virus/malware

Post by sarah1215 on 31st July 2009, 10:22 am

I am running XP. I have some type of virus that keeps opening up a nexplore page and changes all my search results. I also keep getting Windows Explorer pop-ups saying my computer is infected. I ran Malwarebytes and SUPERAntiSpyware, and nothing seems to find it. Here is my HijackThis log......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:49 AM, on 7/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Transparent Windows\Transparent.exe
C:\Program Files\UniversalCallerID\UniversalCallerID.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sarah g.SARAH.000\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: 1Club.FM Toolbar - {3a9262ef-45b5-46fc-b460-7053539c9176} - C:\Program Files\1Club.FM\tb1Cl0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {28AED1AF-B164-44CD-B435-CF04AA955015} - (no file)
O2 - BHO: 1Club.FM Toolbar - {3a9262ef-45b5-46fc-b460-7053539c9176} - C:\Program Files\1Club.FM\tb1Cl0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: 1Club.FM Toolbar - {3a9262ef-45b5-46fc-b460-7053539c9176} - C:\Program Files\1Club.FM\tb1Cl0.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: (no name) - {28AED1AF-B164-44CD-B435-CF04AA955015} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Transparent Windows.lnk = ?
O4 - Startup: UniversalCallerID.lnk = C:\Program Files\UniversalCallerID\UniversalCallerID.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: f0f624a5649 - C:\WINDOWS\System32\icardie32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--


Hope you can help me! Thanks so much!


Re: virus/malware

Post by Belahzur on 31st July 2009, 8:29 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {28AED1AF-B164-44CD-B435-CF04AA955015} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: (no name) - {28AED1AF-B164-44CD-B435-CF04AA955015} - (no file)
    O20 - Winlogon Notify: f0f624a5649 - C:\WINDOWS\System32\icardie32.dll


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


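The six lines Belahzur asks to fix above follow patterns that can be checked mechanically rather than by eye: O2/O3 entries whose DLL is "(no file)" are registry leftovers with nothing behind them, and an O20 Winlogon Notify subkey whose name is just a run of hex digits (f0f624a5649) is a generated name, not a product name. A third pattern sits in the process list of the first post: winlogon.exe running from the user's Desktop while the real one runs from system32. The script below is an added example written for this page; it is not a tool from the thread or from Trend Micro. It re-implements that triage over a constructed excerpt of the posted log. The set of core system binaries and directories, the hex-name rule, and the category labels are the example's own assumptions, and a hit from the hex-name rule is a reason to look closer, not proof of infection on its own.

```python
import ntpath
import re
from typing import List, NamedTuple

# Constructed sample: a short excerpt of the HijackThis 2.0.2 log posted in
# this thread, reduced to the lines the heuristics below care about.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\sarah g.SARAH.000\Desktop\winlogon.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {28AED1AF-B164-44CD-B435-CF04AA955015} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: f0f624a5649 - C:\WINDOWS\System32\icardie32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
"""

# Assumption: core Windows XP binaries that only ever run from %SystemRoot%
# or %SystemRoot%\system32. Anything with one of these names elsewhere is
# borrowing the name to hide in the process list.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# HijackThis entry lines look like "O20 - Winlogon Notify: <name> - <path>".
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# Assumption: a Winlogon Notify subkey named with nothing but hex digits is a
# generated name rather than a product name and deserves a closer look.
HEXNAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)


class Finding(NamedTuple):
    category: str   # short label for the heuristic that fired
    line: str       # the log line that triggered it


def _masquerading_process(path: str) -> bool:
    """True if a core system binary name is running from outside the system directories."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a helper would ask to fix or inspect."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the "Running processes" block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if _masquerading_process(line):
                findings.append(Finding("masquerade", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("O2", "O3") and body.endswith("(no file)"):
            # Registry reference to a BHO/toolbar whose DLL is gone: an orphan, safe to fix.
            findings.append(Finding("orphan", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            name = body[len("Winlogon Notify:"):].split(" - ", 1)[0].strip()
            if HEXNAME_RE.match(name):
                findings.append(Finding("winlogon_notify_hexname", line))
    return findings


def categories(log_text: str) -> List[str]:
    """Just the labels, in log order; handy for a quick summary or a test."""
    return [f.category for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:25} {f.line}")
```

Run against the excerpt it reports the Desktop winlogon.exe as a masquerade, the two "(no file)" entries as orphans, and the f0f624a5649 Notify entry as a hex-named subkey, while the legitimate SUPERAntiSpyware and GoToAssist Notify DLLs pass. The masquerade check deliberately keys on the directory, not on the file name, because the name is exactly what the malware is copying.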

Re: virus/malware

Post by sarah1215 on 31st July 2009, 11:21 pm

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.39
Database version: 2537
Windows 5.1.2600 Service Pack 2

7/31/2009 7:00:20 PM
mbam-log-2009-07-31 (19-00-20).txt

Scan type: Quick Scan
Objects scanned: 97612
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 70

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c00C6299.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00c6299 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f70dc94.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\Application Data\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\DoubleD\Desktop Smiley Toolbar (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\Application Data\Internet Saving Optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160 (Adware.DoubleD) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\sarah g.sarah.000\local settings\temp\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\temp\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\ipdata.md (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090603-081411.843.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090603-093350.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090603-154859.671.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090603-160353.625.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090604-062950.406.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090604-094901.828.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090604-094936.562.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090604-094945.250.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090604-125311.312.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090604-125312.640.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-065130.281.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-092404.875.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-104543.703.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-104659.453.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-123657.671.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-134743.953.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-134745.703.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-143923.703.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090605-143925.390.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-073902.312.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-073903.859.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-083817.687.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-164247.328.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-173919.406.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-174110.968.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-214906.171.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090606-214910.250.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090607-080114.656.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090607-081648.812.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090607-081651.234.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090607-123229.968.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090607-123231.000.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090607-221103.718.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090608-072452.437.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090608-072557.218.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090609-072919.637.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090609-073050.215.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090609-085630.902.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090609-090352.215.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090609-092048.777.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090610-133428.859.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090618-163439.027.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090618-163550.246.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090621-211415.515.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090621-211710.546.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090621-213127.578.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090621-213128.125.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090622-133830.578.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090622-134914.578.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090622-143141.000.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090623-113035.546.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090624-180455.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090624-180844.359.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090624-181110.687.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090624-181215.890.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090625-060815.500.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090625-062553.828.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090625-062703.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090625-091552.312.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090626-152828.406.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090626-202638.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\NP_20090627-054629.296.log (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\application data\internet saving optimizer\3.3.0.4160\rstatus.md (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\documents and settings\sarah g.sarah.000\local settings\temp\_A00F70DC94.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C6299.dat (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\sarah g.SARAH.000\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

My searches are getting redirected to bestwebsearch.com? I also use Firefox but I have a bunch of windows popping up in IE. I also have some Data Execution Prevention window popping up. I have no idea what that is. My System Restore does not work also.


Re: virus/malware

Post by Belahzur on 1st August 2009, 1:26 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (McAfee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: virus/malware

Post by sarah1215 on 1st August 2009, 2:11 am

ComboFix 09-07-31.04 - sarah g 07/31/2009 21:59.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2037.1639 [GMT -4:00]
Running from: c:\documents and settings\sarah g.SARAH.000\Desktop\Combo-fix.exe
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649C.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649O.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649P.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\__c0070D84.dat
c:\windows\system32\GroupPolicy000.dat
C:\xcrashdump.dat

.((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.2009-08-01 02:03 . 2009-08-01 02:03 -------- d-sh--w- c:\windows\system32\SystemX86
2009-07-31 22:53 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 22:53 . 2009-07-31 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 22:53 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 14:15 . 2009-07-30 14:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\Pando Networks
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- C:\users
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\AIM Toolbar
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\1Club.FM
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\Opera
2009-07-30 01:21 . 2009-07-30 01:21 -------- d--h--r- c:\documents and settings\sarah g.SARAH.000\Application Data\SecuROM
2009-07-30 01:00 . 2009-07-30 01:00 10134 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-07-30 01:00 . 2009-07-30 00:28 447752 ----a-w- c:\windows\system32\vp6vfw.dll
2009-07-30 01:00 . 2009-07-30 01:00 -------- d-----w- c:\program files\Microsoft WSE
2009-07-30 00:57 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-07-30 00:57 . 2009-07-30 00:57 -------- d-----w- c:\windows\Logs
2009-07-29 23:48 . 2009-07-29 23:48 -------- d-----w- c:\program files\ESET
2009-07-29 23:21 . 2009-07-29 23:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2009-07-29 23:20 . 2009-07-30 01:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2009-07-29 22:29 . 2009-08-01 01:49 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\SUPERAntiSpyware.com
2009-07-29 21:09 . 2009-07-29 21:09 -------- d-----w- C:\ProgramData
2009-07-29 21:09 . 2009-07-29 21:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Electronic Arts
2009-07-29 21:08 . 2009-07-30 00:46 -------- d-----w- c:\program files\Electronic Arts
2009-07-29 19:53 . 2009-07-29 19:53 120320 ----a-w- c:\windows\system32\icardie32.dll
2009-07-28 14:35 . 2009-07-28 14:35 4096 ----a-w- c:\windows\d3dx.dat
2009-07-28 14:35 . 2009-07-30 14:08 -------- d-----w- c:\program files\Kudos Demo
2009-07-13 19:30 . 2009-07-13 19:30 1078 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_294823.exe
2009-07-13 19:30 . 2009-07-13 19:30 1078 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_18be6784.exe
2009-07-13 19:30 . 2009-07-30 14:08 -------- d-----w- c:\program files\Transparent Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 02:03 . 2009-08-01 02:03 374272 --sha-w- c:\windows\system32\3.tmp
2009-08-01 01:57 . 2008-09-27 16:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-01 01:55 . 2008-05-15 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-01 01:49 . 2008-05-15 16:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-30 20:25 . 2009-07-29 20:00 541 ----a-w- c:\documents and settings\sarah g.SARAH.000\udpcrawl.tmp
2009-07-30 14:16 . 2008-05-17 22:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2009-07-30 14:14 . 2009-06-27 14:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-30 14:14 . 2009-06-09 13:38 -------- d-----w- c:\program files\Safari
2009-07-30 14:14 . 2008-05-17 22:55 -------- d-----w- c:\program files\AIM6
2009-07-30 14:14 . 2009-06-27 14:36 -------- d-----w- c:\program files\Freeze.com
2009-07-30 14:14 . 2009-06-09 13:38 -------- d-----w- c:\program files\Bonjour
2009-07-30 14:10 . 2009-06-27 13:41 -------- d-----w- c:\program files\RegGenie
2009-07-30 14:08 . 2008-11-25 09:37 -------- d-----w- c:\program files\LimeWire
2009-07-30 01:07 . 2009-07-29 23:24 1328 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-30 00:46 . 2008-05-10 03:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 00:11 . 2008-05-15 15:58 -------- d-----w- c:\program files\LabelCommand
2009-07-29 22:49 . 2008-05-22 13:55 12720 ----a-w- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-29 22:09 . 2008-11-25 09:38 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire
2009-07-04 20:45 . 2008-07-29 22:42 -------- d-----w- c:\program files\SIM Edit Tool
2009-06-29 16:12 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-27 14:44 . 2009-06-27 14:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 14:43 . 2009-06-27 14:43 152576 ----a-w- c:\documents and settings\sarah g.SARAH.000\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-27 14:39 . 2009-06-27 14:40 38208 ----a-w- c:\documents and settings\sarah g.SARAH.000\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-21 21:14 . 2008-05-10 03:02 -------- d-----w- c:\program files\Java
2009-06-19 14:05 . 2009-06-19 14:05 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 20:50 . 2008-11-17 15:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads
2009-06-09 13:38 . 2009-06-09 13:38 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-09 13:38 . 2008-08-07 22:28 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\Apple Computer
2009-06-07 12:00 . 2009-03-26 16:57 -------- d-----w- c:\program files\MySpace
2009-06-05 21:43 . 2009-06-05 21:43 69632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 4.30.17.0\SetupAdmin.exe
2009-06-05 19:24 . 2008-05-10 03:06 -------- d-----w- c:\program files\Google
2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-08 12:48 . 2008-05-16 18:00 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl(2).dll
2009-07-26 18:29 . 2009-06-27 13:29 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{3a9262ef-45b5-46fc-b460-7053539c9176}"= "c:\program files\1Club.FM\tb1Cl0.dll" [2009-07-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{3a9262ef-45b5-46fc-b460-7053539c9176}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a9262ef-45b5-46fc-b460-7053539c9176}]
2009-07-06 12:40 2215960 ----a-w- c:\program files\1Club.FM\tb1Cl0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3a9262ef-45b5-46fc-b460-7053539c9176}"= "c:\program files\1Club.FM\tb1Cl0.dll" [2009-07-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{3a9262ef-45b5-46fc-b460-7053539c9176}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3A9262EF-45B5-46FC-B460-7053539C9176}"= "c:\program files\1Club.FM\tb1Cl0.dll" [2009-07-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{3a9262ef-45b5-46fc-b460-7053539c9176}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\sarah g.SARAH.000\Start Menu\Programs\Startup\
Transparent Windows.lnk - c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_294823.exe [2009-7-13 1078]
UniversalCallerID.lnk - c:\program files\UniversalCallerID\UniversalCallerID.exe [2008-12-20 21504]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-16 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\f0f624a5649]
2009-07-29 19:53 120320 ----a-w- c:\windows\system32\icardie32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-16 20:29 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-2052111302-839522115-1004Core.job
- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 13:24]

2009-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-2052111302-839522115-1004UA.job
- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 13:24]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\sarah g.SARAH.000\Application Data\Mozilla\Firefox\Profiles\ttwtci6p.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-31 22:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

sarah1215
Novice
Posts: 40
Joined: 2009-07-31
OS: xp
Points: 26912
Likes: 0

Re: virus/malware

Post by sarah1215 on 1st August 2009, 2:11 am

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-2052111302-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a3,85,53,d7,dc,88,73,d3,d2,32,52,cc,00,09,bd,76,9a,4b,f2,6d,0f,
0c,31,0c,39,6c,c4,6d,ab,b0,88,ac,4f,7f,d3,fc,44,1a,74,fb,b0,c1,2f,78,5a,35,\
"rkeysecu"=hex:d7,bf,6d,a3,f2,23,61,a2,a3,46,99,5e,81,b4,79,7b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\System32\icardie32.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\WININET.dll
c:\program files\Transparent Windows\TRANSDLL.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\System32\icardie32.dll
c:\windows\system32\3.tmp
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Transparent Windows\Transparent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.

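The ComboFix sections quoted in the two posts above (the "Files Created" / "Find3M" entries and the "DLLs Loaded Under Running Processes" list) have a fixed layout, which makes them easy to triage mechanically before a helper reads them by hand. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses both sections and flags the entries a reviewer would want to look at first (temp-named or system+hidden files in Windows directories, and newly created files that are already loaded into winlogon.exe or explorer.exe). The rules and the `triage`, `parse_entries` and `parse_loaded_dlls` functions are this example's own; the sample lines are copied from the logs posted above.

```python
"""Triage helper for ComboFix-style log sections (added example, not ComboFix code).

Parses "Files Created" / "Find3M" entries and the "DLLs Loaded Under Running
Processes" list, then flags entries worth a closer look. Heuristics are this
example's own; sample lines are copied from the logs posted in the thread.
"""
import re
from dataclasses import dataclass

# One entry line:  <modified> . <created> <size or dashes> <8 attribute flags> <path>
ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-zA-Z]{8}) (?P<path>.+)$"
)
# Process banner in the DLL section:  - - - - - - - > 'winlogon.exe'(704)
PROC_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Entry:
    modified: str
    created: str
    size: int    # 0 where ComboFix prints dashes (directories)
    attrs: str   # e.g. "--sha-w-": d=directory, s=system, h=hidden, a=archive
    path: str    # lower-cased so it compares with the DLL list

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(lines) -> list:
    """Keep lines matching the entry layout; banners, dots and blanks are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            size = int(m["size"]) if m["size"].isdigit() else 0
            entries.append(Entry(m["modified"], m["created"], size,
                                 m["attrs"].lower(), m["path"].lower()))
    return entries


def parse_loaded_dlls(lines) -> dict:
    """Map each process name to the module paths listed under its banner."""
    loaded, current = {}, None
    for raw in lines:
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            current = m["proc"].lower()
            loaded.setdefault(current, [])
        elif not line:
            current = None  # a blank line closes the process block
        elif current and not line.startswith(("-", ".")):
            loaded[current].append(line.lower())
    return loaded


def flag_entries(entries, loaded) -> list:
    """Return (path, reasons) for every entry that trips at least one rule."""
    in_winlogon = set(loaded.get("winlogon.exe", []))
    in_explorer = set(loaded.get("explorer.exe", []))
    findings = []
    for e in entries:
        in_sys = e.path.startswith(SYSTEM_DIRS)
        reasons = []
        if in_sys and not e.is_dir and e.name.endswith(".tmp"):
            reasons.append("temp-named file in a Windows system directory")
        if in_sys and "s" in e.attrs and "h" in e.attrs:
            reasons.append("system+hidden attributes in a Windows system directory")
        if e.path in in_winlogon:
            reasons.append("newly created file loaded into winlogon.exe")
        if e.path in in_explorer and not e.name.endswith(".dll"):
            reasons.append("non-DLL module loaded into explorer.exe")
        if reasons:
            findings.append((e.path, reasons))
    return findings


def triage(files_text: str, dlls_text: str) -> list:
    return flag_entries(parse_entries(files_text.splitlines()),
                        parse_loaded_dlls(dlls_text.splitlines()))


# Sample input: lines copied from the ComboFix logs posted in this thread.
FILES_CREATED = r"""
2009-08-01 10:07 . 2009-08-01 10:07 -------- d-sh--w- c:\windows\system32\SystemX86
2009-08-01 02:03 . 2009-08-01 02:03 374272 --sha-w- c:\windows\system32\3.tmp
2009-07-31 22:53 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 00:57 . 2009-07-30 00:57 -------- d-----w- c:\windows\Logs
2009-07-29 19:53 . 2009-07-29 19:53 120320 ----a-w- c:\windows\system32\icardie32.dll
2009-06-09 13:38 . 2009-06-09 13:38 12736 ---ha-w- c:\windows\system32\mlfcache.dat
"""
DLLS_LOADED = r"""
- - - - - - - > 'winlogon.exe'(704)
c:\windows\System32\icardie32.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\WININET.dll
c:\windows\System32\icardie32.dll
c:\windows\system32\3.tmp
c:\program files\Bonjour\mdnsNSP.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(FILES_CREATED, DLLS_LOADED):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The output is a review list, not a verdict: `3.tmp` trips three rules and is the same file the helper later scripted for removal, while `icardie32.dll` is listed only because a file created during the scan window is loaded into winlogon.exe, which is exactly the kind of entry a human should check against the vendor and the winlogon notify key before deciding anything.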

Re: virus/malware

Post by sarah1215 on 1st August 2009, 2:14 am

I turned off the firewall and everything. I don't believe I have McAfee? I don't see it.


Re: virus/malware

Post by Origin on 1st August 2009, 2:51 am

I see that you are running LimeWire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Limewire


Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\3.tmp
c:\documents and settings\sarah g.SARAH.000\udpcrawl.tmp

Folder::
c:\program files\Freeze.com
c:\program files\LimeWire
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31503
Likes: 0

Re: virus/malware

Post by sarah1215 on 1st August 2009, 10:21 am

I had already deleted LimeWire the other day, as I believe that is how this all started. My friend had used it to put stuff on her cell phone and she obviously downloaded a bunch of crap. After she used that program, that's when this all started.

ComboFix 09-07-31.04 - sarah g 08/01/2009 6:02.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2037.1589 [GMT -4:00]
Running from: c:\documents and settings\sarah g.SARAH.000\Desktop\Combo-fix.exe
Command switches used :: c:\documents and settings\sarah g.SARAH.000\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\sarah g.SARAH.000\udpcrawl.tmp"
"c:\windows\system32\3.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\SARAHG~1.000\LOCALS~1\Temp\6.tmp
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649C.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649O.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649P.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649S.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\active.mojito
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\createtimes.cache
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\downloads.dat
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\fileurns.bak
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\fileurns.cache
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\filters.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\installation.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\library.dat
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\limewire.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\mojito.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\passive.mojito
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(10).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(11).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(12).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(13).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(14).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(15).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(16).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(17).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(18).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(19).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(2).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(20).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(21).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(22).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(23).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(24).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(25).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(26).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(27).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(28).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(29).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(3).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(30).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(31).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(32).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(33).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(34).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(35).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(36).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(37).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(38).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(4).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(5).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(6).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(7).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(8).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb(9).lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\questions.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\simpp.xml
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\tables.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\version.xml
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\versions.props
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\sarah g.SARAH.000\Application Data\LimeWire\xml\data\video.sxml2
c:\documents and settings\sarah g.SARAH.000\Local Settings\temp\6.tmp
c:\documents and settings\sarah g.SARAH.000\udpcrawl.tmp
c:\program files\Freeze.com
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\freeze.ico
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\marine.ico
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\PTest.exe
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\remove.exe
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\undata.exe
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\undata.ini
c:\program files\Freeze.com\Living Marine Aquarium 2 Full\UNINSTAL.EXE
c:\program files\LimeWire
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe
c:\windows\GnuHashes.ini
c:\windows\system32\__c00D5EF7.dat
c:\windows\system32\3.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\SystemX86
c:\windows\system32\SystemX86\237.crack.zip
c:\windows\system32\SystemX86\237.crack.zip.kwd
c:\windows\system32\SystemX86\238.keygen.zip
c:\windows\system32\SystemX86\238.keygen.zip.kwd
c:\windows\system32\SystemX86\239.serial.zip
c:\windows\system32\SystemX86\239.serial.zip.kwd
c:\windows\system32\SystemX86\240.setup.zip
c:\windows\system32\SystemX86\240.setup.zip.kwd
c:\windows\system32\SystemX86\241.music.au
c:\windows\system32\SystemX86\241.music.au.kwd
c:\windows\system32\SystemX86\242.music2.au
c:\windows\system32\SystemX86\242.music2.au.kwd
c:\windows\system32\SystemX86\243.music3.au
c:\windows\system32\SystemX86\243.music3.au.kwd
c:\windows\system32\SystemX86\244.music.snd
c:\windows\system32\SystemX86\244.music.snd.kwd


Re: virus/malware

Post by sarah1215 on 1st August 2009, 10:22 am

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 10:07 . 2009-08-01 10:07 -------- d-sh--w- c:\windows\system32\SystemX86
2009-07-31 22:53 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 22:53 . 2009-07-31 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 22:53 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 14:15 . 2009-07-30 14:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\Pando Networks
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- C:\users
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\AIM Toolbar
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\1Club.FM
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\Opera
2009-07-30 01:21 . 2009-07-30 01:21 -------- d--h--r- c:\documents and settings\sarah g.SARAH.000\Application Data\SecuROM
2009-07-30 01:00 . 2009-07-30 01:00 10134 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-07-30 01:00 . 2009-07-30 00:28 447752 ----a-w- c:\windows\system32\vp6vfw.dll
2009-07-30 01:00 . 2009-07-30 01:00 -------- d-----w- c:\program files\Microsoft WSE
2009-07-30 00:57 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-07-30 00:57 . 2009-07-30 00:57 -------- d-----w- c:\windows\Logs
2009-07-29 23:48 . 2009-07-29 23:48 -------- d-----w- c:\program files\ESET
2009-07-29 23:21 . 2009-07-29 23:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2009-07-29 23:20 . 2009-07-30 01:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2009-07-29 22:29 . 2009-08-01 01:49 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\SUPERAntiSpyware.com
2009-07-29 21:09 . 2009-07-29 21:09 -------- d-----w- C:\ProgramData
2009-07-29 21:09 . 2009-07-29 21:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Electronic Arts
2009-07-29 21:08 . 2009-07-30 00:46 -------- d-----w- c:\program files\Electronic Arts
2009-07-29 19:53 . 2009-07-29 19:53 120320 ----a-w- c:\windows\system32\icardie32.dll
2009-07-28 14:35 . 2009-07-28 14:35 4096 ----a-w- c:\windows\d3dx.dat
2009-07-28 14:35 . 2009-07-30 14:08 -------- d-----w- c:\program files\Kudos Demo
2009-07-13 19:30 . 2009-07-13 19:30 1078 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_294823.exe
2009-07-13 19:30 . 2009-07-13 19:30 1078 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_18be6784.exe
2009-07-13 19:30 . 2009-07-30 14:08 -------- d-----w- c:\program files\Transparent Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 01:57 . 2008-09-27 16:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-01 01:55 . 2008-05-15 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-01 01:49 . 2008-05-15 16:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-30 14:16 . 2008-05-17 22:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2009-07-30 14:14 . 2009-06-27 14:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-30 14:14 . 2009-06-09 13:38 -------- d-----w- c:\program files\Safari
2009-07-30 14:14 . 2008-05-17 22:55 -------- d-----w- c:\program files\AIM6
2009-07-30 14:14 . 2009-06-09 13:38 -------- d-----w- c:\program files\Bonjour
2009-07-30 14:10 . 2009-06-27 13:41 -------- d-----w- c:\program files\RegGenie
2009-07-30 01:07 . 2009-07-29 23:24 1328 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-30 00:46 . 2008-05-10 03:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 00:11 . 2008-05-15 15:58 -------- d-----w- c:\program files\LabelCommand
2009-07-29 22:49 . 2008-05-22 13:55 12720 ----a-w- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 20:45 . 2008-07-29 22:42 -------- d-----w- c:\program files\SIM Edit Tool
2009-06-29 16:12 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-27 14:44 . 2009-06-27 14:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 14:43 . 2009-06-27 14:43 152576 ----a-w- c:\documents and settings\sarah g.SARAH.000\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-27 14:39 . 2009-06-27 14:40 38208 ----a-w- c:\documents and settings\sarah g.SARAH.000\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-21 21:14 . 2008-05-10 03:02 -------- d-----w- c:\program files\Java
2009-06-19 14:05 . 2009-06-19 14:05 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 20:50 . 2008-11-17 15:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads
2009-06-09 13:38 . 2009-06-09 13:38 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-09 13:38 . 2008-08-07 22:28 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\Apple Computer
2009-06-07 12:00 . 2009-03-26 16:57 -------- d-----w- c:\program files\MySpace
2009-06-05 21:43 . 2009-06-05 21:43 69632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 4.30.17.0\SetupAdmin.exe
2009-06-05 19:24 . 2008-05-10 03:06 -------- d-----w- c:\program files\Google
2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-08 12:48 . 2008-05-16 18:00 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl(2).dll
2009-07-26 18:29 . 2009-06-27 13:29 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 10:07 . 2009-08-01 10:07 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{3a9262ef-45b5-46fc-b460-7053539c9176}"= "c:\program files\1Club.FM\tb1Cl0.dll" [2009-07-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{3a9262ef-45b5-46fc-b460-7053539c9176}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a9262ef-45b5-46fc-b460-7053539c9176}]
2009-07-06 12:40 2215960 ----a-w- c:\program files\1Club.FM\tb1Cl0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3a9262ef-45b5-46fc-b460-7053539c9176}"= "c:\program files\1Club.FM\tb1Cl0.dll" [2009-07-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{3a9262ef-45b5-46fc-b460-7053539c9176}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3A9262EF-45B5-46FC-B460-7053539C9176}"= "c:\program files\1Club.FM\tb1Cl0.dll" [2009-07-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{3a9262ef-45b5-46fc-b460-7053539c9176}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\sarah g.SARAH.000\Start Menu\Programs\Startup\
Transparent Windows.lnk - c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_294823.exe [2009-7-13 1078]
UniversalCallerID.lnk - c:\program files\UniversalCallerID\UniversalCallerID.exe [2008-12-20 21504]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-16 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\f0f624a5649]
2009-07-29 19:53 120320 ----a-w- c:\windows\system32\icardie32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-16 20:29 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-2052111302-839522115-1004Core.job
- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 13:24]

2009-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-2052111302-839522115-1004UA.job
- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 13:24]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\sarah g.SARAH.000\Application Data\Mozilla\Firefox\Profiles\ttwtci6p.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-01 06:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-2052111302-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a3,85,53,d7,dc,88,73,d3,d2,32,52,cc,00,09,bd,76,9a,4b,f2,6d,0f,
0c,31,0c,39,6c,c4,6d,ab,b0,88,ac,4f,7f,d3,fc,44,1a,74,fb,b0,c1,2f,78,5a,35,\
"rkeysecu"=hex:d7,bf,6d,a3,f2,23,61,a2,a3,46,99,5e,81,b4,79,7b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\System32\icardie32.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1372)
c:\windows\system32\WININET.dll
c:\program files\Transparent Windows\TRANSDLL.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\System32\icardie32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Transparent Windows\Transparent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-01 6:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 10:10
ComboFix2.txt 2009-08-01 02:06

Pre-Run: 111,740,727,296 bytes free
Post-Run: 111,701,237,760 bytes free

376 --- E O F --- 2009-07-30 10:36

sarah1215
Novice

Posts : 40
Joined : 2009-07-31
OS : xp
Points : 26912
# Likes : 0


Re: virus/malware

Post by Origin on 1st August 2009, 6:19 pm

Run another Malwarebytes scan and post the results back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31503
# Likes : 0


Re: virus/malware

Post by sarah1215 on 1st August 2009, 8:25 pm

It's not finding anything, but I still get a Windows pop-up saying my computer is infected and then something starts scanning. My searches are not getting redirected anymore though. Here is the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2537
Windows 5.1.2600 Service Pack 2

8/1/2009 4:22:45 PM
mbam-log-2009-08-01 (16-22-45).txt

Scan type: Quick Scan
Objects scanned: 94383
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I appreciate the help!


Re: virus/malware

Post by Origin on 2nd August 2009, 5:59 pm

Please download [You must be registered and logged in to see this link.]

  • Next, run the file. *Note: If running Vista, right-click and select Run as administrator.
  • Once opened, navigate to the Log tab, select all the areas including the "Hidden objects only" box, and click on the Create Log button.
  • A scan will start and then a window will pop up with two options; select Scan all drives.
  • Once finished, it will give you the location where the log was saved (usually the desktop); navigate to that place, open the log, and post all of its contents back here.




Re: virus/malware

Post by sarah1215 on 2nd August 2009, 10:27 pm

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: genmsjyg.sys
Service Name: ---
Module Base: BA0A8000
Module End: BA0B7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A7805000
Module End: A781D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5E4000
Module End: BA5E6000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: SARAH:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: SARAH:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: SARAH:5152
Remote Address: LOCALHOST:3979
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: SARAH:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: SARAH:1394
Remote Address: LOCALHOST:4082
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4081
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4079
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4078
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4077
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4076
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: LOCALHOST:4070
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: SARAH:1394
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\explorer.exe
State: LISTENING

Local Address: SARAH:1034
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: SARAH.HSD1.PA.COMCAST.NET.:1184
Remote Address: A96-17-168-41.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: CLOSE_WAIT

Local Address: SARAH.HSD1.PA.COMCAST.NET.:1025
Remote Address: IM.COMCAST.NET:5222
Type: TCP
Process: C:\Program Files\UniversalCallerID\UniversalCallerID.exe
State: ESTABLISHED

Local Address: SARAH.HSD1.PA.COMCAST.NET.:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: SARAH:6877
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Electronic Arts\EADM\Core.exe
State: LISTENING

Local Address: SARAH:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: SARAH:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: SARAH:3116
Remote Address: NA
Type: UDP
Process: C:\Program Files\Electronic Arts\EADM\Core.exe
State: NA

Local Address: SARAH:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SARAH:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SARAH.HSD1.PA.COMCAST.NET.:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: SARAH.HSD1.PA.COMCAST.NET.:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SARAH.HSD1.PA.COMCAST.NET.:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: SARAH.HSD1.PA.COMCAST.NET.:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: SARAH.HSD1.PA.COMCAST.NET.:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SARAH:49332
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: SARAH:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: SARAH:1027
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: SARAH:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: SARAH:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\sarah g.SARAH.000\My Documents\LimeWire\Incomplete\HRSKBXPZSLQQNK7SV6JYXTVXMSENEWB6\The Sims 3 - Razor1911 Final MAXSPEED\The Sims 3 - Razor1911 MAXSPEED [You must be registered and logged in to see this link.] Sims 3 - Razor1911 MAXSPEED [You must be registered and logged in to see this link.]
Status: Hidden


Re: virus/malware

Post by sarah1215 on 2nd August 2009, 11:39 pm

I deleted LimeWire, but I still have a LimeWire folder in My Documents. That hidden file is in there; I have no idea what it is?


Re: virus/malware

Post by Belahzur on 3rd August 2009, 8:08 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
C:\Documents and Settings\sarah g.SARAH.000\My Documents\LimeWire

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1


Re: virus/malware

Post by sarah1215 on 3rd August 2009, 10:19 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Documents and Settings\sarah g.SARAH.000\My Documents\LimeWire" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: virus/malware

Post by sarah1215 on 3rd August 2009, 10:34 pm

I think that fixed it! The only thing happening now is that I am getting a ton of IE pop-ups even when I am on Firefox. How can I prevent that? I thank you guys so much! I really appreciate it!


Re: virus/malware

Post by sarah1215 on 4th August 2009, 5:31 pm

I was wrong; a window still pops open saying the computer is infected, and when I try to close it, something starts scanning.


Re: virus/malware

Post by Belahzur on 4th August 2009, 6:51 pm

Post a new Hijack This log.





Re: virus/malware

Post by sarah1215 on 4th August 2009, 8:41 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:07 PM, on 8/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Transparent Windows\Transparent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sarah g.SARAH.000\My Documents\winlogon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: 1Club.FM Toolbar - {3a9262ef-45b5-46fc-b460-7053539c9176} - C:\Program Files\1Club.FM\tb1Cl0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: 1Club.FM Toolbar - {3a9262ef-45b5-46fc-b460-7053539c9176} - C:\Program Files\1Club.FM\tb1Cl0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: 1Club.FM Toolbar - {3a9262ef-45b5-46fc-b460-7053539c9176} - C:\Program Files\1Club.FM\tb1Cl0.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A00F325224.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F325224.exe
O4 - HKCU\..\Run: [A00F581C415.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F581C415.exe
O4 - HKCU\..\Run: [A00F17B65.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F17B65.exe
O4 - Startup: Transparent Windows.lnk = ?
O4 - Startup: UniversalCallerID.lnk = C:\Program Files\UniversalCallerID\UniversalCallerID.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: f0f624a5649 - C:\WINDOWS\System32\icardie32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: __c00E4400 - C:\WINDOWS\system32\__c00E4400.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7370 bytes


Re: virus/malware

Post by sarah1215 on 4th August 2009, 9:11 pm

I am still getting redirected to mybestwebearch.net, but when I have NoScript on it prevents it from changing.


Re: virus/malware

Post by Belahzur on 5th August 2009, 5:36 pm

Hello.
More malware jumped back on your machine.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [A00F325224.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F325224.exe
    O4 - HKCU\..\Run: [A00F581C415.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F581C415.exe
    O4 - HKCU\..\Run: [A00F17B65.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F17B65.exe
    O20 - Winlogon Notify: f0f624a5649 - C:\WINDOWS\System32\icardie32.dll
    O20 - Winlogon Notify: __c00E4400 - C:\WINDOWS\system32\__c00E4400.dat


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

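What Belahzur is doing above is reading HijackThis O4 (Run) and O20 (Winlogon Notify) lines and picking out the ones that do not belong. The script below is an added example, not Belahzur's method or any HijackThis tooling: it parses those two line types and flags the same three patterns seen in this thread (a Run entry launching from a Temp directory, an entry name that is a random hex token, and a Winlogon Notify package that is not a .dll). The sample log is constructed from lines in this thread, and the heuristics are my own triage rules, not a detection signature.

```python
"""Triage HijackThis O4/O20 lines for the patterns seen in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the three lines Belahzur told sarah1215 to fix, plus
# three benign entries from the same log so the rules have something to pass.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [A00F325224.exe] C:\DOCUME~1\SARAHG~1.000\LOCALS~1\Temp\_A00F325224.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: f0f624a5649 - C:\WINDOWS\System32\icardie32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: __c00E4400 - C:\WINDOWS\system32\__c00E4400.dat
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis line shapes for the two sections this triage covers.
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# A quoted path, or an unquoted one ending at the first recognised extension
# (command-line arguments, if any, follow it and are dropped).
PATH_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|dat|tmp|scr|com|bat|cmd))', re.I
)
# Anything launched out of a Temp directory (also matches LOCALS~1\Temp).
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
# Entry names such as f0f624a5649 or __c00E4400: an optional __ prefix and
# at least eight hex digits, with no recognisable product name.
RANDOM_NAME_RE = re.compile(r"_{0,2}[0-9a-f]{8,}", re.I)


@dataclass
class Finding:
    section: str  # "O4" or "O20"
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Return the executable path from an O4 command string."""
    m = PATH_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def check_common(name: str, path: str) -> list[str]:
    """Rules that apply to both Run entries and Notify packages."""
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("launches from a Temp directory")
    # Strip a trailing extension before the hex-token test ("A00F325224.exe").
    if RANDOM_NAME_RE.fullmatch(name.rsplit(".", 1)[0]):
        reasons.append("entry name looks like a random hex token")
    return reasons


def check_notify(name: str, path: str) -> list[str]:
    """Winlogon loads Notify packages as DLLs; a .dat target is out of place."""
    reasons = check_common(name, path)
    if not path.lower().endswith(".dll"):
        reasons.append("Winlogon Notify package is not a .dll")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse O4/O20 lines and return only the entries that trip a rule."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = extract_path(m["cmd"])
            reasons = check_common(m["name"], path)
            if reasons:
                findings.append(Finding("O4", m["name"], path, reasons))
        elif m := O20_RE.match(line):
            reasons = check_notify(m["name"], m["path"])
            if reasons:
                findings.append(Finding("O20", m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Entries the script flags are candidates for a human to check against the full log, exactly as the helper does here; a benign entry with an unusual name will still trip the hex-token rule.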

Re: virus/malware

Post by sarah1215 on 5th August 2009, 6:18 pm

The first 3 you told me to check did not show up in the HijackThis log. I already have MBAM installed, so I ran that and here is the log.

Malwarebytes' Anti-Malware 1.39
Database version: 2537
Windows 5.1.2600 Service Pack 2

8/5/2009 2:11:27 PM
mbam-log-2009-08-05 (14-11-27).txt

Scan type: Quick Scan
Objects scanned: 94289
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\3.tmp (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\7.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00DC182.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e6396 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fd0659.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\3.tmp (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\7.tmp (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\sarah g.sarah.000\local settings\temp\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\_A00FD0659.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00DC182.dat (Trojan.Agent) -> Delete on reboot.


Re: virus/malware

Post by sarah1215 on 5th August 2009, 10:05 pm

I think I have the Antispyware 2009 virus. That's what starts scanning when I try to close the Windows Explorer message saying my computer is infected. Could MBAM be not removing it because I had that installed when I obtained the virus?


Re: virus/malware

Post by sarah1215 on 5th August 2009, 11:53 pm

I ran MBAM again and here is the log.

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\3.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00C0D52.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00EF2E1.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00c0d52 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1a284.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f127b7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f44f726.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\3.tmp (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\_A00F1A284.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\_A00F44F726.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\_A00F127B7.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\19.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\4.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C0D52.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c0098149.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00EF2E1.dat (Trojan.Agent) -> Delete on reboot.


Re: virus/malware

Post by Belahzur on 6th August 2009, 3:35 pm

Re-run Combofix and post a new log.



Re: virus/malware

Post by sarah1215 on 6th August 2009, 3:57 pm

ComboFix 09-07-31.04 - sarah g 08/06/2009 11:41.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1533 [GMT -4:00]
Running from: c:\documents and settings\sarah g.SARAH.000\Desktop\Combo-fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649C.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649O.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649P.manifest
c:\documents and settings\sarah g.SARAH.000\Application Data\02000000ec975e43649S.manifest
c:\documents and settings\sarah g.SARAH.000\My Documents\winlogon.exe
c:\windows\GnuHashes.ini
c:\windows\system32\__c0015940.dat
c:\windows\system32\__c00F6660.dat
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\SystemX86
c:\windows\system32\SystemX86\245.crack.zip
c:\windows\system32\SystemX86\245.crack.zip.kwd
c:\windows\system32\SystemX86\246.keygen.zip
c:\windows\system32\SystemX86\246.keygen.zip.kwd
c:\windows\system32\SystemX86\247.serial.zip
c:\windows\system32\SystemX86\247.serial.zip.kwd
c:\windows\system32\SystemX86\248.setup.zip
c:\windows\system32\SystemX86\248.setup.zip.kwd
c:\windows\system32\SystemX86\249.music.au
c:\windows\system32\SystemX86\249.music.au.kwd
c:\windows\system32\SystemX86\250.music2.au
c:\windows\system32\SystemX86\250.music2.au.kwd
c:\windows\system32\SystemX86\251.music3.au
c:\windows\system32\SystemX86\251.music3.au.kwd
c:\windows\system32\SystemX86\252.music.snd
c:\windows\system32\SystemX86\252.music.snd.kwd
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 15:47 . 2009-08-06 15:47 557 --sha-w- c:\windows\system32\GroupPolicy000.dat
2009-08-06 15:47 . 2009-08-06 15:47 -------- d-sh--w- c:\windows\system32\SystemX86
2009-08-06 00:12 . 2009-08-06 00:25 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-05 23:45 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 23:45 . 2009-08-05 23:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 23:45 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 22:18 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-08-05 22:18 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-05 22:18 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-08-05 22:11 . 2009-08-05 22:11 -------- d-----w- c:\windows\system32\scripting
2009-08-05 22:11 . 2009-08-05 22:11 -------- d-----w- c:\windows\system32\en
2009-08-05 22:11 . 2009-08-05 22:11 -------- d-----w- c:\windows\l2schemas
2009-08-05 22:11 . 2009-08-05 22:11 -------- d-----w- c:\windows\system32\bits
2009-08-05 22:10 . 2009-08-05 22:10 -------- d-----w- c:\windows\ServicePackFiles
2009-08-05 22:06 . 2009-08-05 22:06 -------- d-----w- c:\windows\EHome
2009-08-04 21:52 . 2009-08-04 21:53 -------- d-----w- c:\windows\system32\NtmsData
2009-08-04 21:38 . 2009-08-04 21:38 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-07-30 14:15 . 2009-07-30 14:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\Pando Networks
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- C:\users
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\AIM Toolbar
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar
2009-07-30 14:14 . 2009-07-30 14:14 -------- d-----w- c:\program files\Opera
2009-07-30 01:21 . 2009-07-30 01:21 -------- d--h--r- c:\documents and settings\sarah g.SARAH.000\Application Data\SecuROM
2009-07-30 01:00 . 2009-07-30 01:00 10134 ----a-r- c:\documents and settings\sarah g.SARAH.000\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-07-30 01:00 . 2009-07-30 00:28 447752 ----a-w- c:\windows\system32\vp6vfw.dll
2009-07-30 01:00 . 2009-07-30 01:00 -------- d-----w- c:\program files\Microsoft WSE
2009-07-30 00:57 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-07-30 00:57 . 2009-07-30 00:57 -------- d-----w- c:\windows\Logs
2009-07-29 23:48 . 2009-07-29 23:48 -------- d-----w- c:\program files\ESET
2009-07-29 23:21 . 2009-07-29 23:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2009-07-29 23:20 . 2009-07-30 01:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2009-07-29 22:29 . 2009-08-01 01:49 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\SUPERAntiSpyware.com
2009-07-29 21:09 . 2009-07-29 21:09 -------- d-----w- C:\ProgramData
2009-07-29 21:09 . 2009-07-29 21:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Electronic Arts
2009-07-29 21:08 . 2009-07-30 00:46 -------- d-----w- c:\program files\Electronic Arts
2009-07-29 19:53 . 2009-07-29 19:53 120320 ----a-w- c:\windows\system32\icardie32.dll
2009-07-28 14:35 . 2009-07-28 14:35 4096 ----a-w- c:\windows\d3dx.dat
2009-07-28 14:35 . 2009-07-30 14:08 -------- d-----w- c:\program files\Kudos Demo
2009-07-13 19:30 . 2009-08-04 21:26 -------- d-----w- c:\program files\Transparent Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 15:47 . 2009-08-06 15:47 518144 --sha-w- c:\windows\system32\3.tmp
2009-08-06 14:03 . 2009-08-06 12:06 117 ----a-w- c:\documents and settings\sarah g.SARAH.000\udpcrawl.tmp
2009-08-06 12:06 . 2009-08-06 12:06 518144 --sha-w- c:\windows\system32\1E.tmp
2009-08-06 10:57 . 2009-08-06 10:57 0 ----a-w- c:\windows\system32\4.tmp
2009-08-06 00:42 . 2008-09-27 16:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-05 22:13 . 2008-05-16 18:00 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-01 01:55 . 2008-05-15 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-01 01:49 . 2008-05-15 16:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-30 14:16 . 2008-05-17 22:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2009-07-30 14:14 . 2009-06-27 14:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-30 14:14 . 2009-06-09 13:38 -------- d-----w- c:\program files\Safari
2009-07-30 14:14 . 2008-05-17 22:55 -------- d-----w- c:\program files\AIM6
2009-07-30 14:14 . 2009-06-09 13:38 -------- d-----w- c:\program files\Bonjour
2009-07-30 14:10 . 2009-06-27 13:41 -------- d-----w- c:\program files\RegGenie
2009-07-30 01:07 . 2009-07-29 23:24 1328 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-30 00:46 . 2008-05-10 03:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 00:11 . 2008-05-15 15:58 -------- d-----w- c:\program files\LabelCommand
2009-07-29 22:49 . 2008-05-22 13:55 12720 ----a-w- c:\documents and settings\sarah g.SARAH.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 20:45 . 2008-07-29 22:42 -------- d-----w- c:\program files\SIM Edit Tool
2009-06-29 16:12 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-27 14:44 . 2009-06-27 14:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 14:43 . 2009-06-27 14:43 152576 ----a-w- c:\documents and settings\sarah g.SARAH.000\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-27 14:39 . 2009-06-27 14:40 38208 ----a-w- c:\documents and settings\sarah g.SARAH.000\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-21 21:14 . 2008-05-10 03:02 -------- d-----w- c:\program files\Java
2009-06-19 14:05 . 2009-06-19 14:05 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 20:50 . 2008-11-17 15:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads
2009-06-09 13:38 . 2009-06-09 13:38 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-09 13:38 . 2008-08-07 22:28 -------- d-----w- c:\documents and settings\sarah g.SARAH.000\Application Data\Apple Computer
2009-06-05 21:43 . 2009-06-05 21:43 69632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 4.30.17.0\SetupAdmin.exe
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-08-04 21:41 . 2009-06-27 13:29 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.


Re: virus/malware

Post by sarah1215 on 6th August 2009, 4:03 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.


Re: virus/malware

Post by sarah1215 on 6th August 2009, 4:04 pm



Re: virus/malware

Post by sarah1215 on 6th August 2009, 4:06 pm

- 2004-08-04 10:00 . 2004-08-04 10:00 19456 c:\windows\system32\shutdown.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 19456 c:\windows\system32\shutdown.exe
- 2004-08-04 10:00 . 2004-08-04 10:00 27648 c:\windows\system32\shscrap.dll
+ 2004-08-04 10:00 . 2008-04-14 00:12 27648 c:\windows\system32\shscrap.dll
+ 2004-08-04 10:00 . 2008-04-14 00:12 77824 c:\windows\system32\shrpubw.exe
- 2004-08-04 10:00 . 2004-08-04 10:00 77824 c:\windows\system32\shrpubw.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 45056 c:\windows\system32\shmgrate.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 65024 c:\windows\system32\shimeng.dll
+ 2004-08-04 10:00 . 2008-04-14 00:12 68096 c:\windows\system32\shgina.dll
- 2004-08-04 10:00 . 2004-08-04 10:00 68096 c:\windows\system32\shgina.dll
- 2004-08-04 10:00 . 2004-08-04 10:00 25088 c:\windows\system32\shfolder.dll
+ 2004-08-04 10:00 . 2008-04-14 00:12 25088 c:\windows\system32\shfolder.dll
+ 2008-09-18 00:38 . 2008-04-14 00:12 32768 c:\windows\system32\setupn.exe

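Reading a ComboFix snapshot comparison like the one quoted above is easier per file than per line: a path that shows up once with "-" (the earlier snapshot) and once with "+" (the current snapshot) is a file that was replaced, a "+" on its own is a new file, a "-" on its own is a deleted one. The script below is an added example (the editor's, not ComboFix's or this forum's code) that pairs the entries by path and then groups the replaced files by their new modification timestamp. The line layout "sign created . modified size path", and the reading of the first timestamp as creation time and the second as last-modified time, are assumptions about the log format, not something the page documents. The sample lines are copied from the post above; run on them, the replacements collapse onto a single new timestamp, 2008-04-14 00:12, which is the pattern of a bulk system update such as a service pack rather than of scattered tampering, and the script separately flags spmsg.dll, whose new timestamp is older than the one it replaced. That alone proves nothing, but it is the kind of entry an analyst checks by hand instead of reading thousands of lines.

```python
"""Pair '+'/'-' entries from a ComboFix snapshot comparison and group the
replaced files by their new modification timestamp.

Added example (editor's code, not ComboFix's). Assumed line layout:
    <+|-> <created> . <modified> <size> <path>
Treating the first timestamp as creation time and the second as
last-modified time is an assumption about the log format.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<sign>[+-])\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<path>\S.*)$"
)

# Constructed sample: a handful of lines copied from the log quoted above.
SAMPLE = """\
+ 2008-05-16 10:53 . 2008-04-14 00:12 74752 c:\\windows\\system32\\storprop.dll
+ 2009-08-06 00:12 . 1996-01-12 21:00 24576 c:\\windows\\system32\\STKIT432.DLL
- 2004-08-04 10:00 . 2004-08-04 10:00 14848 c:\\windows\\system32\\stimon.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 14848 c:\\windows\\system32\\stimon.exe
- 2004-08-04 10:00 . 2005-06-10 23:53 57856 c:\\windows\\system32\\spoolsv.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 57856 c:\\windows\\system32\\spoolsv.exe
- 2008-11-13 05:53 . 2008-07-08 13:02 17272 c:\\windows\\system32\\spmsg.dll
+ 2008-11-13 05:53 . 2007-11-30 11:18 17272 c:\\windows\\system32\\spmsg.dll
"""


def parse(text):
    """Return {lower-cased path: {'+': entry, '-': entry}}.

    Lines that do not look like snapshot entries are skipped."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        entries[d["path"].lower()][d["sign"]] = d
    return entries


def classify(entries):
    """Split entries into replaced (both signs), added ('+' only)
    and removed ('-' only)."""
    replaced, added, removed = {}, {}, {}
    for path, versions in entries.items():
        if "+" in versions and "-" in versions:
            replaced[path] = (versions["-"], versions["+"])
        elif "+" in versions:
            added[path] = versions["+"]
        else:
            removed[path] = versions["-"]
    return replaced, added, removed


def group_by_new_mtime(replaced):
    """Count replaced files per new modification timestamp.

    One timestamp covering nearly everything is the signature of a bulk
    update (service pack, large hotfix); scattered timestamps deserve
    a closer look."""
    counts = defaultdict(int)
    for _old, new in replaced.values():
        counts[new["modified"]] += 1
    return dict(counts)


def downgraded(replaced):
    """Replaced files whose new modification time is OLDER than the one
    they replaced. 'YYYY-MM-DD HH:MM' strings compare correctly as text."""
    return sorted(path for path, (old, new) in replaced.items()
                  if new["modified"] < old["modified"])


if __name__ == "__main__":
    rep, add, rem = classify(parse(SAMPLE))
    print("replaced:", len(rep), "added:", len(add), "removed:", len(rem))
    print("new mtimes:", group_by_new_mtime(rep))
    print("downgraded:", downgraded(rep))
```

To use it on a full log, read the file and pass its text to parse(); everything that is not a snapshot line is ignored, so the whole ComboFix log can be fed in unchanged.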

Re: virus/malware

Post by sarah1215 on 6th August 2009, 4:13 pm

I will be here all day posting it! It is pages and pages long. Is there an easier way? I don't know why it is so long. That is only some of it that I posted.


Re: virus/malware

Post by sarah1215 on 6th August 2009, 4:55 pm

[You must be registered and logged in to see this link.]
MD5: 75EC90CCCA16BD75EA5C05293316523D

Here is a link to it.


Re: virus/malware

Post by sarah1215 on 6th August 2009, 4:57 pm

It seems to be running OK now. I'm not getting any more pop-ups. I will know for sure if I am on the internet a little longer to tell.


Re: virus/malware

Post by Belahzur on 6th August 2009, 6:29 pm

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: virus/malware

Post by sarah1215 on 6th August 2009, 7:16 pm

It's driving me crazy, I am still getting IE ad pop-ups. I did not get the Windows Explorer message saying my computer is infected, so that's good. But I still think the virus is there. When I do a Google search, I get results to download Antispyware 2009 and still get redirected to this:
[You must be registered and logged in to see this link.]


Re: virus/malware

Post by sarah1215 on 6th August 2009, 7:17 pm

Should I wait to do that last step since the virus is still there?


Re: virus/malware

Post by Origin on 6th August 2009, 7:39 pm

Run a Malwarebytes full scan and post the results back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: virus/malware

Post by sarah1215 on 6th August 2009, 9:10 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2566
Windows 5.1.2600 Service Pack 3

8/6/2009 4:49:26 PM
mbam-log-2009-08-06 (16-49-26).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 242953
Time elapsed: 37 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 56

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\1E.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0072706.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0072706 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f7be9ec.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\1E.tmp (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\sarah g.SARAH.000\Local Settings\temp\_A00F7BE9EC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\sarah g.SARAH.000\LOCALS~1\temp\6.tmp.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\3.tmp.vir (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP475\A0063879.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045264.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045257.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045268.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045269.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045271.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045273.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045274.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045275.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045277.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045278.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045279.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045280.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP415\A0045281.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP420\A0045680.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP461\A0062756.DLL (Adware.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062811.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062818.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062822.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062823.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062825.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062827.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062828.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062829.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062830.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062831.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP466\A0062832.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP467\A0063774.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP467\A0063775.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP467\A0063777.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP467\A0063778.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP467\A0063780.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB73696F-3811-48E4-B049-40D6F55838F7}\RP467\A0063781.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\245.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\245.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\246.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\246.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\247.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\247.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\248.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\248.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\249.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\249.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\250.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\250.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\251.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\251.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\252.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86\252.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0072706.dat (Trojan.Vundo) -> Delete on reboot.

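What a log like the one above actually says is easier to see once it is summarised. The script below is an added example (the editor's code, not Malwarebytes') that parses a Malwarebytes' Anti-Malware 1.x log and reports detections by section, family and action, the items marked "Delete on reboot" (the file was in use, here loaded as a memory module, so it stays on disk until the machine restarts and the machine is not clean before then), and the registry entries, which are the autostart hooks that reload the payload and are the first thing to verify on a rescan. The line layout "item (Family) -> action." is taken from the quoted log; the sample embedded in the script is a trimmed copy of that log.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM 1.x) log.

Added example (editor's code, not Malwarebytes'). Assumed layout of a
detection line, taken from the log quoted above:
    <item> (<Family>) -> <action>.
"""
import re
from collections import Counter

DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")

# Constructed sample: a trimmed copy of the log quoted in the post above.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.40
Database version: 2566

Memory Modules Infected:
C:\\WINDOWS\\system32\\3.tmp (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\__c0072706.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\__c0072706 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\system32\\SystemX86\\245.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\3.tmp (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\__c0072706.dat (Trojan.Vundo) -> Delete on reboot.
"""


def parse_mbam(text):
    """Yield (section, item, family, action) for every detection line.

    The summary counts at the top of a real log ("Files Infected: 56")
    do not end in 'Infected:' and appear before any section, so they
    are ignored along with the scan metadata."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECT_RE.match(line)
        if m:
            yield (section, m.group("item"), m.group("family"), m.group("action"))


def summarise(text):
    """Counts per section, detection family and action taken."""
    hits = list(parse_mbam(text))
    return {
        "total": len(hits),
        "by_section": Counter(h[0] for h in hits),
        "by_family": Counter(h[2] for h in hits),
        "by_action": Counter(h[3] for h in hits),
    }


def pending_reboot(text):
    """Items MBAM could not remove while running (file in use, typically
    loaded as a module). Removal is scheduled for the next restart, so
    until then the sample is still present. Deduplicated, case-folded."""
    seen = {}
    for _sec, item, family, action in parse_mbam(text):
        if action.startswith("Delete on reboot"):
            seen.setdefault(item.lower(), (item, family))
    return sorted(seen.values())


def persistence_entries(text):
    """Registry detections: Run values and Winlogon\\Notify packages are
    how the payload gets reloaded at logon, so a clean registry section
    on the post-reboot rescan is what confirms the cleanup held."""
    return [(item, family) for sec, item, family, _a in parse_mbam(text)
            if sec.startswith("Registry")]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("total:", s["total"])
    print("by family:", dict(s["by_family"]))
    print("by action:", dict(s["by_action"]))
    print("pending reboot:", pending_reboot(SAMPLE_LOG))
    print("persistence:", persistence_entries(SAMPLE_LOG))
```

On the full log quoted above the same functions list 3.tmp, 1E.tmp and __c0072706.dat as pending reboot, which is why a rescan after restarting is the meaningful check rather than this first run.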

Re: virus/malware

Post by Belahzur on 6th August 2009, 11:33 pm

How is the machine running now?



Re: virus/malware

Post by sarah1215 on 7th August 2009, 12:05 am

It's OK as of right now, but it usually starts again when I am on the computer for a while. I will post back and let you know. I thank you so much for all your help!


Re: virus/malware

Post by sarah1215 on 7th August 2009, 1:09 am

So far no crazy pop-ups, but the Antivirus 2009 still shows up in Google searches where the sponsored links are.


Re: virus/malware

Post by sarah1215 on 7th August 2009, 10:15 am

It was doing OK till this morning, when something called net scan started scanning my computer.


Re: virus/malware

Post by Belahzur on 7th August 2009, 6:15 pm

Rescan with ComboFix AGAIN and upload the log to RapidShare.



Re: virus/malware

Post by sarah1215 on 7th August 2009, 8:34 pm

[You must be registered and logged in to see this link.]
MD5: 90498D1A11DFF7A847FB59D376E365AC


Re: virus/malware

Post by Belahzur on 7th August 2009, 11:33 pm

That looks like it should have removed it again.
You are possibly visiting a bad site; that's why it came back.



Re: virus/malware

Post by sarah1215 on 8th August 2009, 12:44 am

But I only go on Google for searches or Facebook. I don't really use the computer for anything else. All the pop-up ads I get are from Internet Explorer when I am on Firefox. The other things are Windows pop-ups with messages saying my computer is infected, trying to get me to buy stuff like the Antispyware 2009.


Re: virus/malware

Post by Origin on 8th August 2009, 12:46 am

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Re: virus/malware

Post by sarah1215 on 8th August 2009, 12:58 am

GooredFix by jpshortstuff (12.07.09)
Log created at 20:57 on 07/08/2009 (sarah g)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [13:29 27/06/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [14:44 27/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"myspacefftb@myspace.com"="C:\Program Files\MySpace\Toolbar\1.0.28.0_1\" []
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:14 21/06/2009]

-=E.O.F=-


Re: virus/malware

Post by Origin on 8th August 2009, 1:00 am

I don't see any sign of infection. Do the following; I want to make sure there isn't anything left:

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


