:28 3,678,208 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-20 01:47:28 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-07 13:54 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 15:37 580096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:28 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\rtejeja.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 02:05 122939 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 05:04 59392 C:\WINDOWS\EHOME\EHTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 12:23 135168 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-05-18 03:21 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2004-03-11 10:50 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\The All-Seeing Eye\\eye.exe"=
"C:\\Return to Castle Wolfenstein\\WolfMP.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Wolfenstein - Enemy Territorybackup\\ET.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MidTen Media\\Comic Collector Live\\CCL.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\Return to Castle Wolfenstein\\WolfMP.exe"=
"C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\Wolfenstein - Enemy Territory\\ETDED.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-20 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe []

2008-08-14 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe []
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 18:26:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 18:27:26
ComboFix-quarantined-files.txt 2008-08-20 22:27:24
ComboFix2.txt 2008-08-19 01:55:51

Pre-Run: 286,608,039,936 bytes free
Post-Run: 286,619,144,192 bytes free

161 --- E O F --- 2008-08-20 10:49:44

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:48 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtejeja.html

--
End of file - 5530 bytes
  • 0

Advertisements


#11
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Think you're in pretty good shape Steve. Would like to see a Kaspersky scan though...

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

  • 0

#12
steve_rogers

steve_rogers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
scan was clean...absolutely nothing in log....

are there any things I can do to prevent these types of things from hitting me? this one was pretty busy because I saw another 4 people posted threads today about the same problems...
  • 0

#13
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
You're right, this thing is all over the place. It comes in so many ways...here are a couple of examples.

Emails from "CNN" and other places you would trust: http://malwaredataba...php/2008/08/04/
Google Sponsored Results: http://malwaredataba...not-equal-safe/

It spreads through P2P also, and fake video codecs....

Here are some other tools you may want to consider to help prevent these infections.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name it and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evalutation versions that provide
better security than the Windows Firewall. Comodo
Outpost Firewall
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use Zoned Out -
Zoned Out will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Hope these help.
Dave
  • 0

#14
steve_rogers

steve_rogers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for your time! Im glad the system is clean! what is the purpose of this/these virus anyway? unchecked what would be the result?
  • 0

#15
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Most are designed to separate you from your credit card! They produce pop ups claiming you are infected, and for ONLY $49.95 they will "clean" your system. Usually the only infection you have is their malware they just planted on your machine.

The days of "script kiddies" making your machine do funny things are gone. It is now a business and it's motivated by the all mighty dollar. The purveyors of this stuff are serious business people, very corrupt, but serious about getting your money.

Good luck avoiding them, and never give in!
Dave
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP