antivirus2009 how to get rid of it
Senior Member
5. August 2008 @ 20:41
Have this popup on my computer, antivirus2009. Want to delete it. Here is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:58, on 05/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
--
End of file - 4847 bytes
AfterDawn Addict
6. August 2008 @ 01:49
Hi aldan,
Your HJT log doesn't show the infection, but that doesn't mean it's not there...
This just may be the new variant of Vundo Trojan and the new antivirus 2009.
Let's do this:
Please download Malwarebytes' Anti-Malware to your desktop.
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post the contents of that file in your next reply.
And then do this:
Download ComboFix from Here to your Desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
Senior Member
6. August 2008 @ 17:59
I'm back. Here are my logs. Thanks very much for your help. If you ever need advice on car repairs, I'm a licensed auto mechanic.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:20, on 06/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
--
End of file - 5035 bytes
Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3
2:26:05 PM 06/08/2008
mbam-log-8-6-2008 (14-26-05).txt
Scan type: Full Scan (C:\|)
Objects scanned: 94209
Time elapsed: 45 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\Fonts (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\Fonts\ocraext.ttf (Trojan.Agent) -> Quarantined and deleted successfully.
ComboFix 08-08-06.01 - al daniels 2008-08-06 14:30:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.565 [GMT -7:00]
Running from: C:\Documents and Settings\al daniels\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-06 13:29 . 2008-08-06 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 13:29 . 2008-08-06 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 13:29 . 2008-08-06 13:29 <DIR> d-------- C:\Documents and Settings\al daniels\Application Data\Malwarebytes
2008-08-06 13:29 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 13:29 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 17:32 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-05 17:32 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-05 17:32 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-05 17:32 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-05 17:32 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-05 17:32 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-05 17:32 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-05 17:32 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-05 17:32 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-25 23:15 . 2008-07-25 23:15 <DIR> d-------- C:\Program Files\TouchStoneSoftware
2008-07-25 22:44 . 2008-07-25 22:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 22:13 . 1998-09-17 05:20 393,216 --a------ C:\WINDOWS\system32\MSRDO20.DLL
2008-07-25 22:13 . 1998-09-17 05:20 151,552 --a------ C:\WINDOWS\system32\rdocurs.dll
2008-07-25 22:13 . 2008-07-25 22:13 6,144 --ahsc--- C:\WINDOWS\system32\access.ctl
2008-07-25 21:53 . 2008-07-26 21:02 <DIR> d-------- C:\Program Files\RegistryFix6
2008-07-25 21:13 . 2008-07-25 21:13 <DIR> d-------- C:\Program Files\Realtek AC97
2008-07-25 20:41 . 2008-07-25 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-25 19:42 . 2008-07-25 19:42 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-25 19:12 . 2008-04-03 15:42 53,248 -ra------ C:\WINDOWS\system32\drivers\ViPrt.sys
2008-07-25 19:12 . 2008-05-26 16:14 18,432 -ra------ C:\WINDOWS\system32\vIdeInst.dll
2008-07-25 19:12 . 2008-04-03 15:42 16,896 -ra------ C:\WINDOWS\system32\drivers\ViBus.sys
2008-07-25 19:02 . 2008-07-25 19:02 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-07-25 18:32 . 2008-07-25 18:32 <DIR> d-------- C:\Program Files\VIA Technologies, Inc
2008-07-25 18:32 . 2003-06-16 11:05 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-07-25 18:32 . 2003-06-16 11:05 720,896 --a------ C:\WINDOWS\system32\a3d.dll
2008-07-25 18:32 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-25 18:32 . 2003-07-04 23:14 32,768 --a------ C:\WINDOWS\system32\UnAudioNT.dll
2008-07-25 18:32 . 2003-05-27 16:45 3,351 --a------ C:\WINDOWS\system32\drivers\vsp.sys
2008-07-25 01:36 . 2008-07-25 01:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 01:36 . 2008-07-25 01:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:35 . 2008-07-24 20:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-24 15:23 . 2008-07-24 15:23 <DIR> d-------- C:\VundoFix Backups
2008-07-24 12:39 . 2008-07-24 12:39 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-23 20:26 . 2008-07-23 20:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-23 20:20 . 2008-07-24 12:39 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-07-23 09:50 . 2008-07-23 09:50 3,596,288 --a--c--- C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 09:48 . 2008-07-23 09:48 1,044,480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2008-07-23 09:48 . 2008-07-23 09:48 200,704 --a--c--- C:\WINDOWS\system32\ssldivx.dll
2008-07-23 09:47 . 2008-07-23 09:47 634,880 --a------ C:\WINDOWS\system32\divxdec.ax
2008-07-23 09:47 . 2008-07-23 09:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-07-23 09:47 . 2008-07-23 09:47 416 --a--c--- C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 09:47 . 2008-07-23 09:47 416 --a--c--- C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 09:46 . 2008-07-23 09:46 12,288 --a--c--- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-19 15:13 . 2008-06-08 09:37 402,728 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-07-15 19:35 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-07-15 19:35 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-07-09 20:45 . 2008-07-09 20:45 196,043 --a------ C:\_crash.dmp
2008-07-09 20:45 . 2008-07-09 20:45 63,432 --a------ C:\report.zip
2008-07-09 18:20 . 2008-07-09 18:20 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-07-09 13:10 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-07-08 17:29 . 2008-07-08 17:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-08 17:28 . 2008-08-05 13:31 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 17:13 . 2008-08-05 17:25 1,766 --a------ C:\WINDOWS\system32\tmp.reg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 20:14 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-08-06 03:08 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-05 20:05 --------- d-----w C:\Program Files\DivX
2008-08-02 02:38 --------- d-----w C:\Documents and Settings\al daniels\Application Data\OfficeUpdate12
2008-07-26 17:42 --------- d-----w C:\Program Files\QuickTime
2008-07-26 05:44 --------- d-----w C:\Documents and Settings\al daniels\Application Data\SUPERAntiSpyware.com
2008-07-26 05:14 --------- d-----w C:\Program Files\MyApp
2008-07-26 04:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-26 02:55 --------- d-----w C:\Program Files\EPSON
2008-07-26 01:32 --------- d-----w C:\Program Files\Setup Files
2008-07-16 03:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-16 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-07-06 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-06 04:11 --------- d-----w C:\Program Files\Lavasoft
2008-07-05 03:23 --------- d-----w C:\Program Files\FirstClass
2008-07-04 01:56 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-04 01:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-01 14:17 --------- d-----w C:\Program Files\AC3Filter
2008-06-24 23:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-21 16:26 --------- d-----w C:\Program Files\YourWare Solutions
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 19:30 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 00:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-10 01:47 --------- d-----w C:\Program Files\MSI
2008-06-08 16:37 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2008-06-08 16:37 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2008-06-07 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-07 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 21:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-06-06 21:54 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2008-05-22 22:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-16 18:48 446,464 -c--a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-05-09 10:53 90,112 -c--a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 -c--a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 -c--a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 -c--a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 -c--a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 -c--a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 -c--a-w C:\WINDOWS\system32\quartz.dll
2008-02-05 15:21 47,360 -c--a-w C:\Documents and Settings\al daniels\Application Data\pcouffin.sys
2007-10-22 10:49 867,848 -c--a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab
2007-10-22 10:49 807,132 -c--a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab
2007-10-22 10:49 49,392 -c--a-w C:\Program Files\NOV2007_X3DAudio_x64.cab
2007-10-22 10:49 21,744 -c--a-w C:\Program Files\NOV2007_X3DAudio_x86.cab
2007-10-22 10:49 200,010 -c--a-w C:\Program Files\NOV2007_XACT_x64.cab
2007-10-22 10:49 151,512 -c--a-w C:\Program Files\NOV2007_XACT_x86.cab
2007-10-22 10:49 1,805,306 -c--a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab
2007-10-22 10:49 1,712,608 -c--a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab
2007-10-22 10:31 855,886 -c--a-w C:\Program Files\AUG2007_d3dx10_35_x64.cab
2007-10-22 10:31 800,467 -c--a-w C:\Program Files\AUG2007_d3dx10_35_x86.cab
2007-10-22 10:31 702,644 -c--a-w C:\Program Files\JUN2007_d3dx10_34_x64.cab
2007-10-22 10:31 702,072 -c--a-w C:\Program Files\JUN2007_d3dx10_34_x86.cab
2007-10-22 10:31 201,696 -c--a-w C:\Program Files\AUG2007_XACT_x64.cab
2007-10-22 10:31 200,722 -c--a-w C:\Program Files\JUN2007_XACT_x64.cab
2007-10-22 10:31 156,612 -c--a-w C:\Program Files\AUG2007_XACT_x86.cab
2007-10-22 10:31 156,509 -c--a-w C:\Program Files\JUN2007_XACT_x86.cab
2007-10-22 10:31 1,803,760 -c--a-w C:\Program Files\AUG2007_d3dx9_35_x64.cab
2007-10-22 10:31 1,711,752 -c--a-w C:\Program Files\AUG2007_d3dx9_35_x86.cab
2007-10-22 10:31 1,611,374 -c--a-w C:\Program Files\JUN2007_d3dx9_34_x64.cab
2007-10-22 10:31 1,610,886 -c--a-w C:\Program Files\JUN2007_d3dx9_34_x86.cab
2007-04-05 02:04 702,212 -c--a-w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-04-05 02:04 699,465 -c--a-w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-04-05 02:04 56,902 -c--a-w C:\Program Files\APR2007_xinput_x86.cab
2007-04-05 02:04 45,305 -c--a-w C:\Program Files\dxdllreg_x86.cab
2007-04-05 02:04 199,366 -c--a-w C:\Program Files\APR2007_XACT_x64.cab
2007-04-05 02:04 154,825 -c--a-w C:\Program Files\APR2007_XACT_x86.cab
2007-04-05 02:04 100,417 -c--a-w C:\Program Files\APR2007_xinput_x64.cab
2007-04-05 02:04 1,610,958 -c--a-w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-04-05 02:04 1,609,639 -c--a-w C:\Program Files\APR2007_d3dx9_33_x86.cab
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2008-06-21 09:26 1591808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-05-30 14:54 4501912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 17:12 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
backup=C:\WINDOWS\pss\AudioDeck.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2008-04-09 10:00 826880 C:\Program Files\dvd43\DVD43_Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a--c--- 2004-03-18 09:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"NVSvc"=2 (0x2)
"AresChatServer"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2008-04-03 15:42]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2008-04-03 15:42]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-06-25 06:47]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 Vsp;Vsp;C:\WINDOWS\system32\drivers\Vsp.sys [2003-05-27 16:45]
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://sympatico.msn.ca/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 14:33:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-06 14:34:23
ComboFix-quarantined-files.txt 2008-08-06 21:34:15
ComboFix2.txt 2008-02-03 01:00:46
Pre-Run: 60,223,479,808 bytes free
Post-Run: 60,257,800,192 bytes free
238 --- E O F --- 2008-07-24 19:42:40
AfterDawn Addict
6. August 2008 @ 22:27
Good job aldan,
Use HijackThis to fix this line, just a leftover:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Congratulations, your log looks CLEAN
There are a few things you must do once you are completely clean:
1. Time for some housekeeping
Please download the OTMoveIt2 by OldTimer
• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.
• The tools that we used as well as this one will be removed from your system.
2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use the Firefox browser, click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• If you use the Opera browser, click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
• Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the Download button to the right.
• Select Windows on the platform combobox and check the box that says:
Accept License Agreement. Click Continue.
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
4. Now set a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
Select the drive you want to clean, usually C:
Click OK.
When it completes the scan:
• Click the "More Options" tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
5. Defragment your Hard Drive
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.
And here are some tips to reduce the potential for spyware infection in the future:
It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall.
I have recently changed my firewall to Comodo, love it and highly recommend it.
Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.
I strongly recommend installing the following applications:
• SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
Go to these sites and read about these; you may decide to use them. I do, because they work.
• Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Malware, Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
And also see TonyKlein's good advice
So how did I get infected in the first place?
Enjoy your clean computer. Any questions?
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
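As an added example, not from the original post or from HijackThis: a PowerShell check that reproduces what the "O2 - BHO: ... - (no file)" line above reports, by walking the registry key where Internet Explorer registers Browser Helper Objects and flagging any registration whose DLL is no longer on disk. It assumes it is run on the machine being inspected and uses only the standard BHO and CLSID key paths; the function name is my own.

```powershell
# Added example (not from the original post): audit IE Browser Helper Objects
# and flag leftover registrations whose DLL is missing, which is exactly what
# a HijackThis "O2 - BHO: ... - (no file)" entry describes.
function Get-BrowserHelperObjectAudit {
    # IE loads every CLSID listed under this key at startup (32-bit view on XP;
    # 64-bit Windows also has a Wow6432Node copy of the same key).
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoKey)) { return @() }

    Get-ChildItem -LiteralPath $bhoKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

        # Friendly name is the CLSID key's default value; the DLL that gets
        # loaded is the default value of its InprocServer32 subkey.
        $name = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        $resolvedDll = $null
        if ($dll) {
            # Paths may be quoted or use %SystemRoot%-style variables.
            $resolvedDll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        }

        # No InprocServer32 value, or a path that no longer exists, means a
        # dead registration: harmless by itself, but worth cleaning up.
        $leftover = (-not $resolvedDll) -or (-not (Test-Path -LiteralPath $resolvedDll))

        if ($name)        { $displayName = $name }        else { $displayName = '(no name)' }
        if ($resolvedDll) { $displayDll  = $resolvedDll } else { $displayDll  = '(no file)' }

        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $displayName
            Dll      = $displayDll
            Leftover = $leftover
        }
    }
}

# Print the full list; entries with Leftover = True correspond to "(no file)" O2 lines.
Get-BrowserHelperObjectAudit | Format-Table -AutoSize
```

An entry whose DLL does exist is not necessarily clean; the check only separates dead registrations from live ones, and live ones still need the path and publisher looked at.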
Senior Member
6. August 2008 @ 22:42
Thank you very much. If you ever need advice on car repairs, I am a licenced automotive mechanic. Cheers, Al.
AfterDawn Addict
6. August 2008 @ 22:51
You're welcome.
2OG