MBAM found 40 viruses and spy bot found some too


This topic is locked

#16 elkski (Member, Topic Starter, 172 posts)

ComboFix 10-12-06.04 - Randy 12/07/2010 12:18:03.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2452 [GMT -7:00]
Running from: c:\documents and settings\Randy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Randy\Desktop\CFScript.txt
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

file zipped: c:\documents and settings\Randy\mhshkrqmwp.tmp
.

((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
.

2010-12-05 23:59 . 2010-12-05 23:59 -------- d-----w- C:\_OTL
2010-12-05 23:04 . 2010-12-05 23:04 0 ---ha-w- c:\documents and settings\Randy\mhshkrqmwp.tmp
2010-12-05 01:05 . 2010-12-05 01:05 -------- d-----w- c:\documents and settings\Randy\Application Data\TeamViewer
2010-12-05 01:05 . 2010-12-05 01:05 -------- d-----w- c:\program files\TeamViewer
2010-12-03 18:11 . 2010-12-07 13:37 -------- d-----w- c:\documents and settings\Randy\Application Data\skypePM
2010-12-03 18:10 . 2010-12-03 18:10 -------- d-----w- c:\program files\Common Files\Skype
2010-12-03 18:10 . 2010-12-07 13:37 -------- d-----w- c:\documents and settings\Randy\Application Data\Skype
2010-12-03 18:10 . 2010-12-03 18:11 -------- d-----r- c:\program files\Skype
2010-12-03 18:10 . 2010-12-03 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-12-03 16:17 . 2010-12-03 16:17 203776 --sh--w- c:\windows\system32\unrar.exe
2010-12-03 16:10 . 2010-12-03 16:10 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-03 15:36 . 2010-12-03 16:51 -------- d-----w- c:\documents and settings\Randy\Application Data\Cabos
2010-12-03 15:35 . 2010-12-03 15:36 -------- d-----w- c:\program files\Cabos
2010-12-03 02:11 . 2010-12-03 02:11 -------- d-----w- c:\program files\iPod
2010-12-03 02:11 . 2010-12-03 02:12 -------- d-----w- c:\program files\iTunes
2010-12-03 02:08 . 2010-09-28 22:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-12-03 02:08 . 2010-09-28 22:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-03 02:08 . 2010-12-03 02:08 -------- d-----w- c:\program files\Bonjour
2010-12-03 02:04 . 2010-12-03 02:04 -------- d-----w- c:\program files\Safari
2010-11-19 00:38 . 2010-11-19 00:38 -------- d-s---w- c:\documents and settings\Friend\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 00:42 . 2009-12-27 20:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 00:42 . 2009-12-27 20:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-07 19:23 . 2010-10-07 19:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 19:23 . 2010-10-07 19:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Friend\UserData ----

2010-11-20 15:01 . 2010-11-20 15:01 28 ----a-w- c:\documents and settings\Friend\UserData\IFA8N5W6\comcast[1].xml
2010-11-19 00:38 . 2010-11-20 15:01 32768 ----a-w- c:\documents and settings\Friend\UserData\index.dat


((((((((((((((((((((((((((((( Snapshot@2010-12-07_01.55.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-07 19:22 . 2010-12-07 19:22 16384 c:\windows\Temp\Perflib_Perfdata_310.dat
+ 2010-12-07 19:21 . 2010-12-07 19:21 16384 c:\windows\Temp\Perflib_Perfdata_258.dat
+ 2001-08-23 12:00 . 2010-12-07 19:25 68360 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-07 00:58 68360 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-07 00:58 435590 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2010-12-07 19:25 435590 c:\windows\system32\perfh009.dat
+ 2010-12-07 13:36 . 2010-12-07 13:36 667648 c:\windows\ERDNT\AutoBackup\12-7-2010\Users\00000002\UsrClass.dat
+ 2010-12-07 13:36 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\12-7-2010\ERDNT.EXE
+ 2010-12-07 13:36 . 2010-12-07 13:36 8019968 c:\windows\ERDNT\AutoBackup\12-7-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerPanel Personal Edition User Interaction"="c:\program files\GEEK SQUAD POWER MANAGEMENT\pppeuser.exe" [2005-09-21 270336]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-02-17 5244216]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]
"DT LGE"="c:\program files\Portrait Displays\forteManager\DTHtml.exe" [2007-02-01 285696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-14 198160]
"Auto Auto EPSON Stylus CX7800 Series on 9200Q6600 on CHERYL"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]
"Auto EPSON Stylus CX7800 Series on DOCSLAPTOP"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]
"Auto EPSON Stylus CX7800 Series on COMPUTERAUTUMN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Randy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/25/2010 9:39 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/25/2010 9:39 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/25/2010 9:39 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101201.001\IDSXpx86.sys [12/6/2010 2:54 PM 341944]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/25/2010 9:39 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:20 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/13/2009 5:10 PM 135664]
S2 Netman32;Network Connections ;c:\windows\system32\msgina32.exe --> c:\windows\system32\msgina32.exe [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [11/13/2009 2:54 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [11/13/2009 2:54 PM 17408]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/16/2009 4:51 PM 627072]
.
Contents of the 'Scheduled Tasks' folder

2010-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 00:10]

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 00:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\rj5p8oa5.default\
FF - prefs.js: browser.search.selectedEngine - BearShare Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com/web?src=ffb&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Randy\Application Data\Mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: eSnipe.com SnipeIt!: [email protected] - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\rj5p8oa5.default\extensions\[email protected]
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\rj5p8oa5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\rj5p8oa5.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-07 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(8020)
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\geeksquad\upssrv.exe
c:\program files\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\geeksquad\upsio.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\GEEK SQUAD POWER MANAGEMENT\ppped.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-12-07 12:36:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-07 19:36
ComboFix2.txt 2010-12-07 13:45
ComboFix3.txt 2010-12-07 01:56

Pre-Run: 55,164,301,312 bytes free
Post-Run: 55,143,931,904 bytes free

- - End Of File - - C4D6ADF26E9984237158BA074936BF06


#17 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Please post the other logs when you get a chance.

#18 elkski (Member, Topic Starter, 172 posts)

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5263

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/7/2010 12:47:53 PM
mbam-log-2010-12-07 (12-47-53).txt

Scan type: Quick scan
Objects scanned: 178442
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Randy\my documents\downloads\quicktime_update_kb081312.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\documents and settings\Randy\my documents\downloads\quicktime_update_kb485156.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000a54567bb1079c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000a54567bb1079o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000a54567bb1079p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000a54567bb1079s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

#19 elkski (Member, Topic Starter, 172 posts)

ESET Scan

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CNwAQdN.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\WinMaximizer\WinMaximizer\InstallCache\{B6796CC9-76A5-46C8-BF10-B057474FECA3}\WinMaximizer.msi a variant of Win32/SlowPCfighter application
C:\Documents and Settings\Randy\My Documents\Downloads\WinMaximizer.exe a variant of Win32/SlowPCfighter application
C:\Qoobox\Quarantine\C\Documents and Settings\cheryl\Application Data\Mozilla\Firefox\Profiles\00gfyzfr.default\extensions\{264f1066-3d4c-484c-9e93-110eced6217c}\chrome\xulcache.jar.vir JS/Agent.NCP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\cheryl\Application Data\Mozilla\Firefox\Profiles\00gfyzfr.default\extensions\{4923d434-cd56-42f4-912b-89adfd19e91d}\chrome\xulcache.jar.vir JS/Agent.NCP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\x6ahsiu4.default\extensions\{264f1066-3d4c-484c-9e93-110eced6217c}\chrome\xulcache.jar.vir JS/Agent.NCP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\x6ahsiu4.default\extensions\{4923d434-cd56-42f4-912b-89adfd19e91d}\chrome\xulcache.jar.vir JS/Agent.NCP trojan
C:\_OTL\MovedFiles\12062010_175210\C_Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\rj5p8oa5.default\extensions\{264f1066-3d4c-484c-9e93-110eced6217c}\chrome\xulcache.jar JS/Agent.NCP trojan
C:\_OTL\MovedFiles\12062010_175210\C_Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\rj5p8oa5.default\extensions\{4923d434-cd56-42f4-912b-89adfd19e91d}\chrome\xulcache.jar JS/Agent.NCP trojan

Edited by elkski, 07 December 2010 - 02:41 PM.


#20 elkski (Member, Topic Starter, 172 posts)

Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 9.4.1
Mozilla Firefox (3.6.9)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

#21 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

How are things running?

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :Services
    :OTL
    :Reg
    
    :Files
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CNwAQdN.zip
    C:\Documents and Settings\All Users\Application Data\WinMaximizer\WinMaximizer\InstallCache\{B6796CC9-76A5-46C8-BF10-B057474FECA3}\WinMaximizer.msi
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<. Foxit Reader has fewer add-ons and therefore loads more quickly.



NEXT:



Java Outdated
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note:
The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.


NEXT



Update Firefox
You are currently using an outdated version of Firefox. The latest version of Firefox is 3.6.12.

You can get the latest version of Firefox by accessing the Help menu in Firefox and then selecting Check for Updates. Please make sure that you Check for Updates again after updating to the latest version to make sure that you have in fact received the latest version.

#22 elkski (Member, Topic Starter, 172 posts)

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CNwAQdN.zip moved successfully.
C:\Documents and Settings\All Users\Application Data\WinMaximizer\WinMaximizer\InstallCache\{B6796CC9-76A5-46C8-BF10-B057474FECA3}\WinMaximizer.msi moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Randy\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Randy\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Aspen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Autumn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: cheryl
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 43966677 bytes
->Flash cache emptied: 456 bytes

User: Cheryl's old laptop data

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Friend
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Randy
->Temp folder emptied: 870284 bytes
->Temporary Internet Files folder emptied: 667383 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 63194386 bytes
->Flash cache emptied: 2482 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 104.00 mb


[EMPTYFLASH]

User: All Users

User: Aspen

User: Autumn

User: cheryl
->Flash cache emptied: 0 bytes

User: Cheryl's old laptop data

User: Default User
->Flash cache emptied: 0 bytes

User: Friend
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Randy
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12072010_152929

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\JETF695.tmp not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_33c.dat not found!

Registry entries deleted on Reboot...

#23 elkski (Member, Topic Starter, 172 posts)

OK, all things are done. It has been running fine; the lagging I was experiencing seems to be gone for now.
What about that last run that found the 9 viruses, where you had me check to not delete them?

#24 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

The rest of the files that were detected by ESET Online Scanner will be dealt with once you run the clean-up procedures below.



Please do the following:

Go to Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Documents and Settings\Randy\My Documents\Downloads\WinMaximizer.exe"



Your logs appear to be clean, so if you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.



Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :Commands
    [ClearAllRestorePoints]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Clean-Up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  • Reopen OTL on your desktop.
  • Click on CleanUp
  • You will be prompted to reboot your system. Please do so.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


NEXT:



All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===



Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one, as it can cause program conflicts as well as false positives.

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is to practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explorer more secure.


Make Internet Explorer more secure

  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.
  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates

  • Be wary of e-mails from unknown senders. Keep the following in mind as well: if it's too good to be true, then it more than likely is.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Cheers,
SweetTech.
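As an added check that is not part of SweetTech's post above, the following PowerShell snippet reads the same three Internet-zone ActiveX settings that the Inetcpl.cpl steps change and reports whether they already match the recommended values (Prompt, Prompt, Disable); run with -Fix it writes those values. It assumes the per-user zone settings under HKCU, that zone 3 is the Internet zone, that the value names 1001, 1004 and 1201 correspond to the three options named in the post, and that data 0, 1 and 3 mean Enable, Prompt and Disable. These are the standard Internet Explorer zone registry settings, not something taken from this thread, and PowerShell has to be installed on the machine (2.0 was available for XP SP3).

```powershell
# Added example, not code from the original post. Audits (and with -Fix, sets) the
# three Internet-zone ActiveX settings that the Inetcpl.cpl steps above change.
# Assumed (standard IE zone registry layout, not taken from this thread):
#   zone 3 = Internet zone, per-user settings under HKCU,
#   1001 = Download signed ActiveX controls,
#   1004 = Download unsigned ActiveX controls,
#   1201 = Initialize and script ActiveX controls not marked as safe,
#   data 0 = Enable, 1 = Prompt, 3 = Disable.

$Zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Friendly name, registry value name, recommended data
$Wanted = @(
    @{ Name = 'Download signed ActiveX controls';                          Value = '1001'; Want = 1 }  # Prompt
    @{ Name = 'Download unsigned ActiveX controls';                        Value = '1004'; Want = 1 }  # Prompt
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = '1201'; Want = 3 }  # Disable
)

$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeActiveXSettings {
    param([switch]$Fix)   # -Fix writes the recommended data where it differs

    if (-not (Test-Path -Path $Zone)) { throw "Zone key not found: $Zone" }
    $props = Get-ItemProperty -Path $Zone
    $allOk = $true

    foreach ($s in $Wanted) {
        $current = $props.($s.Value)          # $null if the value is absent (zone default applies)
        if ($null -eq $current) {
            $shown = 'not set (zone default)'
        } elseif ($Label.ContainsKey([int]$current)) {
            $shown = $Label[[int]$current]
        } else {
            $shown = "unknown ($current)"
        }

        if ($current -eq $s.Want) {
            Write-Host ("OK       {0}: {1}" -f $s.Name, $shown)
            continue
        }

        $allOk = $false
        Write-Host ("MISMATCH {0}: {1}; recommended {2}" -f $s.Name, $shown, $Label[$s.Want])
        if ($Fix) {
            Set-ItemProperty -Path $Zone -Name $s.Value -Value $s.Want -Type DWord
            Write-Host ("         wrote {0} = {1}" -f $s.Value, $Label[$s.Want])
        }
    }
    return $allOk
}

Test-IeActiveXSettings        # report only; add -Fix to apply the recommended values
```

Two caveats when reading the result: if the options appear greyed out in Inetcpl.cpl, a Group Policy is enforcing them and the per-user value this script reads may not be the one in effect; and these settings only govern Internet Explorer (and programs that embed its engine), so they do nothing for Chrome or Opera. Restart Internet Explorer after changing them.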

#25
elkski
Member • Topic Starter • 172 posts
Don't see the bold text to add in the command line here for ComboFix uninstall.

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall



NEXT:

#26
SweetTech
Sir SpamAlot • Retired Staff • 7,671 posts
You want to enter this into the Run Dialog box: ComboFix /Uninstall

#27
elkski
Member • Topic Starter • 172 posts
I will get rid of the Cabos and some no file sharing I just downloaded that this week.
I thank you very much.
Do you have a paypal account where I can give you a gift?
Our schedules seemed to coincide and made this a much faster fix than ever before.
I will get the latest MS updates but this is not a legit version so I have auto update turned off. Not sure if that will be a problem??

I have another computer that has a problem and in fact that is what I started trying to fix. She was getting the BLOD and had the rogue virus.
I couldn't even load and run some virus programs. Is there a way I can get you to take this case too?
I posted it in the wrong section of the forums.
It is here.
http://www.geekstogo..._1#entry1926886
Now that my base puter seems healthy I will look at her again and then we have a total of 5 in the house and they probably all need work.
Randy
in Utah

#28
SweetTech
Sir SpamAlot • Retired Staff • 7,671 posts
Hello,

I will get the latest MS updates but this is not a legit version so I have auto update turned off. Not sure if that will be a problem??

If this is not a legit version of Windows, then you will not be able to update it. I suggest you get yourself a licensed copy of Windows.


Do you have a paypal account where I can give you a gift?

I have a paypal link in my signature, which can be located at the bottom of each of my posts.

I couldn't even load and run some virus programs.

If you're still unable to run any tools on the other infected computer, you will want to post here.

If you are able to run tools on that computer then take a look at this thread here.

#29
SweetTech
Sir SpamAlot • Retired Staff • 7,671 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.