
Windows Police Pro/ Everything imaginable Malware etc. [Solved]


  • This topic is locked

#46
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good. Do you have the Kaspersky log?
  • 0


#47
BlkTebow

BlkTebow

    Member

  • Topic Starter
  • Member
  • 100 posts
Hey Kahdah, the logs are as follows. I forgot to save the Critical Areas log as a txt, but I'm sure you'll have no problem opening it. The 2nd is the My Computer log; I'll just post that one here and attach the Critical Areas one. Thx!!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 18, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 18, 2009 06:14:59
Records in database: 2847596
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Objects scanned: 77989
Threats found: 26
Infected objects found: 63
Suspicious objects found: 0
Scan duration: 07:03:38


File name / Threat / Threats count
C:\Avenger\10613284\10613284.exe Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UAChxyqjwqvst.sys.vir Infected: Rootkit.Win32.Agent.rqm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp3_899037592126.bk.vir Infected: Trojan-Clicker.Win32.VB.alo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClfqujotehb.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnmwrridvbq.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnssinthnxr.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACsbqaencfmn.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvnfyabwqqp.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-16_19.41.46.zip Infected: Trojan-Downloader.Win32.Agent.bqxc 3
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.rqm 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000002.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000003.dll Infected: Trojan.Win32.Tdss.anrc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000004.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000005.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000045.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000072.exe Infected: Trojan.Win32.Agent.cvaq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000074.exe Infected: Trojan.Win32.Agent.cvaq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000075.exe Infected: Trojan.Win32.Agent.cvaq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000076.exe Infected: Trojan.Win32.Agent.cvaq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000077.exe Infected: Trojan.Win32.FraudPack.tkj 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000078.sys Infected: Backdoor.Win32.UltimateDefender.xm 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000080.exe Infected: Packed.Win32.Krap.x 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000081.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000082.exe Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000089.exe Infected: Trojan.Win32.FraudPack.tcl 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000094.dll Infected: Trojan.Win32.Pakes.npu 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000095.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000098.exe Infected: Trojan-Downloader.Win32.Agent.cokb 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000102.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000103.exe Infected: Trojan-Downloader.Win32.FraudLoad.fmb 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000104.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000105.exe Infected: Trojan-Downloader.Win32.FraudLoad.fms 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000106.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000107.exe Infected: Net-Worm.Win32.Koobface.bmu 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000108.exe Infected: Net-Worm.Win32.Koobface.bmu 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000109.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000111.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000112.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000114.exe Infected: Trojan-Downloader.Win32.Pher.rs 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000116.exe Infected: Packed.Win32.Krap.x 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000119.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000121.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000123.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000127.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.jy 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000130.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000132.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000135.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000136.dll Infected: Trojan.Win32.Tdss.ajvp 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000137.dll Infected: not-a-virus:FraudTool.Win32.AdvancedAntivirus.ix 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000138.exe Infected: Trojan-Downloader.Win32.FraudLoad.fms 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000139.exe Infected: Trojan.Win32.FraudPack.rcj 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000141.exe Infected: Trojan-Downloader.Win32.Pher.rs 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000143.exe Infected: Trojan-Downloader.Win32.FraudLoad.fkw 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000144.dll Infected: Trojan.Win32.Monder.bzea 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000145.exe Infected: Packed.Win32.Krap.x 1
C:\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ay 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0M804N07\aesdfghjgf[1].dll Infected: not-a-virus:FraudTool.Win32.AdvancedAntivirus.ix 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.dhe 1
C:\WINDOWS\system32\tmpxr_450793128625.bk Infected: Trojan.Win32.Agent.afgr 1

Selected area has been scanned.

Attached Files


  • 0
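Of the 63 infected objects in the report above, only four sit on the live system (the entries under c:\windows\system32); the rest are copies inside ComboFix's Qoobox quarantine, Avenger's backup folder, or System Restore points, which is why the helper's next post targets just those four paths and the closing post has the user flush the restore points. The following Python is an added example, not code from the thread or from Kaspersky: it parses lines in the report's format, sorts each hit by location, and renders the surviving live paths as a ComboFix `File::` block. The sample lines are constructed from the posted report, and the path-prefix rules for what counts as quarantine are the editor's assumption.

```python
"""Triage a Kaspersky Online Scanner 7 report before writing a removal script.

Added example, not code from the thread. Sample lines are constructed in the
format of the report posted above; the location rules are an assumption about
what a removal helper checks first.
"""
import re
from collections import Counter

# Constructed sample in the report's own format: "<path> Infected: <name> <count>"
SAMPLE_REPORT = r"""
C:\Avenger\10613284\10613284.exe Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UAChxyqjwqvst.sys.vir Infected: Rootkit.Win32.Agent.rqm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-16_19.41.46.zip Infected: Trojan-Downloader.Win32.Agent.bqxc 3
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.rqm 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000107.exe Infected: Net-Worm.Win32.Koobface.bmu 1
C:\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ay 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0M804N07\aesdfghjgf[1].dll Infected: not-a-virus:FraudTool.Win32.AdvancedAntivirus.ix 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.dhe 1
C:\WINDOWS\system32\tmpxr_450793128625.bk Infected: Trojan.Win32.Agent.afgr 1
"""

# Path first (may contain spaces), then the detection name, then the hit count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumption: these prefixes hold copies made by removal tools, not active files.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",   # ComboFix quarantine (.vir renamed copies)
    "c:\\avenger\\",              # Avenger backups
)
RESTORE_MARKER = "\\system volume information\\_restore"   # XP System Restore points


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for a reported path."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def parse_report(text):
    """Parse report lines into dicts; lines that are not hits are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"],
                         "count": int(m["count"]), "where": classify(m["path"])})
    return hits


def triage(text):
    """Sum hit counts per location and list the live paths that still need action."""
    hits = parse_report(text)
    by_where = Counter()
    for h in hits:
        by_where[h["where"]] += h["count"]
    live = sorted(h["path"] for h in hits if h["where"] == "live")
    return {"counts": dict(by_where), "live_paths": live}


def cfscript_for(paths):
    """Render the live paths as a ComboFix CFScript 'File::' section (format used in the thread)."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["counts"])            # {'quarantine': 5, 'restore_point': 2, 'live': 4}
    print(cfscript_for(result["live_paths"]))
```

Quarantined and restore-point copies are not harmless (a System Restore rollback would put them back), but they are handled by emptying the quarantine and the restore points at the end, not by deleting them one path at a time; the live list is what a CFScript should contain.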

#48
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\tmpxr_450793128625.bk
C:\WINDOWS\system32\stsycod.sys
C:\WINDOWS\system32\asck.exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0M804N07\aesdfghjgf[1].dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
  • 0

#49
BlkTebow

BlkTebow

    Member

  • Topic Starter
  • Member
  • 100 posts
ComboFix 09-09-13.04 - Andy Gossett 09/19/2009 8:12.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.137 [GMT -5:00]
Running from: c:\documents and settings\Andy Gossett\Desktop\kahdah.bat.exe
Command switches used :: c:\documents and settings\Andy Gossett\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090918-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\system32\asck.exe"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0M804N07\aesdfghjgf[1].dll"
"c:\windows\system32\stsycod.sys"
"c:\windows\system32\tmpxr_450793128625.bk"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\asck.exe
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0M804N07\aesdfghjgf[1].dll
c:\windows\system32\stsycod.sys
c:\windows\system32\tmpxr_450793128625.bk

.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-17 12:40 . 2009-09-17 12:40 -------- d-----w- c:\documents and settings\Andy Gossett\Application Data\Malwarebytes
2009-09-17 12:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 12:40 . 2009-09-17 12:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 12:40 . 2009-09-17 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 12:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-16 02:44 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-16 02:37 . 2008-05-08 11:24 155648 ----a-w- c:\windows\system32\wscript.exe
2009-09-15 23:47 . 2009-09-15 23:47 -------- d-----w- C:\_OTS
2009-09-15 23:29 . 2009-09-15 23:29 2474 ----a-w- C:\3.reg
2009-09-15 23:29 . 2009-09-15 23:29 2628 ----a-w- C:\2.reg
2009-09-15 23:29 . 2009-09-15 23:29 2072 ----a-w- C:\1.reg
2009-09-15 23:28 . 2009-09-15 23:28 628 ----a-w- C:\avexport.bat
2009-09-14 02:36 . 2009-09-14 02:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 02:13 . 2009-09-15 23:28 574 ----a-w- C:\cleanup.bat
2009-09-14 02:13 . 2009-09-15 23:28 135168 ----a-w- C:\zip.exe
2009-09-12 06:44 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-12 06:44 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-12 06:44 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-12 06:44 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-12 06:44 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-12 06:44 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-12 06:44 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-12 06:44 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-12 06:43 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-12 06:43 . 2009-09-12 06:43 -------- d-----w- c:\program files\Alwil Software
2009-09-12 05:41 . 2009-09-12 05:41 -------- d-----w- c:\program files\VS Revo Group
2009-09-09 03:20 . 2009-09-09 22:43 -------- d-----w- c:\documents and settings\Andy Gossett\Application Data\Lavasoft
2009-09-07 05:47 . 2009-09-07 05:47 76560 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-07 04:12 . 2009-09-07 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-09-07 04:04 . 2005-09-23 12:29 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-09-07 04:02 . 2009-09-07 04:02 -------- d-sh--w- c:\documents and settings\Andy Gossett\IECompatCache
2009-09-07 03:26 . 2009-09-07 03:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-07 03:26 . 2009-09-07 03:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-05 22:20 . 2009-09-05 22:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-05 19:47 . 2009-09-05 19:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-01 08:15 . 2009-09-11 09:34 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 13:16 . 2007-10-29 07:53 -------- d-----w- c:\program files\PeerGuardian2
2009-09-19 13:12 . 2005-12-03 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-19 13:08 . 2007-09-07 01:16 -------- d-----w- c:\documents and settings\Andy Gossett\Application Data\uTorrent
2009-09-16 03:36 . 2007-11-05 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-15 21:35 . 2009-03-29 18:10 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-08 23:03 . 2007-12-17 23:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-07 03:25 . 2008-11-14 10:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 17:18 . 2006-01-15 00:56 91728 ----a-w- c:\documents and settings\Andy Gossett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 04:38 . 2005-11-27 15:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-14 17:42 . 2007-11-05 08:39 -------- d-----w- c:\program files\MSBuild
2009-08-14 17:40 . 2009-08-14 17:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-11 22:26 . 2007-09-07 23:23 -------- d-----w- c:\documents and settings\Andy Gossett\Application Data\Apple Computer
2009-08-06 20:53 . 2005-11-17 16:08 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:49 . 2009-08-04 21:15 -------- d-----w- c:\program files\Lexmark 1200 Series
2009-08-04 21:47 . 2009-08-04 21:42 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-08-04 21:41 . 2009-08-04 21:31 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-08-04 20:02 . 2006-01-15 00:55 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-04 20:02 . 2007-08-15 16:54 88 --sh--r- c:\windows\system32\3BCEB709B6.sys
2009-07-27 05:36 . 2007-03-19 19:43 -------- d-----w- c:\documents and settings\Andy Gossett\Application Data\LimeWire
2009-07-25 10:23 . 2008-12-07 18:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-10-31 05:17 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 18:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 18:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 18:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 18:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 18:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 18:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-16_02.23.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-19 07:50 . 2009-09-19 07:50 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
- 2007-11-05 08:46 . 2009-08-13 06:55 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2004-08-10 18:51 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 18:51 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-20 16:48 . 2009-03-20 16:48 183808 c:\windows\Installer\7f1c8.msp
- 2007-11-05 08:46 . 2009-08-13 06:55 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2007-11-05 08:46 . 2009-08-13 06:55 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-09-16 03:35 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-16 03:35 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-16 03:35 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2004-08-10 18:51 . 2008-06-18 11:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-10 18:51 . 2009-05-20 09:56 2458112 c:\windows\system32\WMVCore.dll
- 2004-08-10 18:51 . 2008-06-18 11:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-10 18:51 . 2009-05-20 09:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-18 17:56 . 2009-08-18 17:56 5020672 c:\windows\Installer\460947.msp
- 2007-11-05 08:46 . 2009-08-13 06:55 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-11-05 08:46 . 2009-09-16 03:36 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2007-11-05 08:46 . 2009-08-13 06:54 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-09-16 03:38 . 2009-08-28 19:38 24689600 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-05-09 4608]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\Andy Gossett\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-17 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2837:UDP"= 2837:UDP:Windows Media Format SDK (Indt2.sys)
"3074:UDP"= 3074:UDP:Xbox (192.168.0.3074) 3074 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/12/2009 1:44 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/12/2009 1:44 AM 20560]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/5/2008 9:02 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/5/2008 9:02 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31254ED7-8950-E631-0606-040707080607}]
c:\windows\Nvcpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-19 c:\windows\Tasks\User_Feed_Synchronization-{0DFD9271-E81E-420E-80C9-B89111248B6F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: aol.com\free
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 08:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-19 8:22
ComboFix-quarantined-files.txt 2009-09-19 13:21
ComboFix2.txt 2009-09-17 01:47
ComboFix3.txt 2009-09-16 02:42

Pre-Run: 18,795,999,232 bytes free
Post-Run: 18,872,815,616 bytes free

Current=13 Default=13 Failed=12 LastKnownGood=14 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
258 --- E O F --- 2009-09-19 01:41
  • 0
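The ComboFix log above carries a REGEDIT4-style "Reg Loading Points" section, and a few of its values deserve a deliberate look rather than a scroll past: under the Security Center key, AntiVirusOverride and the DisableMonitoring values are set to 1, which silences the XP Security Center's antivirus and firewall status alerts, and the Windows Firewall AuthorizedApplications list includes LimeWire and uTorrent, the file-sharing clients the closing post warns about. The following Python is an added example, not the forum's or ComboFix's code: it parses that section from a constructed excerpt of the log and applies those two checks. Which values count as suspicious is the editor's assumption; AntiVirusOverride in particular is also set by some legitimate third-party AV products to stop Security Center nagging, so confirm a value is unintended before changing it.

```python
"""Audit the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log.

Added example, not code from the thread or from ComboFix. The excerpt below is
constructed from the log posted above; the rules are the editor's assumptions.
"""
import re

# Constructed excerpt, same layout as the posted log (ComboFix writes "~" for
# "SYSTEM\CurrentControlSet" and escapes backslashes in firewall entries).
SAMPLE_REG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\path]
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')  # "name"=value (value may be empty)

# Assumption: file-sharing clients a removal helper would call out.
P2P_HINTS = ("limewire", "utorrent", "kazaa", "emule", "bittorrent")


def parse_regedit(text):
    """Return (key, name, value) triples; values keep their raw text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            entries.append((key, m["name"], m["value"]))
    return entries


def is_dword_one(value):
    return value.strip().lower() == "dword:00000001"


def audit(entries):
    """Flag Security Center overrides and firewall exceptions for P2P clients."""
    findings = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        if "security center" in k and n == "antivirusoverride" and is_dword_one(value):
            findings.append(f"Security Center antivirus alerting overridden: {key}\\{name}")
        elif "security center" in k and n == "disablemonitoring" and is_dword_one(value):
            findings.append(f"Security Center monitoring disabled: {key}")
        elif "authorizedapplications" in k:
            exe = name.replace("\\\\", "\\")   # undo the log's doubled backslashes
            if any(h in exe.lower() for h in P2P_HINTS):
                findings.append(f"Firewall exception for file-sharing client: {exe}")
    return findings


if __name__ == "__main__":
    for f in audit(parse_regedit(SAMPLE_REG)):
        print(f)
```

Running it over the excerpt yields five findings: one AntiVirusOverride, two DisableMonitoring keys, and the two P2P firewall exceptions. Each is a prompt to ask whether the setting was chosen on purpose, not a verdict that it is malicious.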

#50
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse. Once you have done that, click on the Open button, then Submit.)

c:\windows\Nvcpl.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0

#51
BlkTebow

BlkTebow

    Member

  • Topic Starter
  • Member
  • 100 posts
Hey K, it says "file not found" when I copy and paste c:\windows\Nvcpl.exe and click Open....
  • 0

#52
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good. Are things back to normal?
  • 0

#53
BlkTebow

BlkTebow

    Member

  • Topic Starter
  • Member
  • 100 posts
Hey Kah, yeah, things are pretty much back to normal, but I still couldn't get that file to come up in either of the file scanners..... Is that a problem??
  • 0

#54
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No it just means that it isn't there.
Nothing to worry about.

=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
======Next======
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingc...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================
After that you're all set. :)


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, e.g. BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc...
  • 0

#55
BlkTebow

BlkTebow

    Member

  • Topic Starter
  • Member
  • 100 posts
AWESOME KAH!!! First off, I'd like to say thank you for being patient with me, because I was getting very discouraged at first, since my comp has NEVER been this infected (I really got tired of starting and restarting my comp at least 10 times to get it to load in Safe Mode, LOL). I really appreciate what all of y'all are doing here, and lastly, I'll let you know whenever I complete all of my steps in the next reply!!
:)
  • 0


#56
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome once those steps are complete I will close this thread.
  • 0

#57
BlkTebow

BlkTebow

    Member

  • Topic Starter
  • Member
  • 100 posts
completed!
  • 0

#58
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#59
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





