|
|
|
D@mn this virus. D@mn it to h3ll. (Trojan.gaslide b)
|
|
AfterDawn Addict
|
22. August 2008 @ 16:00 |
Link to this message
|
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 22. August 2008 @ 16:04
|
|
Advertisement
|
 |
|
|
AfterDawn Addict
|
23. August 2008 @ 02:32 |
Link to this message
|
Hi cw322, 
What we are about to do seems to have removed this infection in the other computer that I have been helping with, so let?s do it! 
First:
Download and install: Comodo BOClean
After installation, re-boot and then you will not need to do anything else. This little jewel just sits there in the tray and does it?s thing, quietly until something moves. Uses very little resources. And, it?s FREE!
Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 59000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C
Quote:
KILLALL::
File::
C:\WINDOWS\system32\qxkdsfql.exe
C:\WINDOWS\system32\gpwzmreb.exe
C:\WINDOWS\system32\atgdgrkz.exe
C:\WINDOWS\system32\cjaxwlqr.exe
C:\WINDOWS\system32\hcpghwvc.exe
C:\WINDOWS\system32\puvyzafy.exe
C:\WINDOWS\system32\vipipcty.exe
C:\WINDOWS\system32\mjsfgrwn.exe
C:\WINDOWS\system32\futmhclu.exe
C:\WINDOWS\system32\zolkdwnu.exe
C:\WINDOWS\system32\zotuxcnu.exe
C:\WINDOWS\system32\evmnupqh.exe
C:\Program Files\gnfgay
C:\Documents and Settings\All Users\Application Data\rmlsdkby
C:\Documents and Settings\All Users\Application Data\edubqncj
C:\WINDOWS\system32\atonaxmt.exe
C:\WINDOWS\system32\614E2D13C8.sys
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscutil"=-
"ShDsc"=-
"winsrv"=-
"aplen"=-
"shmnthlp"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
Referring to the picture above, drag CFScript into ComboFix.exe
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
gyqrr
Newbie
|
23. August 2008 @ 06:05 |
Link to this message
|
2OG,
I' having the same problems too. And thank God i found this forum and your post. I did want you said but i'm still not sure if i have completely removed the virus. Bec, after i did the scan, everytime i try to log in after a few seconds i will still get a blue screen. Please help. Your advise will greatly be appreciated. Thank you so much!
Gyqrr
FIRST SCAN
==========
Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2
11:47:29 AM 8/23/2008
mbam-log-08-23-2008 (11-47-29).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108062
Time elapsed: 25 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 17
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\blphc7gmj0epbj.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc7gmj0epbj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc7gmj0epbj.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Girlie\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
====================================================================
After restarting windows, after a few seconds, i got the blue screen again.
|
AfterDawn Addict
|
23. August 2008 @ 06:16 |
Link to this message
|
|
Try to complete the ComboFix instructions.
If you have trouble with it, run it in Safe Mode..
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
AfterDawn Addict
|
23. August 2008 @ 06:21 |
Link to this message
|
|
p.s. I think the Blue Screen is just a joke screensaver....
ComboFox should take care of that.
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
AfterDawn Addict
|
23. August 2008 @ 07:34 |
Link to this message
|
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
gyqrr
Newbie
|
23. August 2008 @ 12:08 |
Link to this message
|
2OG,
WOW! Thank you so much for the fast reply! I'll give it a try.
Thank's a million again.
gyqrr
|
|
gyqrr
Newbie
|
23. August 2008 @ 12:20 |
Link to this message
|
|
2OG
After reading the extra note for ComboFix, i'm kinda having second thoughts if i should do it (this may sound stupid, but i dont know how to disable the script blocking.. hehehe). I'm scared that i might mess up my laptop (more).
confused,
gyqrr
|
AfterDawn Addict
|
23. August 2008 @ 12:33 |
Link to this message
|
@gyqrr.
It's not all that bad.. There are warnings on cigarette lighters also but who reads them. The program sets a restore point before running, just in case.
No fear! It just means don't try to use it on your own without help.
p.s. post a HJT Log also..
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 23. August 2008 @ 12:34
|
AfterDawn Addict
|
23. August 2008 @ 12:56 |
Link to this message
|
If you will just send a hijackthis log, I will tell you if there is anything that needs disabling...
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
cw322
Newbie
|
23. August 2008 @ 16:40 |
Link to this message
|
|
2OG,
Sure. Let's try to remove it. In the long run I'll reformat but for now we can try to remove it. Let me know how you want to proceed.
cw322
|
AfterDawn Addict
|
23. August 2008 @ 16:53 |
Link to this message
|
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
cw322
Newbie
|
23. August 2008 @ 18:23 |
Link to this message
|
Here is the combo fix log:
ComboFix 08-08-21.01 - Craig Whitham 2008-08-23 18:08:27.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.714 [GMT -4:00]
Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig Whitham\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\All Users\Application Data\edubqncj
C:\Documents and Settings\All Users\Application Data\rmlsdkby
C:\Program Files\gnfgay
C:\WINDOWS\system32\614E2D13C8.sys
C:\WINDOWS\system32\atgdgrkz.exe
C:\WINDOWS\system32\atonaxmt.exe
C:\WINDOWS\system32\cjaxwlqr.exe
C:\WINDOWS\system32\evmnupqh.exe
C:\WINDOWS\system32\futmhclu.exe
C:\WINDOWS\system32\gpwzmreb.exe
C:\WINDOWS\system32\hcpghwvc.exe
C:\WINDOWS\system32\mjsfgrwn.exe
C:\WINDOWS\system32\puvyzafy.exe
C:\WINDOWS\system32\qxkdsfql.exe
C:\WINDOWS\system32\vipipcty.exe
C:\WINDOWS\system32\zolkdwnu.exe
C:\WINDOWS\system32\zotuxcnu.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\614E2D13C8.sys
C:\WINDOWS\system32\blphcg90j0ej7t.scr
C:\WINDOWS\system32\lphcg90j0ej7t.exe
C:\WINDOWS\system32\phcg90j0ej7t.bmp
.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.
2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
2008-08-23 17:38 . 2008-08-23 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-08-23 17:38 . 2008-08-23 18:14 11,703 --a------ C:\WINDOWS\BOC427.INI
2008-08-23 16:55 . 2008-08-23 16:55 195,584 --a------ C:\WINDOWS\system32\qxqzkbed.exe
2008-08-23 16:55 . 2008-08-23 16:55 106,496 --a------ C:\WINDOWS\system32\gpwhstmr.exe
2008-08-22 01:54 . 2008-08-22 01:54 81,920 --a------ C:\WINDOWS\system32\sdezadit.exe
2008-08-22 01:46 . 2008-08-22 01:46 81,920 --a------ C:\WINDOWS\system32\mxmxytkj.exe
2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-16 14:40 . 2008-08-16 14:40 <DIR> d-------- C:\Program Files\gnfgay
2008-08-16 14:40 . 2008-08-16 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rmlsdkby
2008-08-16 14:40 . 2008-08-16 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\edubqncj
2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 22:14 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-07-23 00:34 --------- d-----w C:\Program Files\Java
2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]
C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.SEDG"= mcs_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
--a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 18:14:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-08-23 18:19:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 22:19:27
ComboFix2.txt 2008-08-22 05:59:30
ComboFix3.txt 2008-08-22 03:38:52
ComboFix4.txt 2008-08-22 02:30:36
ComboFix5.txt 2008-08-23 22:07:51
Pre-Run: 44,533,317,632 bytes free
Post-Run: 44,519,350,272 bytes free
206 --- E O F --- 2008-08-15 01:03:04
|
|
cw322
Newbie
|
23. August 2008 @ 18:27 |
Link to this message
|
Highjack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:47 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8282 bytes
|
AfterDawn Addict
|
23. August 2008 @ 18:37 |
Link to this message
|
|
@cw322,
First, did you install BOClean before running ComboFix??
I don't see a Rootkit, maybe we got lucky.
It is going to take me a while to go through these Logs. I'll try to get them before long.
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
cw322
Newbie
|
23. August 2008 @ 18:47 |
Link to this message
|
2OG,
Yes i ran BO Clean before starting Combofix. It installed, then i restarted. Then i made that file in notepad exactly like you said, then i dragged it into ComboFix, then it started, when it was done it restarted the cpu. When it got back i noticed the background didnt change and for the fist time there were no pop ups asking me to download things. Looks like it worked, at least fixed it up better. Let me know what u find.
Thanks again.
|
|
dburak
Newbie
|
23. August 2008 @ 19:43 |
Link to this message
|
@2oldGeek
Just a quick question about your post about Comodo BOClean. I'm currently using the Spyware Doctor (along with Norton). Would you advise me to uninstall SpyDoc and install Comodo instead?
Cheers.
|
AfterDawn Addict
|
23. August 2008 @ 19:50 |
Link to this message
|
|
naw, they get along just fine. kissy, kissy, huggy, huggy
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
AfterDawn Addict
|
23. August 2008 @ 20:09 |
Link to this message
|
It?s looking real good, you may not need to reformat.
First, let?s use HJT to clean some orphans out. All of these have had the file removed.
Fix entries using HiJackThis
Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis
Now, we need to delete some files that were created after I made the first Fix?.
We?ll have to run ComboFix again..
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C
Quote:
KILLALL::
File::
C:\WINDOWS\system32\qxqzkbed.exe
C:\WINDOWS\system32\gpwhstmr.exe
C:\WINDOWS\system32\sdezadit.exe
C:\WINDOWS\system32\mxmxytkj.exe
C:\Program Files\gnfgay
Folder::
C:\Program Files\gnfgay
C:\Documents and Settings\All Users\Application Data\rmlsdkby
C:\Documents and Settings\All Users\Application Data\edubqncj
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
Referring to the picture above, drag CFScript into ComboFix.exe
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
cw322
Newbie
|
23. August 2008 @ 20:37 |
Link to this message
|
Combo Fix log:
ComboFix 08-08-23.01 - Craig Whitham 2008-08-23 20:23:21.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.716 [GMT -4:00]
Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig Whitham\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Program Files\gnfgay
C:\WINDOWS\system32\gpwhstmr.exe
C:\WINDOWS\system32\mxmxytkj.exe
C:\WINDOWS\system32\qxqzkbed.exe
C:\WINDOWS\system32\sdezadit.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\edubqncj
C:\Documents and Settings\All Users\Application Data\edubqncj\wlmtqpqf.exe
C:\Documents and Settings\All Users\Application Data\rmlsdkby
C:\Program Files\gnfgay
C:\Program Files\gnfgay\enstr.dll
C:\WINDOWS\system32\gpwhstmr.exe
C:\WINDOWS\system32\mxmxytkj.exe
C:\WINDOWS\system32\qxqzkbed.exe
C:\WINDOWS\system32\sdezadit.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.
2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
2008-08-23 17:38 . 2008-08-23 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-08-23 17:38 . 2008-08-23 20:28 11,578 --a------ C:\WINDOWS\BOC427.INI
2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 00:28 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-07-23 00:34 --------- d-----w C:\Program Files\Java
2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
2005-11-03 23:29 72,832 -c--a-r C:\WINDOWS\inf\CamAvb.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]
C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.SEDG"= mcs_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
--a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 20:27:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-08-23 20:33:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-24 00:33:39
ComboFix2.txt 2008-08-23 22:19:38
ComboFix3.txt 2008-08-22 05:59:30
ComboFix4.txt 2008-08-22 03:38:52
ComboFix5.txt 2008-08-24 00:22:35
Pre-Run: 44,484,485,120 bytes free
Post-Run: 44,469,288,960 bytes free
193 --- E O F --- 2008-08-15 01:03:04
Highjack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:47 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7668 bytes
|
AfterDawn Addict
|
23. August 2008 @ 21:31 |
Link to this message
|
@cw322,
I can find nothing detrimental.
I would like to see 1 more MBAM log and 1 more combofix log that are completely clean, If you could run those and post the logs, please.
After that, we will have a little final straightening up to do to complete this and I will make a few suggestions on how to keep from getting infected again.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
cw322
Newbie
|
23. August 2008 @ 22:07 |
Link to this message
|
Here is the MBAM. Im happy to say it didnt find anything!! :D
Ill run the combofix now.
Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2
10:05:59 PM 8/23/2008
mbam-log-08-23-2008 (22-05-59).txt
Scan type: Full Scan (C:\|)
Objects scanned: 82302
Time elapsed: 27 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
|
|
cw322
Newbie
|
23. August 2008 @ 22:19 |
Link to this message
|
ComboFix 08-08-23.01 - Craig Whitham 2008-08-23 22:12:45.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT -4:00]
Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.
2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
2008-08-23 17:38 . 2008-08-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-08-23 17:38 . 2008-08-23 22:11 11,715 --a------ C:\WINDOWS\BOC427.INI
2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 02:11 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-07-23 00:34 --------- d-----w C:\Program Files\Java
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
2005-11-03 23:29 72,832 -c--a-r C:\WINDOWS\inf\CamAvb.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]
C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.SEDG"= mcs_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
--a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.yahoo.ca/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 22:15:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-23 22:17:10
ComboFix-quarantined-files.txt 2008-08-24 02:16:17
ComboFix2.txt 2008-08-24 00:33:48
ComboFix3.txt 2008-08-23 22:19:38
ComboFix4.txt 2008-08-22 05:59:30
ComboFix5.txt 2008-08-24 02:12:24
Pre-Run: 44,478,570,496 bytes free
Post-Run: 44,463,505,408 bytes free
182 --- E O F --- 2008-08-15 01:03:04
|
AfterDawn Addict
|
23. August 2008 @ 23:36 |
Link to this message
|
Congratulations cw322, your log now looks CLEAN 
Your log is as clean as an old maid?s parlor.
Please perform these final steps and we can call it done?..
I must drop out now but if you have any questions I?ll be back tomorrow..
Hhere are a few other things you must do once you are completely clean:
1. Time for some housekeeping
Please download the OTMoveIt2 by OldTimer
? Save it to your desktop.
? Run the tool by clicking on the icon.
? Click the Cleanup button.
? The tools that we used as well as this one will be removed from your system.
2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
? Under Main "Select Files to Delete" choose: Select All.
? Click the Empty Selected button.
? If you use Firefox browser click Firefox at the top and choose: Select All
? Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
? If you use Opera browser click Opera at the top and choose: Select All
? Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
? Click Exit on the Main menu to close the program.
3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
? Go to Start > Programs > Accessories > System Tools and click "System Restore".
? Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
? Then go to Start > Run and type: Cleanmgr
? Click "OK"
Select the drive you want to clean usually C:
Click OK
When it completes the scan:
? Click the "More Options" Tab.
? Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
4. Defragment your Hard Drive
1.Open My Computer.
2.Right-click the local disk volume that you want to defragment, and then click Properties.
3.On the Tools tab, click Defragment Now.
4.Click Defragment.
And here are some tips to reduce the potential for spyware infection in the future:
I use and recommend a layered protection plan that BLOCKS malware BEFORE it enters your computer.
Layer 1 ? Firewall - this can be a router with SPI (stateful packet inspection) or a 3rd party software firewall ? Comodo Pro Free for the geeks and ZoneAlarm Free for the novice.
Layer 2 ? HOST file ?> HERE This is the most important layer it blocks Bad Sites from being able to get into your computer ? MVPS Host file only, for the novice and a combination of MVPS and HP Hosts with HostXpert.exe to manage them for the geeks.
Layer 3 ? AntiVirus ? Avira AntiVir for everyone ? the free version has Nag screens but can be stopped by googling avira antivir nag disable ? This is the best of the free AV?s and I like it better than any AV I?ve tried Free or Paid.
Layer 4 ? AntiMalware ? Comodo BOClean ? for everyone ? for the paranoid I suggest adding a weekly scan with MalwareBytes? AntiMalware or SUPERAntiSpyware or BOTH but If you have this full plan in place you won?t need them.
Layer 5 ? HIPS ( Host Intrusion Prevention Software) ? WinPatrol or if you?re using Comodo Pro Firewall you probably don?t need it.
For a backup system, I use and recommend Acronis True Image Home.
2OG 
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
Advertisement
|
|
|
|
cw322
Newbie
|
24. August 2008 @ 00:45 |
Link to this message
|
|
2OG,
Thanks a lot 2OG. I owe you so much. I got like a 300$ serive for free.
Thanks again!!!
|
|
