i think i have a virus
cachee
Junior Member
5. June 2009 @ 21:40
'Norton Security Scan' pop-up (I haven't installed Norton)
and in my Internet Explorer proxy it had this 'http://164.38.33.5/proxy.pac'
Googling that brought me to a site about a 'spiral virus'
I have run:
SUPERAntiSpyware
SUPERAntiSpyware Free Edition
Malwarebytes' Anti-Malware
ATF-Cleaner
all in the appropriate fashion as per other threads, and my HJT log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:40:12, on 06/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Kontiki\KService.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://164.38.33.5/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll64.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
--
End of file - 6789 bytes
Thanks all!
There is no spoon...
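Added example, not from any poster in this thread: a small Python triage pass over HijackThis lines that applies the checks a responder makes by hand on the log above: an AutoConfigURL pointing at a remote PAC script (the proxy setting the poster noticed), extra programs appended to the Winlogon UserInit value (the F2 line above lists rundll64.exe after userinit.exe), and BHO/toolbar/button entries whose file is gone. The sample lines are copied from the log above; the severity labels and the LEGIT_USERINIT set are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted above.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://164.38.33.5/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll64.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    severity: str  # "high" or "low" (this example's own labels)
    line: str
    reason: str


# A stock Windows XP UserInit value launches only userinit.exe; HijackThis
# prints the full path, so accept that spelling and the bare file name.
LEGIT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# R0/R1 lines: "<section> - <hive\key>,<value name> = <data>"
_R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# F2 line for the Winlogon UserInit entry: a comma-separated list of programs.
_F2_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<data>.*)$", re.IGNORECASE)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None when nothing stands out."""
    line = line.strip()
    m = _R_LINE.match(line)
    if m:
        name, data = m.group("name").strip(), m.group("data").strip()
        # A proxy auto-config URL makes the browser fetch its proxy rules from
        # that address, so whoever controls it decides where requests are routed.
        if name.lower() == "autoconfigurl" and data:
            return Finding("high", line, f"browser proxy rules are fetched from {data}")
        return None
    m = _F2_LINE.match(line)
    if m:
        programs = [p.strip() for p in m.group("data").split(",") if p.strip()]
        extra = [p for p in programs if p.lower() not in LEGIT_USERINIT]
        if extra:
            return Finding("high", line,
                           "extra program(s) started at every logon via UserInit: " + ", ".join(extra))
        return None
    # BHO, toolbar and extra-button entries whose file is gone are dead weight
    # and can simply be fixed in HijackThis.
    if line.startswith(("O2 ", "O3 ", "O9 ")) and line.endswith("(no file)"):
        return Finding("low", line, "entry points at a file that no longer exists")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a pasted HijackThis log."""
    return [f for f in (check_line(raw) for raw in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```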
AfterDawn Addict
6. June 2009 @ 02:04
cachee,
Are you having any problems?
Your HJT Log is Clean?
Java Runtime can be activated by websites, so if there is a security vulnerability in any Java version on your machine, it can be exploited by a malicious site to infect your machine. Each new version of Java fixes security vulnerabilities, so it's extremely important to keep up to date, and its auto-update mechanism isn't considered very reliable. So yes, it's important to regularly check for updates, and if you don't use it, then it's best removed from your machine.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
Then run this tool to help cleanup any left over Java
Remove Old Java using JavaRa
Download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
* Double-click on JavaRa.exe to start the program
* From the drop-down menu, choose English and click on Select
* JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer
* Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK
* A logfile will pop up. Save it to a convenient location
* Click on Additional Tasks then tick Remove Useless JRE Files
* Click Go then OK when prompted & close the program.
Update Java Runtime
* Go to http://java.sun.com/javase/downloads/index.jsp
* Scroll down to Java Runtime Environment (JRE) 6 Update 14 and click on the Download button
* In the Platform box choose Windows
* Check the box to Accept License Agreement and click Continue
* Click on Windows Offline Installation, click on the link under it which says "jre-6u14-windows-i586.exe" and save the downloaded file to your desktop
* Install the new version by running the downloaded file with the Java icon & follow the on-screen instructions
* Reboot your computer
2oG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
scorpNZ
AfterDawn Addict
6. June 2009 @ 04:47
It's about time you started charging for help; you'd be a trillionaire in no time. If you need any employees I'm up for it :D
AfterDawn Addict
6. June 2009 @ 05:00
I just started working on my "Second Trillion"........ Gave up on the first one! LMAO
My motto: Live fast, love hard, die young and leave a good-looking corpse.. Missed the boat on that one also.. If I'd known I was gonna live this damn long, I'd have taken better care of myself.. : (

cachee
Junior Member
6. June 2009 @ 06:12
Hi mate, Java all updated.
Regarding the 'Norton popup' and the desktop shortcut that magically got there:

What do you reckon I should do?
cachee
Junior Member
6. June 2009 @ 06:12
And shouldn't I remove:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
AfterDawn Addict
6. June 2009 @ 07:07
cachee,
Yeah, I failed to get that one..
I think it was MS Messenger or MS Live sign-in?.. since the file is missing it's dead in the water.. You can use HJT to fix that line and knock the dust off your Log : )
I don't pay a lot of attention to (missing file) or (no file) lines unless it's an O23 line, and then the driver is still on the machine.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
On the Norton thing, right-click the shortcut, click Properties, then follow the path and see if it turns up something? Norton comes on most new machines as a trial version, or I guess it could be a link to Norton online scan, maybe?.. see what you can find..
Can you not just delete that shortcut??
2oG

AfterDawn Addict
6. June 2009 @ 07:53
p.s. cachee,
Another thing I missed: I was thinking that your NetworkAccessManager was also an AV, but it's just a chipset firewall.
You really need to install an antivirus. There are some good, free ones.
My Recommendations: 1=Best, 2=Very Good, 3=Good
1. -> Avira Antivir
2. -> Avast 4
3. -> AVG 8.5
Avira AntiVir is my top pick if you're looking for the best protection against viruses. It is very light on resources and the detection rate of viruses and rootkits is outstanding. However, it does not include antispyware protection or e-mail scanning; they are only available in the paid version. For Anti-Spyware use SpywareBlaster. The lack of an e-mail scanner just means that AntiVir won't warn you of infected emails before you open them. However, should you open an infected email; AntiVir will still spring into action, so it doesn't mean that you're not protected from email-based infections. Although AntiVir has advertisements that appear with every update, these ads can be disabled -> HERE!
2oG

AfterDawn Addict
6. June 2009 @ 08:34
Hi cachee,
You said you had run MBAM and SAS; they will normally take care of antivirus2008 and the likes..
There were no traces in your HJT Log so I dismissed that..
Do you have any Norton or Symantec folders? Like I said, follow the path of the shortcut to locate them and then delete.. There shouldn't be any registry entries if it has never been installed.
If you want to do some deep digging, then do this:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:
"%userprofile%\desktop\combofix.exe" /killall

3. Combo will begin to run DO NOTHING while this is happening.
* It will kill a few processes and disconnect you from the internet.
* If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
* This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
If, when it's completed, you cannot get on the internet, just reboot the computer.
Post the log from ComboFix for me, located in
c:\comboFix.txt
2oG

cachee
Junior Member
6. June 2009 @ 09:23
Done.
See below
ComboFix 09-06-05.07 - Chris 06/06/2009 13:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.727 [GMT 1:00]
Running from: c:\documents and settings\Chris\desktop\combofix.exe
Command switches used :: /killall
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.
2009-06-06 10:10 . 2009-06-06 10:10 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-06 10:08 . 2009-06-06 10:08 152576 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-06 10:05 . 2009-06-06 10:07 -------- d-----w- c:\documents and settings\Chris\.SunDownloadManager
2009-06-06 01:56 . 2009-06-06 01:56 -------- d-----w- c:\windows\system32\scripting
2009-06-06 01:56 . 2009-06-06 01:56 -------- d-----w- c:\windows\l2schemas
2009-06-06 01:56 . 2009-06-06 01:56 -------- d-----w- c:\windows\system32\en
2009-06-06 01:56 . 2009-06-06 01:56 -------- d-----w- c:\windows\system32\bits
2009-06-06 01:40 . 2009-06-06 01:40 -------- d-----w- c:\program files\Trend Micro
2009-06-06 00:19 . 2009-06-06 00:19 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-06-06 00:19 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 00:19 . 2009-06-06 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 00:19 . 2009-06-06 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-06 00:19 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-06 00:12 . 2009-06-06 00:24 117760 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-06 00:11 . 2009-06-06 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-06 00:11 . 2009-06-06 00:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-06 00:11 . 2009-06-06 00:11 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2009-05-24 10:44 . 2009-05-24 10:44 10134 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-24 10:44 . 2009-05-24 10:44 -------- d-----w- c:\program files\Microsoft WSE
2009-05-24 10:44 . 2008-09-05 02:22 447752 ----a-w- c:\windows\system32\vp6vfw.dll
2009-05-24 10:44 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-05-24 10:44 . 2009-05-24 10:44 -------- d-----w- c:\windows\Logs
2009-05-24 10:38 . 2009-05-24 10:38 -------- d-----w- c:\program files\Electronic Arts
2009-05-18 11:26 . 2009-05-18 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-18 11:26 . 2009-05-18 11:26 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-18 11:26 . 2009-05-18 11:26 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-18 11:22 . 2009-05-18 11:22 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-18 11:22 . 2009-05-18 11:28 -------- d-----w- c:\documents and settings\Vikkyyyy\Application Data\DAEMON Tools Lite
2009-05-14 20:29 . 2009-05-14 20:31 -------- d-----w- c:\windows\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 13:02 . 2009-01-11 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-06 11:30 . 2008-12-28 15:51 -------- d-----w- c:\program files\PokerStars
2009-06-06 10:10 . 2008-02-16 15:27 -------- d-----w- c:\program files\Java
2009-06-06 01:58 . 2008-01-21 12:39 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-06 00:11 . 2009-02-08 18:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-03 16:49 . 2008-01-21 13:32 49296 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-02 15:30 . 2008-04-20 15:45 -------- d-----w- c:\program files\Dl_cats
2009-05-24 10:38 . 2008-01-21 14:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 17:30 . 2009-05-03 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-03 17:30 . 2008-07-09 23:42 -------- d-----w- c:\program files\iTunes
2009-05-03 17:30 . 2009-05-03 17:30 -------- d-----w- c:\program files\iPod
2009-05-03 17:30 . 2008-07-09 23:41 -------- d-----w- c:\program files\Common Files\Apple
2009-05-03 17:29 . 2009-05-03 17:29 -------- d-----w- c:\program files\QuickTime
2009-05-03 17:29 . 2008-07-09 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-03 17:27 . 2009-05-03 17:27 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-03 17:26 . 2009-05-03 17:26 -------- d-----w- c:\program files\Safari
2009-05-03 17:26 . 2008-07-09 23:42 -------- d-----w- c:\program files\Bonjour
2009-05-01 17:16 . 2009-02-08 18:29 -------- d-----w- c:\program files\Steam
2009-04-23 13:15 . 2009-04-23 13:15 1134024 ----a-w- c:\documents and settings\Vikkyyyy\Application Data\Mozilla\Firefox\Profiles\ggw0tb2c.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2009-04-10 14:22 . 2008-04-20 20:33 48904 ----a-w- c:\documents and settings\Vikkyyyy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 13:42 . 2009-04-05 13:42 965344 ----a-w- c:\documents and settings\Vikkyyyy\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 10:34 . 2009-04-05 16:19 971776 ----a-w- c:\documents and settings\Vikkyyyy\Application Data\Mozilla\Firefox\Profiles\ggw0tb2c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-15 106496]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-06 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-11-11 90112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Vikkyyyy\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-31 344064]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Belkin Wireless USB Network Adapter Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\NVIDIA\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\i_lost_my_sheep@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 nvp2p;NVIDIA PCI to PCI Bridge Filter;c:\windows\system32\drivers\nvp2p.sys [1/23/2008 10:08 PM 8576]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{KEDT456S-FJKR-DG53-8427-45182378KUDG}]
c:\windows\system32\winsetup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\hefyupwh.default\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 14:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2448)
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Kontiki\KService.exe
c:\nvidia\NetworkAccessManager\bin\nSvcIp.exe
c:\nvidia\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-06-06 14:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-06 13:06
Pre-Run: 36,120,113,152 bytes free
Post-Run: 36,710,170,624 bytes free
178 --- E O F --- 2008-11-13 15:46
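Added example, not from any poster in this thread: a Python pass over the "Reg Loading Points" section of the ComboFix log above that flags two things a responder would check by hand: an Active Setup Installed Components subkey whose name is not a well-formed GUID (the one in the log above contains characters outside 0-9/A-F, which Windows never generates) and Security Center values that silence the antivirus/update warnings. The sample lines are copied from the log above; the flag set and the wording of the findings are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the REGEDIT4-style section posted above.
SAMPLE_REG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{KEDT456S-FJKR-DG53-8427-45182378KUDG}]
c:\windows\system32\winsetup.exe
"""

# Windows-generated component ids are GUIDs: {8-4-4-4-12} hexadecimal digits.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ACTIVE_SETUP = "\\active setup\\installed components\\"
# Security Center values that suppress the "no antivirus / firewall / updates" warnings.
SILENCE_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


def parse_reg_dump(text: str) -> Dict[str, List[str]]:
    """Group the lines under each [key] header; anything before the first header is skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_reg(text: str) -> List[Tuple[str, str]]:
    """Return (key, reason) pairs for entries a responder should look at."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_reg_dump(text).items():
        low = key.lower()
        if ACTIVE_SETUP in low:
            # Active Setup runs a component's StubPath once per user profile at
            # logon, so a made-up component id here deserves a close look.
            component = key.rsplit("\\", 1)[-1]
            if not GUID_RE.match(component):
                findings.append((key, "Active Setup component id is not a well-formed GUID; "
                                      "launches " + ", ".join(lines)))
        elif low.endswith("\\security center"):
            for entry in lines:
                name, _, value = entry.partition("=")
                name = name.strip().strip('"').lower()
                if name in SILENCE_FLAGS and value.strip().lower() == "dword:00000001":
                    findings.append((key, f"{name} suppresses the Security Center warning"))
    return findings


if __name__ == "__main__":
    for key, reason in triage_reg(SAMPLE_REG):
        print(f"{reason}\n    [{key}]")
```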
AfterDawn Addict
6. June 2009 @ 10:10
Hi cachee,
Are you having any problems????
I don't see any Norton leftovers.
ComboFix didn't find anything except maybe:
c:\\Program Files\\BearShare\\BearShare.exe
Quote: bearshare.exe is the executable for the BearShare file sharing client. BearShare is a peer to peer media exchange application giving you access to files on desktops connected to the network. This process can be a security risk since it also gives other users on the network access to local files and folders on your system.
I have no use for P2P because you will get a lot of malware, maybe not from the program itself, but from the downloaded torrent files? Your choice.. When you dance, you must pay the fiddler!
Other than that, it all looks OK.
2oG

cachee
Junior Member
6. June 2009 @ 10:13
Okay mate, no worries. Yeah, I don't download torrents from that computer so that's okay :)
Thanks for your help, next computer coming up! hehe. Last one I promise.
AfterDawn Addict
6. June 2009 @ 10:25
Take a number.......

scorpNZ
AfterDawn Addict
6. June 2009 @ 16:14
SpywareTerminator has all the same functions as the bought version of SUPERAntiSpyware, except it's free; you can also let it integrate ClamWin, as both get updated pretty frequently, including the version.
http://www.spywareterminator.com/
AfterDawn Addict
7. June 2009 @ 08:42
Opinions are what make Horse Racing.
IMHO, I have never been a fan of suites; when bundling programs together you may get a great firewall or anti-spyware with a poor anti-virus, or vice versa.. When I repair or renovate my home, I hire a licensed electrician, plumber, carpenter, painter, etc. etc., not a "handyman" that tries to do everything.. The same goes for my computer. Lol
2oG, now running Windows 7 and loving it?
