
Win32/Heur/Tanotos.M infection



#1
Argel

    New Member

  • Member
  • 5 posts
Hello.

After reading another topic on a similar (sounding) virus, I have had no luck and have decided to ask for more personal assistance.

Unfortunately, for some reason I cannot access Kaspersky or ESET in any browser. I've tried plenty of times with no joy. I had got down to that part of this thread: before I realised that I couldn't proceed any further.

Rooter log:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:117239 Mo/Free:3240 Mo)
D:\ [CD-Rom] (Total:2152 Mo/Free:0 Mo)

11/04/2009|16:36

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\AVG\AVG8\avgwdsvc.exe
---------- C:\Program Files\Belkin\F5D7051\WLService.exe
---------- C:\WINDOWS\system32\CTsvcCDA.exe
---------- C:\Program Files\Prevx\prevx.exe
---------- C:\WINDOWS\runservice.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\AVG\AVG8\avgrsx.exe
---------- C:\Program Files\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\Prevx\prevx.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\AVG\AVG8\avgtray.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\MSN Messenger\msnmsgr.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\DOCUME~1\Shaun\LOCALS~1\Temp\mmoyfb.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\Program Files\AVG\AVG8\avgui.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\Shaun\Desktop\Crack\serial.txt
C:\DOCUME~1\Shaun\Desktop\Easy Hi-Q Recorder\Easy Hi-Q Recorder\keygen.exe
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\Read Me.txt
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\tracked_by_h33t_com.txt
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\Crack\tunebite.exe
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\Setup\tunebite.exe
C:\DOCUME~1\Shaun\Local Settings\Application Data\ApplicationHistory\Keygen.exe.5f8ca931.ini
C:\DOCUME~1\Shaun\My Documents\Battlefield.2.Keygen-ViTALiTY\vtl-bf2k.rar
C:\DOCUME~1\Shaun\My Documents\Morpheus Shared\Downloads\Final Draft 7.0 with crack.zip


1 - "C:\Rooter$\Rooter_1.txt" - 11/04/2009|16:31
2 - "C:\Rooter$\Rooter_2.txt" - 11/04/2009|16:36

----------------------\\ Scan completed at 16:36


  • 0


#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Argel

Welcome to G2Go.

This here is why you are infected:

Cracks & Keygens..

C:\DOCUME~1\Shaun\Desktop\Crack\serial.txt
C:\DOCUME~1\Shaun\Desktop\Easy Hi-Q Recorder\Easy Hi-Q Recorder\keygen.exe
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\Read Me.txt
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\tracked_by_h33t_com.txt
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\Crack\tunebite.exe
C:\DOCUME~1\Shaun\Desktop\Tunebite Platinum Edition v4.1.0.35 +crack\Setup\tunebite.exe
C:\DOCUME~1\Shaun\Local Settings\Application Data\ApplicationHistory\Keygen.exe.5f8ca931.ini
C:\DOCUME~1\Shaun\My Documents\Battlefield.2.Keygen-ViTALiTY\vtl-bf2k.rar
C:\DOCUME~1\Shaun\My Documents\Morpheus Shared\Downloads\Final Draft 7.0 with crack.zip

Using these types of software will always end up infecting you.
We will not help you here if after this warning you continue to use this type of software and keep coming to us to get cleaned up.
=====================
  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

  • 0

#3
Argel

    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi

I no longer use pirated software so that won't be an issue.

I've enclosed the logs as for some reason they wouldn't attach earlier in the day (ie: when I made the OP)

Thanks for your help

Shaun

Attached Files

  • Attached File  logs.txt   77.39KB   191 downloads

  • 0

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi, delete your version of ComboFix, then do the following:
Plug in all of your flash drives before running Combofix:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5
Argel

    New Member

  • Topic Starter
  • Member
  • 5 posts
ComboFix 09-04-04.01 - Shaun 2009-04-12 12:56:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1558 [GMT 1:00]
Running from: c:\documents and settings\Shaun\My Documents\Sports Interactive\Football Manager 2009\schedules\ComboFix1.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-11 16:29 . 2009-04-11 16:36 <DIR> d-------- C:\Rooter$
2009-04-11 15:18 . 2009-04-11 15:52 <DIR> d-------- C:\ComboFix
2009-04-11 10:42 . 2009-04-11 10:42 <DIR> d-------- c:\program files\AVG
2009-04-11 10:42 . 2009-04-11 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-06 23:10 . 2009-04-10 15:13 <DIR> d-------- c:\documents and settings\Shaun\Application Data\LimeWire
2009-04-06 23:04 . 2009-04-11 16:09 <DIR> d-------- c:\program files\LimeWire
2009-03-20 14:47 . 2009-04-10 14:24 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-20 14:47 . 2009-03-20 14:47 1,409 --a------ c:\windows\QTFont.for
2009-03-17 18:33 . 2009-03-17 18:33 <DIR> d-------- c:\documents and settings\Shaun\Application Data\GarageGames
2009-03-14 13:27 . 2009-03-14 13:27 <DIR> d-------- c:\program files\WinAVI MP4 Converter
2009-03-14 13:23 . 2009-03-14 13:23 <DIR> d-------- c:\documents and settings\Shaun\Application Data\ImTOO Software Studio
2009-03-14 13:13 . 2003-05-22 01:50 261,632 --a------ c:\windows\system32\mcdvd_32.dll
2009-03-14 13:12 . 2009-03-14 13:12 <DIR> d-------- c:\program files\4U Computing
2009-03-14 13:12 . 2005-04-18 12:21 2,564,096 --a------ c:\windows\system32\NCTAudioCompress3.dll
2009-03-14 13:12 . 2005-04-14 20:07 2,260,992 --a------ c:\windows\system32\NCTVideoCompress.dll
2009-03-14 13:12 . 2005-04-15 15:25 1,986,560 --a------ c:\windows\system32\NCTAudioFile2.dll
2009-03-14 13:12 . 2005-04-13 12:32 1,810,432 --a------ c:\windows\system32\NCTAudioCompress2.dll
2009-03-14 13:12 . 2005-04-21 19:23 1,245,184 --a------ c:\windows\system32\NCTRMFile.dll
2009-03-14 13:12 . 2005-04-18 20:01 991,232 --a------ c:\windows\system32\NCTVideoCoreM.dll
2009-03-14 13:12 . 2005-04-14 20:05 294,912 --a------ c:\windows\system32\NCTAVIFile.dll
2009-03-14 13:12 . 2005-04-21 18:15 282,624 --a------ c:\windows\system32\NCTQuickTimeFile.dll
2009-03-14 13:12 . 2005-04-14 20:06 196,608 --a------ c:\windows\system32\NCTWMVFile.dll
2009-03-14 13:12 . 2005-04-18 16:14 139,264 --a------ c:\windows\system32\NCTVideoFile.dll
2009-03-14 13:12 . 2003-08-07 15:01 126,464 --a------ c:\windows\system32\lame_enc.dll
2009-03-14 13:12 . 2005-03-03 18:18 106,496 --a------ c:\windows\system32\NCTVideoCoreU.dll
2009-03-14 12:08 . 2009-04-11 11:33 <DIR> d-------- C:\Fraps
2009-03-14 12:08 . 2009-03-14 13:52 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 18:34 . 2009-04-11 12:21 <DIR> d-------- c:\program files\StuffPlug3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 10:54 --------- d-----w c:\program files\Corel
2009-04-12 10:50 --------- d-----w c:\program files\Nokia
2009-04-12 10:49 --------- d-----w c:\documents and settings\Shaun\Application Data\Corel
2009-04-12 10:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-12 10:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-12 10:32 --------- d-----w c:\program files\Panda Security
2009-04-12 10:13 --------- d-----w c:\program files\Replay Screencast
2009-04-11 14:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 14:08 --------- d-----w c:\program files\MSN Messenger
2009-04-11 11:24 --------- d-----w c:\program files\Windows Journal Viewer
2009-04-11 11:24 --------- d-----w c:\program files\Winamp
2009-04-11 11:23 --------- d-----w c:\program files\uTorrent
2009-04-11 11:21 --------- d-----w c:\program files\SUPERAntiSpyware
2009-04-11 11:15 --------- d-----w c:\program files\SmartFTP Client 3.0 Setup Files
2009-04-11 11:15 --------- d-----w c:\program files\Sierra On-Line
2009-04-11 11:12 --------- d-----w c:\program files\QuickTime
2009-04-11 11:11 --------- d-----w c:\program files\PowerISO
2009-04-11 11:05 --------- d-----w c:\program files\MyPhoneExplorer
2009-04-11 11:04 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-11 11:02 --------- d-----w c:\program files\Mount&Blade
2009-04-11 10:57 --------- d-----w c:\program files\MessengerPlus! 3
2009-04-11 10:55 --------- d-----w c:\program files\Last.fm Player
2009-04-11 10:52 --------- d-----w c:\program files\iTunes
2009-04-11 10:49 --------- d-----w c:\program files\Front Page Express
2009-04-11 10:49 --------- d-----w c:\program files\FREE Hi-Q Recorder
2009-04-11 10:49 --------- d-----w c:\program files\Free Download Manager
2009-04-11 10:49 --------- d-----w c:\program files\ffdshow
2009-04-11 10:49 --------- d-----w c:\program files\eMule
2009-04-11 10:48 --------- d-----w c:\program files\Easy Hi-Q Recorder
2009-04-11 10:48 --------- d-----w c:\program files\DOSBox-0.63
2009-04-11 10:48 --------- d-----w c:\program files\DivX
2009-04-11 10:44 --------- d-----w c:\program files\CoreFTP
2009-04-11 10:40 --------- d-----w c:\program files\Cliprex DVD Player Professional
2009-04-11 10:39 --------- d-----w c:\program files\BitTorrent
2009-04-11 10:34 204,800 ----a-w C:\haspsp3.exe
2009-04-11 10:34 134,144 ----a-w C:\HAres.exe
2009-04-11 10:33 341,504 ----a-w C:\FairUse4WM.exe
2009-04-10 13:06 --------- d-----w c:\program files\Common Files\Nokia
2009-04-10 13:06 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-04-06 21:58 --------- d---a-w c:\documents and settings\All Users\Application Data\Sports Interactive
2009-04-06 14:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 16:15 --------- d-----w c:\program files\Sports Interactive
2009-03-27 18:32 --------- d-----w c:\program files\Morpheus
2009-03-14 12:22 --------- d-----w c:\program files\ImTOO
2009-03-04 20:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-04 20:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-13 21:35 --------- d-----w c:\documents and settings\Shaun\Application Data\Thunderbird
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-23 19:32 102,400 ----a-w c:\windows\DUMP99a0.tmp
2008-07-13 11:05 9,569 ----a-w c:\program files\familykeylogger-2.83.zip
2008-03-31 19:18 31,633,868 ----a-w c:\program files\stream.2008-03-31.191224.mp3
2006-07-03 13:30 26,236,850 ----a-w c:\program files\clubs.zip
2008-12-20 17:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 17:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 17:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 17:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 17:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-02-19 16:53 168 --sh--r c:\windows\system32\43FEE08A7F.sys
2008-02-19 16:53 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-03-21 21:26 938 --sh--w c:\windows\system32\vpf95j.dll
.

------- Sigcheck -------

2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 11:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 13:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 20:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
2008-06-20 12:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 12:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-11_15.47.46.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-26 13:38:34 140,296 ----a-w c:\windows\dxsdkuninst.exe
+ 2008-12-26 13:38:34 209,928 ----a-w c:\windows\dxsdkuninst.exe
- 1998-10-29 15:45:06 306,688 ----a-w c:\windows\IsUninst.exe
+ 1998-10-29 15:45:06 380,416 ----a-w c:\windows\IsUninst.exe
- 2007-01-06 19:07:45 737,280 ----a-w c:\windows\iun6002.exe
+ 2007-01-06 19:07:45 815,104 ----a-w c:\windows\iun6002.exe
- 2008-05-05 14:40:36 73,216 ----a-w c:\windows\ST6UNST.EXE
+ 2008-05-05 14:40:36 142,848 ----a-w c:\windows\ST6UNST.EXE
- 2006-04-06 09:54:38 73,728 ----a-w c:\windows\system32\asuninst.exe
+ 2006-04-06 09:54:38 143,360 ----a-w c:\windows\system32\asuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2009-04-11 5734400]
"AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2008-11-30 657408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-04-11 8720384]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-02-12 16:22 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nokia Nseries PC Suite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nokia Nseries PC Suite.lnk
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shaun^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shaun\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shaun^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Shaun\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shaun^Start Menu^Programs^Startup^Morpheus.lnk]
path=c:\documents and settings\Shaun\Start Menu\Programs\Startup\Morpheus.lnk
backup=c:\windows\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 01:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2009-04-11 10:46 8720384 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2007-06-09 02:28 310520 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-04-11 12:12 282624 c:\program files\QuickTime\bak\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCDEmuApp.exe]
--a------ 2009-04-11 12:11 167936 c:\program files\PowerISO\SCDEmuApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
--a------ 2002-07-12 11:15 106496 c:\windows\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-04-11 11:54 221184 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-04-11 12:21 1806336 c:\program files\SUPERAntiSpyware\ed77494d-9c44-4899-9264-e34125fc036e.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-04-08 03:37 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"PnkBstrA"=2 (0x2)
"iPodService"=3 (0x3)
"FirebirdServerDefaultInstance"=3 (0x3)
"FirebirdGuardianDefaultInstance"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"Microsoft SSL Client"= c:\windows\system32\msissl.exe
"Microsoft Web Browser"= c:\windows\system32\ntweb.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\PROGRAM FILES\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\SNDVOL32.EXE"=
"c:\\Program Files\\Ray Adams\\ATI Tray Tools\\atitray.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2008-09-08 18336]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-12-16 2560]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\elmrrk.sys --> c:\windows\system32\drivers\elmrrk.sys [?]
R4 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
S3 ATICDSDr;ATICDSDr;c:\windows\system32\atiicdxx.sys [2008-11-27 6144]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-27 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-12-27 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - CSIScanner

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e0a4fed-bcb7-11dd-b2ba-0011507d963b}]
\Shell\AutoRun\command - g:\setup\rsrc\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b4e9c34-d735-11dd-b325-0011507d963b}]
\sHell\AutopLAY\CoMMAnd - E:\uhsvoa.exe
\sHell\AutoRun\command - E:\uhsvoa.exe
\sHell\eXPlOrE\ComMand - E:\uhsvoa.exe
\sHell\oPen\CoMmAnd - E:\uhsvoa.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
MSConfigStartUp-Nitro PDF Printer Monitor - c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\program files\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
FF - ProfilePath - c:\documents and settings\Shaun\Application Data\Mozilla\Firefox\Profiles\xnjmg5k2.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 13:00:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-1417001333-682003330-1004\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\Shaun\\My Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Shaun\\My Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\Shaun\\My Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Documents and Settings\\Shaun\\Local Settings\\Temp\\wzf629\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\db\\900\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000046
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="74-F6D5-0D11"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
"GraphStep"=dword:00000000

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-12 13:04:59
ComboFix-quarantined-files.txt 2009-04-12 12:04:09
ComboFix2.txt 2009-04-11 14:52:14

Pre-Run: 5,506,396,160 bytes free
Post-Run: 5,413,490,688 bytes free

Current=6 Default=6 Failed=3 LastKnownGood=7 Sets=1,2,3,4,5,6,7
365 --- E O F --- 2009-03-13 22:11:19
  • 0
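A triage pass over the "Reg Loading Points" section of the ComboFix log above, added here as an example and not part of the original thread or of ComboFix itself: it parses the log's key/value layout and lists entries that switch off Task Manager, the registry editor, the firewall or Security Center alerts, plus MountPoints2 autorun commands. The finding labels and the "scrambled verb casing" heuristic are assumptions chosen for this example; the input is an excerpt copied from the log.

```python
import re

# Excerpt copied from the ComboFix log posted above (Reg Loading Points).
LOG_EXCERPT = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b4e9c34-d735-11dd-b325-0011507d963b}]
\sHell\AutopLAY\CoMMAnd - E:\uhsvoa.exe
\sHell\AutoRun\command - E:\uhsvoa.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')                 # [registry key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')  # "name"= data
SHELL_RE = re.compile(r'^\\(?P<verb>\S+) - (?P<cmd>.+)$')  # \Shell\verb\command - path

# (key suffix, value name) -> number that means the protection is switched off
TAMPER_VALUES = {
    (r'\policies\system', 'disabletaskmgr'): 1,
    (r'\policies\system', 'disableregistrytools'): 1,
    (r'\firewallpolicy\standardprofile', 'enablefirewall'): 0,
}
# Mixed-case spellings that are normal for autorun verbs (assumption).
KNOWN_CAMEL = {'AutoRun', 'AutoPlay'}


def parse_number(data):
    """Return the integer in '1 (0x1)' or 'dword:00000001', else None."""
    data = data.strip()
    m = re.match(r'dword:([0-9a-fA-F]{8})$', data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9a-fA-F]+\)$', data)
    return int(m.group(1)) if m else None


def is_scrambled(component):
    """True for casing such as 'sHell' or 'CoMMAnd' (heuristic)."""
    return (component not in KNOWN_CAMEL
            and component not in (component.lower(), component.upper(),
                                  component.capitalize()))


def iter_entries(text):
    """Yield (key, kind, name, data) for each value or shell line in the log."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, 'value', m.group('name'), m.group('data').strip()
            continue
        m = SHELL_RE.match(line)
        if m:
            yield key, 'shell', m.group('verb'), m.group('cmd').strip()


def triage(text):
    """Return a list of (label, item, registry key) findings to review."""
    findings = []
    for key, kind, name, data in iter_entries(text):
        lkey = key.lower()
        if kind == 'value':
            num = parse_number(data)
            for (suffix, vname), bad in TAMPER_VALUES.items():
                if lkey.endswith(suffix) and name.lower() == vname and num == bad:
                    findings.append(('tamper', name, key))
            if ('\\security center' in lkey and num == 1
                    and name.lower().endswith(('override', 'disablenotify'))):
                findings.append(('security-center', name, key))
        elif kind == 'shell' and '\\mountpoints2\\' in lkey:
            scrambled = any(is_scrambled(c) for c in name.split('\\'))
            label = 'autorun-scrambled' if scrambled else 'autorun-review'
            findings.append((label, data, key))
    return findings


if __name__ == '__main__':
    for label, item, key in triage(LOG_EXCERPT):
        print(f'{label:18} {item:24} {key}')
```

A `tamper` or `security-center` hit can also come from an administrator's policy, so each finding is a prompt to check who set the value rather than a verdict.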

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#7
Argel

    New Member

  • Topic Starter
  • Member
  • 5 posts
Downloaded and used ATF (as before)

Again, I can't access Kaspersky. It just doesn't work, I can only assume that the viruses are blocking me from accessing it, in the same way they are stopping me installing some AV software.
  • 0

#8
Argel

    New Member

  • Topic Starter
  • Member
  • 5 posts
I've also tried re-installing Firefox/IE and still can't access any website with Kaspersky in its address
  • 0

#9
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok, please try the Kaspersky scan again and let me know if you can reach their site.
  • 0





