system security.


Re: system security.

Post by Belahzur on 14th June 2009, 12:45 am

Hello.
Do the same again for this file.

c:\Program Files\Common Files\qfrw\qfrwm.exe


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: system security.

Post by andrewvanderhevel on 14th June 2009, 12:47 am

Scan finished. 18 out of 20 scanners reported malware.

[ArcaVir]
2009-06-13 Downloader.Tsupdate.N
[F-Secure Anti-Virus]
2009-06-13 Adware:W32/TargetSaver.B
[Emsisoft A-squared]
2009-06-14 Trojan-Downloader.Win32.TSUpdate!IK
[Ikarus]
2009-06-13 Trojan-Downloader.Win32.TSUpdate
[Avast! antivirus]
2009-06-13 Win32:Tsupdate-C
[Kaspersky Anti-Virus]
2009-06-14 Trojan-Downloader.Win32.TSUpdate.n
[Grisoft AVG Anti-Virus]
2009-06-13 Downloader.Generic.JAD
[ESET NOD32]
2009-06-13 Win32/TrojanDownloader.TSUpdate.N
[Avira AntiVir]
2009-06-12 TR/Drop.TSUpdat.A.3
[Norman Virus Control]
2009-06-12 W32/DLoader.QKD
[Softwin BitDefender]
2009-06-13 Trojan.Downloader.Tsupdate.N
[Panda Antivirus]
2009-06-12 Adware/Sqwire
[ClamAV]
2009-06-13 Trojan.Downloader.TSUp-11
[Quick Heal]
2009-06-12 TrojanDownloader.TSUpdate.n
[CPsecure]
2009-06-14 Troj.Downloader.W32.TSUpdate.N
[Sophos]
2009-06-13 Found nothing
[Dr.Web]
2009-06-14 Adware.TargetServer
[VirusBlokAda VBA32]
2009-06-12 Found nothing
[Frisk F-Prot Antivirus]
2009-06-13 W32/Downloader.JWS
[VirusBuster]
2009-06-13 Trojan.DL.TSUpdate.J


Re: system security.

Post by Belahzur on 14th June 2009, 1:02 am

Haha, that's what brought it back.

Now open a new notepad file.
Input this into the notepad file:

Driver::
podmena

Folder::
c:\progra~1\COMMON~1\qfrw

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qfrw"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"podmena"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


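As an added example (not the helper's code and not part of ComboFix), a small Python parser for the CFScript directive format used in the post above, plus a check that cross-references the script's Folder::, Driver:: and Registry:: items against the text of the ComboFix log that comes back, so a helper can confirm each item is actually gone before declaring the machine clean. The CFScript and log excerpt are constructed samples modelled on this thread.

```python
import re
# Constructed CFScript and ComboFix log excerpt, shaped like the thread's (added example).
CFSCRIPT = r"""Driver::
podmena
Folder::
c:\progra~1\COMMON~1\qfrw
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qfrw"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
"""
LOG = r"""(((( Other Deletions ))))
c:\progra~1\COMMON~1\qfrw
c:\progra~1\COMMON~1\qfrw\qfrwm.exe
(((( Reg Loading Points ))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
R3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [3/17/2006 10:04 AM 8078]
"""
def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections, each a list of non-empty lines."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.endswith("::"):            # section header such as Folder:: or Registry::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_deletions(lines):
    """Pair every [key] in a Registry:: section with the value names it deletes ("name"=-)."""
    pairs, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'"([^"]+)"=-', line)):
            pairs.append((key, m.group(1)))
    return pairs

def verify_cleanup(script, log):
    """Return script items the log does not confirm as handled (empty list means all done)."""
    s, low = parse_cfscript(script), log.lower()
    left = [("Folder", f) for f in s.get("Folder", []) if f.lower() not in low]
    left += [("Driver", d) for d in s.get("Driver", []) if re.search(rf"\b{re.escape(d)}\b", low)]
    left += [("Registry", f"{k}\\{n}") for k, n in registry_deletions(s.get("Registry", []))
             if f'"{n.lower()}"=' in low]
    return left
```

A folder counts as handled when it appears under Other Deletions; a registry value or driver counts as still present when the log's loading-point or driver listing still names it.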

Re: system security.

Post by andrewvanderhevel on 14th June 2009, 1:12 am

ComboFix 09-06-13.03 - Cesar Ramos 06/13/2009 21:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.283 [GMT -7:00]
Running from: c:\documents and settings\Cesar Ramos\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Cesar Ramos\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\qfrw
c:\progra~1\COMMON~1\qfrw\qfrwa.exe
c:\progra~1\COMMON~1\qfrw\qfrwa.lck
c:\progra~1\COMMON~1\qfrw\qfrwd\class-barrel
c:\progra~1\COMMON~1\qfrw\qfrwd\qfrwc.dll
c:\progra~1\COMMON~1\qfrw\qfrwd\vocabulary
c:\progra~1\COMMON~1\qfrw\qfrwh
c:\progra~1\COMMON~1\qfrw\qfrwl.exe
c:\progra~1\COMMON~1\qfrw\qfrwl.lck
c:\progra~1\COMMON~1\qfrw\qfrwm.exe
c:\progra~1\COMMON~1\qfrw\qfrwm.lck
c:\progra~1\COMMON~1\qfrw\qfrwp.exe
c:\progra~1\COMMON~1\qfrw\qfrwp.lck

.
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 03:00 . 2009-06-14 03:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 02:54 . 2009-06-14 02:54 -------- d-----w- c:\program files\Trend Micro
2009-06-14 01:31 . 2009-06-14 01:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-06-10 14:01 . 2009-06-10 14:01 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IECompatCache
2009-06-10 14:00 . 2009-06-10 14:00 -------- d-sh--w- c:\documents and settings\Cesar Ramos\PrivacIE
2009-06-10 13:58 . 2009-06-10 13:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-10 13:57 . 2009-06-10 13:57 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IETldCache
2009-06-10 10:55 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 10:55 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:55 . 2009-06-10 10:56 -------- d-----w- c:\windows\ie8updates
2009-06-10 10:55 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-10 10:51 . 2009-06-10 10:54 -------- dc-h--w- c:\windows\ie8
2009-06-10 08:13 . 2009-06-10 08:13 -------- d-----w- C:\.jagex_cache_32
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Norton Security Scan
2009-06-01 09:21 . 2009-06-01 09:21 -------- d-----w- c:\windows\system32\Adobe
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Xfire
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-s---w- c:\program files\Xfire
2009-05-29 22:51 . 2009-05-29 22:52 -------- d-----w- c:\program files\QuickTime
2009-05-29 18:39 . 2009-05-29 18:39 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\Yahoo
2009-05-29 18:33 . 2009-05-27 02:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-28 16:16 . 2009-05-28 16:16 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-28 06:45 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 06:45 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 06:45 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 06:45 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 06:45 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 06:45 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 06:45 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 06:45 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 06:45 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 06:40 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 06:40 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 05:43 . 2009-06-12 10:32 34 ----a-w- c:\documents and settings\Cesar Ramos\jagex_runescape_preferences.dat
2009-05-28 02:44 . 2009-06-11 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-05-28 02:19 . 2009-05-28 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-28 02:16 . 2009-05-28 02:16 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\acccore
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL OCP
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL
2009-05-28 01:56 . 2009-05-28 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-28 01:56 . 2009-06-01 23:58 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 01:50 . 2009-06-14 03:31 -------- d-----w- c:\documents and settings\Cesar Ramos\Tracing
2009-05-28 01:49 . 2009-05-28 01:49 -------- d-----w- c:\program files\Microsoft
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live
2009-05-28 01:45 . 2009-05-28 01:45 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-25 19:51 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-05-25 19:51 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 03:05 . 2006-03-21 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 06:02 . 2006-03-25 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-29 22:51 . 2006-03-25 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-29 18:35 . 2006-12-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-29 18:35 . 2006-03-21 02:57 -------- d-----w- c:\program files\Yahoo!
2009-05-29 18:35 . 2007-06-25 02:27 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Yahoo!
2009-05-28 16:14 . 2007-07-15 12:06 -------- d--h--w- c:\docume~1\CESARR~1\APPLIC~1\ijjigame
2009-05-28 01:49 . 2006-04-24 00:23 41576 ----a-w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 05:15 . 2006-06-23 19:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-08-29 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-08-29 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2007-07-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cesar Ramos^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Cesar Ramos\Start Menu\Programs\Startup\IMVU.lnk


Re: system security.

Post by andrewvanderhevel on 14th June 2009, 1:12 am

backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [3/17/2006 10:04 AM 8078]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\Norton Security Scan for Cesar Ramos.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 02:04]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cesar Ramos\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-688789844-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-14 21:12
ComboFix-quarantined-files.txt 2009-06-14 04:12
ComboFix2.txt 2009-06-14 03:35
ComboFix3.txt 2009-06-14 02:36

Pre-Run: 22,852,427,776 bytes free
Post-Run: 22,839,398,400 bytes free

167 --- E O F --- 2009-06-10 10:56


Re: system security.

Post by Belahzur on 14th June 2009, 1:18 am

Hello.
That got it. It hasn't come back this time.

Please install Avira antivirus, otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: system security.

Post by andrewvanderhevel on 14th June 2009, 2:06 am

Sorry about the delayed response. My computer is now running quite well: little to no lag, no pop-ups out of nowhere and of course no silly "system security" telling me that, of all things, MS Paint is infected (seriously... what?). Thank you for the anti-virus software, and of course thank you for all your assistance.


Thank You!

