winifighter


winifighter

Post by FREDDYELL on 6th August 2009, 11:37 am

Having received a warning of being unprotected, I thought I was downloading a Windows [Microsoft] file to eradicate this. It evidently turned out to be this WiniFighter software. After having done this it started opening warning pop-ups re infections etc., and I did a search and found your site.

Prior to this [which I'll also open in a new topic] I have had several blue screens with the following codes:

  • 230709 23:58 0x50 netid
  • 170709 10:34 0x7f_d_mfehid......
  • 130709 10:27 0x8e_mpfp+7482...
  • 080609 13:05 fault bucket IP_misaligned_ntfs.sys
  • 050609 7:47 0x24_ntfschangeattributevalue_+2GA....

These stop me from automatically updating Windows and McAfee and from backing up files, and also stop downloads from web sites including Windows and SuperAntiSpyware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:09, on 06/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
c:\Users\Peter\Downloads\winlogon hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MediaBarFileManager] C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [EPGServiceTool] C:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [setup2.exe] C:\Users\Peter\AppData\Local\Temp\setup2.exe
O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe -min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC863B08-197D-4966-BD12-011CE8A56626}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS5\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: Google Update Service (gupdate1c9b388460b2a0) (gupdate1c9b388460b2a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WiniFighter Security Service (WiniFighterSvc) - Unknown owner - C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe

--
End of file - 9371 bytes

FREDDYELL
Novice

Posts : 8
Joined : 2009-08-06
OS : Vista
Points : 26844
Likes : 0

Re: winifighter

Post by Belahzur on 6th August 2009, 2:45 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [setup2.exe] C:\Users\Peter\AppData\Local\Temp\setup2.exe
    O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe -min
    O17 - HKLM\System\CCS\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC863B08-197D-4966-BD12-011CE8A56626}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS1\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS2\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS5\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O23 - Service: WiniFighter Security Service (WiniFighterSvc) - Unknown owner - C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe


  • Press "Fix Checked"
  • Close HijackThis.

Next,
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1
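The lines Belahzur singles out are the ones a practitioner would flag when reading a HijackThis log by hand: the O17 entries show every interface GUID and every ControlSet copy (CCS, CS1, CS2, CS5) pointing at the same pair of resolvers, 85.255.112.80 and 85.255.112.168, an address range that is not an ISP assignment (85.255.112.0/20 was later published among the DNSChanger rogue-resolver ranges); the O4 entry launches setup2.exe straight out of the user's Temp folder; and the O23 WiniFighter service has no publisher. The script below, added here as an example and not part of the thread, HijackThis or ComboFix, encodes those three checks over the posted log lines (embedded as the sample input). The trusted resolver set 192.168.1.1 is a hypothetical home-router address. Note the caveat the sample makes visible: "Unknown owner" alone is a weak signal, because the McAfee SiteAdvisor service in this same log also shows it, so that check should rank below the DNS and Temp-folder checks when reading the output.

```python
import re
from ipaddress import ip_address

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [setup2.exe] C:\Users\Peter\AppData\Local\Temp\setup2.exe
O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe -min
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: WiniFighter Security Service (WiniFighterSvc) - Unknown owner - C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe
"""

# Hypothetical: the resolvers this machine is expected to use (a home router here).
TRUSTED_DNS = {"192.168.1.1"}

# One pattern per HijackThis section we care about.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>[\d.,]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Locations from which nothing legitimate should be started at logon.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return (section, item, detail) tuples for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            # Each NameServer value may list several resolvers; check each one.
            for server in m["servers"].split(","):
                try:
                    trusted = str(ip_address(server)) in trusted_dns
                except ValueError:          # not even a valid address
                    trusted = False
                if not trusted:
                    findings.append(("O17", server, m["key"]))
            continue
        m = O4_RE.match(line)
        if m:
            if any(marker in m["cmd"].lower() for marker in TEMP_MARKERS):
                findings.append(("O4", m["name"], m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(("O23", m["name"], m["path"]))
    return findings


def summarize(findings):
    """Collapse repeated hits (the same rogue resolver in every ControlSet) per section."""
    out = {}
    for section, item, _detail in findings:
        out.setdefault(section, set()).add(item)
    return out


if __name__ == "__main__":
    for section, item, detail in triage(SAMPLE_LOG):
        print(f"{section}: {item}  <- {detail}")
```

Run against the full log it reports the two rogue resolvers once per ControlSet and interface (nine O17 lines, eighteen hits, two distinct addresses), setup2.exe, and the two ownerless services. Fixing the O17 lines in HijackThis only clears the values in the registry; the resolver the machine actually uses should be confirmed afterwards with `ipconfig /all`, and the Windows Firewall line later in the ComboFix log (`"EnableFirewall"= 0`) is worth a look for the same reason.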

winifighter reply part 3 of 3

Post by FREDDYELL on 6th August 2009, 6:35 pm

THREE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Service_WiniFighterSvc


((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 16:53 . 2009-08-06 16:57 -------- d-----w- c:\users\Peter\AppData\Local\temp
2009-08-06 16:53 . 2009-08-06 16:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-06 16:53 . 2009-08-06 16:53 -------- d-----w- c:\users\Family\AppData\Local\temp
2009-07-20 23:40 . 2009-07-20 23:40 -------- d-----w- c:\program files\iPod
2009-07-20 23:40 . 2009-07-20 23:40 -------- d-----w- c:\program files\iTunes
2009-07-20 22:56 . 2009-07-20 22:56 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 10:29 . 2009-07-17 10:29 -------- d-----w- c:\program files\Coupon Printer
2009-07-17 10:29 . 2009-07-17 10:29 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-07-07 21:58 . 2009-07-07 21:58 -------- d-----w- c:\users\Peter\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-07-07 21:57 . 2009-07-07 21:57 -------- d-----w- c:\program files\BBC iPlayer Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 16:54 . 2008-12-04 15:23 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-06 10:11 . 2008-11-13 10:48 1 ----a-w- c:\users\Peter\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-30 15:21 . 2008-07-29 13:11 1356 ----a-w- c:\users\Peter\AppData\Local\d3d9caps.dat
2009-07-23 16:39 . 2008-07-30 17:09 41662 ----a-w- c:\users\Peter\AppData\Roaming\nvModes.dat
2009-07-20 23:40 . 2008-12-05 00:32 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 23:40 . 2008-12-05 00:32 -------- d-----w- c:\programdata\Apple Computer
2009-07-13 19:47 . 2008-07-30 19:48 -------- d-----w- c:\program files\Java
2009-07-10 08:57 . 2008-09-14 22:03 -------- d-----w- c:\program files\Virticon Millennium
2009-06-16 15:34 . 2008-07-31 19:44 -------- d-----w- c:\program files\Google
2009-06-15 14:48 . 2009-01-30 17:42 -------- d-----w- c:\program files\QuickTime
2009-06-13 08:32 . 2009-06-13 08:32 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb509E.tmp.exe
2009-06-08 13:06 . 2009-06-08 13:06 -------- d-----w- c:\users\Peter\AppData\Roaming\Malwarebytes
2009-06-08 13:06 . 2009-06-08 13:06 -------- d-----w- c:\programdata\Malwarebytes
2009-05-21 10:33 . 2008-12-03 11:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-09 05:50 . 2009-06-11 16:52 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 16:52 71680 ----a-w- c:\windows\system32\iesetup.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse"="c:\program files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe" [2007-03-06 212992]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"MediaBarFileManager"="c:\program files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe" [2007-06-25 30024]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"EPGServiceTool"="c:\progra~1\WinTV\EPG Services\System\EPGClient.exe" [2008-05-15 688128]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

c:\users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2009-4-7 110647]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E48E695E-757F-45E7-9E26-5DAD893558E1}"= UDP:c:\program files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{7DB69C50-14CD-4CF5-8D0A-50029A85BD89}"= TCP:c:\program files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{06D92161-69F3-448D-8E10-A8966C41E30C}"= UDP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{6F3B96D2-E51A-4861-9921-6697A01DCCE9}"= TCP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{7966196E-A629-4817-A36D-C9EE02A6E850}"= UDP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{BD1DE243-98B1-4505-91A5-22717675F17A}"= TCP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{869342DA-9BF6-43FF-8244-89666691AA1B}"= UDP:990:LocalSubnet:LocalSubnet|IF={EC3A455E-04C2-4EA5-96D4-A7AFE9DF8041}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{A5E43CC7-4066-48F2-B1A8-DE8A781D878D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C60CDA06-71D5-4D8E-A8BA-BC5059F60939}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{E5E07D79-1C59-4F62-A4A6-BFA9D4C1EBD0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E80E6618-C9D3-4658-81C6-99900925393B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DD82058B-0CDF-4D45-9896-64DAB2C0D405}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8D1CB9E1-496D-4844-BDAE-273F221C9B4D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [07/04/2009 11:09 437248]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe [28/02/2007 19:12 208896]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [17/03/2009 13:00 210216]
S2 gupdate1c9b388460b2a0;Google Update Service (gupdate1c9b388460b2a0);c:\program files\Google\Update\GoogleUpdate.exe [02/04/2009 12:41 133104]
S3 hcw66xxx;WinTV HVR-900H;c:\windows\System32\drivers\hcw66xxx.sys [07/04/2009 11:01 420096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 11:41]

2009-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 11:41]

2009-03-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-17 10:53]

2009-03-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-17 10:53]

2009-08-06 c:\windows\Tasks\User_Feed_Synchronization-{1923B4D2-3EC8-476A-BB45-325A84424E6C}.job
- c:\windows\system32\msfeedssync.exe [2009-05-13 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-06 17:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2160)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\windows\System32\rundll32.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
.
**************************************************************************
.
Completion time: 2009-08-06 18:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 17:04

Pre-Run: 62,967,402,496 bytes free
Post-Run: 64,168,984,576 bytes free

931 --- E O F --- 2009-06-21 18:47


Re: winifighter

Post by FREDDYELL on 6th August 2009, 6:36 pm

TWO

c:\windows\system32\1z3ethreat31695.ocx
c:\windows\system32\1z75995rm5a4.ocx
c:\windows\system32\1zdc9ddwa5e1869.bin
c:\windows\system32\1zf5vir479.ocx
c:\windows\system32\20b2s5y9are19z0.cpl
c:\windows\system32\21099wozm655.ocx
c:\windows\system32\212315ro91ez.dll
c:\windows\system32\2153zot-a-vir9s3f.cpl
c:\windows\system32\2189not-a-vi5us719z.ocx
c:\windows\system32\21c55hreatz58639.bin
c:\windows\system32\2282b5czdoor397.dll
c:\windows\system32\22894spy5z9.exe
c:\windows\system32\22956tzoj539.exe
c:\windows\system32\22z8hackto5l5999.ocx
c:\windows\system32\233449pazbot5b9.dll
c:\windows\system32\23658hzcktool7529.ocx
c:\windows\system32\239z9s9y6775.cpl
c:\windows\system32\2424ztro965f.cpl
c:\windows\system32\2458th5e950z.dll
c:\windows\system32\24694no5-a-virus6ez.ocx
c:\windows\system32\2476z9pambo5205.exe
c:\windows\system32\25318troz5729.cpl
c:\windows\system32\253z59orm44c.bin
c:\windows\system32\254z1wo9m58a.exe
c:\windows\system32\25600spam5ot4z49.cpl
c:\windows\system32\2599tzoj75f.exe
c:\windows\system32\25f7threatz095.cpl
c:\windows\system32\26025woz9477.dll
c:\windows\system32\26418wz5m769.dll
c:\windows\system32\26520wormz389.bin
c:\windows\system32\26z58virus3759.exe
c:\windows\system32\27156not-a-virusz99.exe
c:\windows\system32\27309hack5oolz17.cpl
c:\windows\system32\2731h5cktzol59.ocx
c:\windows\system32\27375troj39az.dll
c:\windows\system32\27418not-a-vi5us7z79.ocx
c:\windows\system32\275z2not-a-vi5us49d.dll
c:\windows\system32\277359roj47z.ocx
c:\windows\system32\2799worm5az5.ocx
c:\windows\system32\279z4sp5mbot59e.exe
c:\windows\system32\28199spa5bzt2d2.ocx
c:\windows\system32\290z5not-a-vi9us54c.cpl
c:\windows\system32\294zspa59e1483.ocx
c:\windows\system32\295415zoj7fa.exe
c:\windows\system32\2956back9oor1500z.cpl
c:\windows\system32\29575s5y997z.bin
c:\windows\system32\2975z9roj3e1.ocx
c:\windows\system32\2990sz9ware1555.ocx
c:\windows\system32\29951spambot6f5z.ocx
c:\windows\system32\299zaddware2535.cpl
c:\windows\system32\29c7adz59re2348.ocx
c:\windows\system32\29z59ir378.bin
c:\windows\system32\2a2et9izf925.ocx
c:\windows\system32\2a95add9ar577z.bin
c:\windows\system32\2bc3spar9e567z.exe
c:\windows\system32\2cacba9kdzor8195.cpl
c:\windows\system32\2d119hi5fz05.exe
c:\windows\system32\2eb5zir13239.ocx
c:\windows\system32\2ee6s5ywarz1695.exe
c:\windows\system32\2z597spy3b5.ocx
c:\windows\system32\2z95spy3d9.dll
c:\windows\system32\2z98495ojf9.cpl
c:\windows\system32\2zf5vir169.bin
c:\windows\system32\30z4addw59e715.exe
c:\windows\system32\31250w9r53z6.dll
c:\windows\system32\31751not-z5vi9us307.dll
c:\windows\system32\31819no5-a-vir9s1zd.cpl
c:\windows\system32\31910not-az59rus5c.bin
c:\windows\system32\31z45virus795.exe
c:\windows\system32\32269zroj275.cpl
c:\windows\system32\325019ackzool5d6.ocx
c:\windows\system32\3259hizf2425.bin
c:\windows\system32\328azac9do5r2059.exe
c:\windows\system32\33185zarse1999.bin
c:\windows\system32\3398zd5ware9293.bin
c:\windows\system32\33aethre9tz5434.dll
c:\windows\system32\3516s5arze1793.bin
c:\windows\system32\353ztro958a.ocx
c:\windows\system32\3568vi541z9.exe
c:\windows\system32\35936spambot4zc.bin
c:\windows\system32\359509ozmb8.bin
c:\windows\system32\3666downl9ader3z645.bin
c:\windows\system32\3868stz9l5756.bin
c:\windows\system32\38z5vir39.exe
c:\windows\system32\3990bacz5oor1671.dll
c:\windows\system32\3993ad5ware2z56.bin
c:\windows\system32\39eeszar5e2909.bin
c:\windows\system32\39efsz9war51624.cpl
c:\windows\system32\39z9tr5j22d.bin
c:\windows\system32\3ad0t5ief9690z.exe
c:\windows\system32\3z0275p9mbot75b.dll
c:\windows\system32\3z2245rojb39.exe
c:\windows\system32\3z88do9nloader2352.exe
c:\windows\system32\3za4ba9kdoor2550.ocx
c:\windows\system32\4007v9ru5zb.dll
c:\windows\system32\41z59hief1396.exe
c:\windows\system32\4289th5ef7z6.exe
c:\windows\system32\432ddownload9r253z.ocx
c:\windows\system32\4382ad95arz1762.cpl
c:\windows\system32\449ebackz5or2908.dll
c:\windows\system32\45089parse298z.cpl
c:\windows\system32\45259pzrse1510.bin
c:\windows\system32\4831h9zkt5ol7ab.dll
c:\windows\system32\484zad5ware3039.bin
c:\windows\system32\4909tzief2551.dll
c:\windows\system32\4979thi5f296z.cpl
c:\windows\system32\499zaddw5re2690.bin
c:\windows\system32\49zadownloade51573.bin
c:\windows\system32\4d5threatz52039.bin
c:\windows\system32\4d9fv9r3z215.bin
c:\windows\system32\4f5fspzrse9409.ocx
c:\windows\system32\50334zroj3889.cpl
c:\windows\system32\50669acktzol575.cpl
c:\windows\system32\507289orm63z.dll
c:\windows\system32\5079dow9loazer3078.ocx
c:\windows\system32\50dest9zl1688.exe
c:\windows\system32\50e5zhreat24659.bin
c:\windows\system32\50z2hackto9l45.exe
c:\windows\system32\519zth5eat28519.bin
c:\windows\system32\51c3bzckdoor5190.exe
c:\windows\system32\51z5vi92962.exe
c:\windows\system32\52379pazbot6b35.exe
c:\windows\system32\52385ownloazer94.bin
c:\windows\system32\52459not9a-vizusef.ocx
c:\windows\system32\5259t59efz505.exe
c:\windows\system32\529c9zyware5334.exe
c:\windows\system32\52c2azdw5re2590.bin
c:\windows\system32\52cdt9izf1645.cpl
c:\windows\system32\5345s9y336z.ocx
c:\windows\system32\5359thiez24899.dll
c:\windows\system32\53805not-a-vi9usz1.cpl
c:\windows\system32\5395troj7ze.ocx
c:\windows\system32\53aeaddware1895z.exe
c:\windows\system32\53c7t5iez2297.dll
c:\windows\system32\53dcspars92578z.bin
c:\windows\system32\53e9szea9877.cpl
c:\windows\system32\544z9hi5f866.ocx
c:\windows\system32\545ez5r996.dll
c:\windows\system32\5507zot-a-viru91fc.exe
c:\windows\system32\5519spyz99.dll
c:\windows\system32\55429pazse273.bin
c:\windows\system32\5559addware269z5.dll
c:\windows\system32\5595thief5z2.exe
c:\windows\system32\55b29hreat31z40.ocx
c:\windows\system32\55z09hreat21850.exe
c:\windows\system32\55zbsteal1093.cpl
c:\windows\system32\563f9ir12z9.exe
c:\windows\system32\5651spar9e2z50.bin
c:\windows\system32\5655sparse9561z.ocx
c:\windows\system32\5679n5tza-virusf2.ocx
c:\windows\system32\56cthief1z9.ocx
c:\windows\system32\572559izus605.dll
c:\windows\system32\57409tr9z79.cpl
c:\windows\system32\57z4sp92cf.bin
c:\windows\system32\58428spambot92z.cpl
c:\windows\system32\585b5tez92105.bin
c:\windows\system32\58677szy5f9.cpl
c:\windows\system32\58789hacktooz62c.bin
c:\windows\system32\58z4s95al1987.bin
c:\windows\system32\592zthief2768.ocx
c:\windows\system32\59622hazktool778.ocx
c:\windows\system32\59baspyzare25.exe
c:\windows\system32\59fathie5292z.ocx
c:\windows\system32\59zbackdoor708.exe
c:\windows\system32\5a14zpywar5769.dll
c:\windows\system32\5azv9r7255.ocx
c:\windows\system32\5ba9threat9152z.cpl
c:\windows\system32\5c49addware1z98.ocx
c:\windows\system32\5c69downloadzr5459.dll
c:\windows\system32\5c8bsza9se5520.exe
c:\windows\system32\5cfzdow9loader1823.bin
c:\windows\system32\5d01vir89z.ocx
c:\windows\system32\5d4895eaz1913.bin
c:\windows\system32\5db0spywzre9231.dll
c:\windows\system32\5e06stea91484z.cpl
c:\windows\system32\5e469ackd5or16z7.exe
c:\windows\system32\5fdzsparse3599.cpl
c:\windows\system32\5zb5thie922435.cpl
c:\windows\system32\60fcspaz591152.bin
c:\windows\system32\617bz9a5se221.exe
c:\windows\system32\6241not-a-vi9zs7105.cpl
c:\windows\system32\629backzoo914185.bin
c:\windows\system32\6379down9zader8165.ocx
c:\windows\system32\63e9bzckdoor577.bin
c:\windows\system32\6498t5ief1z99.cpl
c:\windows\system32\64z2th5eat19489.bin
c:\windows\system32\6596ste5l21z1.cpl
c:\windows\system32\65b8s9eaz5953.cpl
c:\windows\system32\65zcthief977.dll
c:\windows\system32\6691azdware17335.bin
c:\windows\system32\68e25ackdoo9203z.ocx
c:\windows\system32\6989downlozder584.ocx
c:\windows\system32\69eesp5rse1z01.cpl
c:\windows\system32\6bdcthrea916995z.bin
c:\windows\system32\6c49downloader3z95.dll
c:\windows\system32\6z8bdownlo9de51131.dll
c:\windows\system32\701sparse15z59.exe
c:\windows\system32\7090thi5fz245.bin
c:\windows\system32\70ffaddwa951857z.exe
c:\windows\system32\7165zorm7a9.exe
c:\windows\system32\7295v9rzs69.ocx
c:\windows\system32\74bzs5arse953.dll
c:\windows\system32\7522sz5ware69.ocx
c:\windows\system32\7542troz960.ocx
c:\windows\system32\7559ba5kdoorz95.ocx
c:\windows\system32\7571hazkt9ol3725.bin
c:\windows\system32\75979zrm5c6.exe
c:\windows\system32\7599zackdoor948.dll
c:\windows\system32\7628hzcktoo9652.cpl
c:\windows\system32\76efthzea925681.exe
c:\windows\system32\7791zo5m6a9.ocx
c:\windows\system32\7803wo9552z.ocx
c:\windows\system32\7949spyw9re50z8.exe
c:\windows\system32\79535hief8z3.bin
c:\windows\system32\7955stzal930.exe
c:\windows\system32\795bback9oor1725z.dll
c:\windows\system32\7963z5rus549.cpl
c:\windows\system32\79z4steal2715.ocx
c:\windows\system32\7aa8dow5lzade91342.ocx
c:\windows\system32\7dbcback9o5z1626.ocx
c:\windows\system32\7dz5back9o5r3211.exe
c:\windows\system32\7f3bbackdoz9524.cpl
c:\windows\system32\7f65threaz29659.exe
c:\windows\system32\806zh9ckt5ol581.ocx
c:\windows\system32\81109o5m79z.bin
c:\windows\system32\8381vz5us429.cpl
c:\windows\system32\841sparze55039.bin
c:\windows\system32\8596sp9mbot6z35.cpl
c:\windows\system32\8597not-azvirus5b1.ocx
c:\windows\system32\90d5azdwa5e2476.dll
c:\windows\system32\913threa9252z0.bin
c:\windows\system32\9175downl5adez1730.ocx
c:\windows\system32\92263nzt-5-virus34d.exe
c:\windows\system32\9235hazktoola8.cpl
c:\windows\system32\927z2spambot1955.dll
c:\windows\system32\93121wzr576e.dll
c:\windows\system32\9481downloazer595.ocx
c:\windows\system32\94z5troj757.dll
c:\windows\system32\94zest5al2017.bin
c:\windows\system32\95278vzrus52a.exe
c:\windows\system32\953athief1z66.cpl
c:\windows\system32\95543spzmbot1bd.cpl
c:\windows\system32\9559zhack5ool625.dll
c:\windows\system32\95fbdownloadzr1604.dll
c:\windows\system32\95vi59s6z3.ocx
c:\windows\system32\9605vi9us2z8.dll
c:\windows\system32\9941zhackt5ol4a5.dll
c:\windows\system32\9a5thr95z29360.exe
c:\windows\system32\9f9bac9door352z.ocx
c:\windows\system32\9z244sp5mbot726.cpl
c:\windows\system32\9z5threa931288.cpl
c:\windows\system32\a359pazse683.bin
c:\windows\system32\c1fd5wnloa9er25z6.dll
c:\windows\system32\c6z9p5ware76.cpl
c:\windows\system32\cdc9hief53z1.cpl
c:\windows\system32\d3dth5eat13z98.dll
c:\windows\system32\dc5b59kdoor2012z.bin
c:\windows\system32\ddf5pywar92z39.exe
c:\windows\system32\drivers\MSIVXdpqbcsmqsitfdmpimiitovpwixytxtkv.sys
c:\windows\system32\e3aste9l159z.dll
c:\windows\system32\ezcbac9door5830.ocx
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXcrjdvhxvebuflvsrnoufeojopbwvisfm.dll
c:\windows\system32\MSIVXebwqeilcreenaenpxvjomwqtxwhtreob.dll
c:\windows\system32\setup2.exe
c:\windows\system32\z0568hackt95l2c4.cpl
c:\windows\system32\z0958troj24b.bin
c:\windows\system32\z17539ro57fc.dll
c:\windows\system32\z1905spy597.ocx
c:\windows\system32\z1905worm7489.bin
c:\windows\system32\z1vir31995.bin
c:\windows\system32\z2309wo5m459.ocx
c:\windows\system32\z23spy9are5713.dll
c:\windows\system32\z24abackdoo52909.bin
c:\windows\system32\z259vir1733.exe
c:\windows\system32\z27759roj3d9.exe
c:\windows\system32\z4555wor9332.dll
c:\windows\system32\z4594virus753.exe
c:\windows\system32\z479thief1354.exe
c:\windows\system32\z50dspy9a5e546.dll
c:\windows\system32\z554worm2d9.cpl
c:\windows\system32\z5735no9-a-virus35e.exe
c:\windows\system32\z5950troj729.exe
c:\windows\system32\z5c1vir91925.bin
c:\windows\system32\z819h5cktool2bb.ocx
c:\windows\system32\z82915roj31a.bin
c:\windows\system32\z8598hack5o9l9c.dll
c:\windows\system32\z89vir957.ocx
c:\windows\system32\z91495eal1276.cpl
c:\windows\system32\z9753w5rm594.bin
c:\windows\system32\z9995ir884.cpl
c:\windows\system32\z9e4thi5f2959.bin
c:\windows\system32\za71sparse5009.exe
c:\windows\system32\zc20vir9351.bin
c:\windows\system32\zf1csp5ware9031.bin
c:\windows\system32\zf39steal8555.dll
c:\windows\system32\zf49back5oor996.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z0409pywa5e593.bin
c:\windows\z050virus5d9.ocx
c:\windows\z1601troj259.bin
c:\windows\z19avir21395.dll
c:\windows\z286hack9o5lfc.ocx
c:\windows\z3856vi9us753.exe
c:\windows\z3b49hre5t12311.cpl
c:\windows\z452addware1903.dll
c:\windows\z499v5rus1d2.bin
c:\windows\z6289not5a-virus556.bin
c:\windows\z67415iru9287.ocx
c:\windows\z723tro9685.bin
c:\windows\z7435pars92579.exe
c:\windows\z7754spam9ot556.exe
c:\windows\z799spar5e1468.ocx
c:\windows\z7bbackdoo93150.ocx
c:\windows\z8264not-5-v9rus2bf.bin
c:\windows\z895s9y4f05.cpl
c:\windows\z9090troj25.bin
c:\windows\z939ro5394.bin
c:\windows\z959steal1533.exe
c:\windows\z9a7vi95542.ocx
c:\windows\zbdaddware25579.exe
c:\windows\zc33b9ckdoor2548.dll
c:\windows\zde5addware8839.ocx


Re: winifighter

Post by FREDDYELL on 6th August 2009, 6:37 pm

ONE of Three

Thanks Belahzur - I followed the above instructions and ran ComboFix, which first found three errors in c:\windows\system32\MSIVX (letters of various types) with a .sys and two .dll extensions; then it got into the WiniFighter files.

Hope this is the end of the winifighter!!
Thanks again

I'll split this across two posts.

ONE
ComboFix 09-08-04.04 - Peter 06/08/2009 17:36.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.958.426 [GMT 1:00]
Running from: c:\users\Peter\Downloads\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\program files\WiniFighter Software
c:\program files\WiniFighter Software\WiniFighter\data.bin
c:\program files\WiniFighter Software\WiniFighter\license.txt
c:\program files\WiniFighter Software\WiniFighter\uninstall.exe
c:\program files\WiniFighter Software\WiniFighter\WiniFighter.exe
c:\program files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter\1 WiniFighter.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter\2 Homepage.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter\3 Uninstall.lnk
c:\users\Public\Desktop\WiniFighter.lnk
c:\windows\1020zspy95b.dll
c:\windows\10f79a5kdoor593z.dll
c:\windows\10z7not-a-9irus395.cpl
c:\windows\110athzef30915.dll
c:\windows\1119ztroj548.dll
c:\windows\11579wzrm62e.ocx
c:\windows\11zas95al309.bin
c:\windows\12049tzoj6c5.ocx
c:\windows\125z59p57e0.exe
c:\windows\12736ha5ktzo94e9.bin
c:\windows\13349hzckt5oled.cpl
c:\windows\1359zvir9s154.ocx
c:\windows\135zsparse2889.dll
c:\windows\139295ackt9ol51z.bin
c:\windows\140z5h9cktool57f.ocx
c:\windows\1455159z4cc.dll
c:\windows\1474back9oorz7755.exe
c:\windows\15255szy79f.exe
c:\windows\15285no9-z-virus551.cpl
c:\windows\15295sp935z.bin
c:\windows\15449v9zusc15.exe
c:\windows\1550zhackto9l550.exe
c:\windows\15544not-a-virus95cz.exe
c:\windows\1557b5ckdoo9z34.cpl
c:\windows\15696s9zmbot507.bin
c:\windows\156bv9r542z.cpl
c:\windows\158ebackdoz91799.bin
c:\windows\1591zworm2b9.ocx
c:\windows\159925zrus167.cpl
c:\windows\15994spyzd9.ocx
c:\windows\15bzspar9e1182.ocx
c:\windows\15z509roj56e.exe
c:\windows\15z66vir5s1079.bin
c:\windows\16955zroj96.exe
c:\windows\16989tr5j4fez.ocx
c:\windows\16997t9oj5z.exe
c:\windows\16z80vir596e7.dll
c:\windows\17594hackzool317.dll
c:\windows\17748viz9s55e.ocx
c:\windows\179tzief2495.ocx
c:\windows\179z3spy1d5.exe
c:\windows\17dz9ir2555.exe
c:\windows\1815acktool9zf.bin
c:\windows\18181w95m1zd.ocx
c:\windows\184z3tr9j58.cpl
c:\windows\186695ywarez628.dll
c:\windows\18dcd5w9zoader528.dll
c:\windows\18z58sp9mbot51e.exe
c:\windows\19119spz14b5.exe
c:\windows\19321h5cktozl23e.exe
c:\windows\19432z592aa.dll
c:\windows\19514szy266.dll
c:\windows\19532trzj5879.ocx
c:\windows\1975zspambot581.exe
c:\windows\1979hacktoo521z.exe
c:\windows\19948spambo598z.ocx
c:\windows\19987not-9-vzrus548.dll
c:\windows\19z0thief2735.cpl
c:\windows\19z90worm185.bin
c:\windows\1b49z5dware30269.exe
c:\windows\1b56vir323z9.bin
c:\windows\1c8z5pyware996.bin
c:\windows\1z1sp9rse2956.exe
c:\windows\1z224viru5559.bin
c:\windows\1z352viru965c.exe
c:\windows\1z453spam5ot589.ocx
c:\windows\1z503ha9ktool1de.exe
c:\windows\1z556v9rus7ff.exe
c:\windows\1z8dstea9955.dll
c:\windows\2056zp9rse2826.cpl
c:\windows\20639wzrm1035.dll
c:\windows\20847sp95zot316.cpl
c:\windows\20z129irus245.bin
c:\windows\21185spambzt5919.ocx
c:\windows\21848no5-a-vi9usze.ocx
c:\windows\21d09ackdoorz065.exe
c:\windows\21db9t5alz24.cpl
c:\windows\22439ackdoor2z52.bin
c:\windows\2319sparse5z59.bin
c:\windows\2335zparse4079.bin
c:\windows\23390ha5ktooz95c.exe
c:\windows\23558not-a-zir5s96d.cpl
c:\windows\23f9v9z5756.exe
c:\windows\24051spzmbo9635.dll
c:\windows\240ct5rzat90699.bin
c:\windows\24345ddwa9e299z.exe
c:\windows\248559azktool503.exe
c:\windows\24899ackdoor50z.ocx
c:\windows\24929virus15az.bin
c:\windows\24z63tr9j589.ocx
c:\windows\25010zorm9975.bin
c:\windows\2524zworm35a9.ocx
c:\windows\25347not-5-v9zus312.cpl
c:\windows\2535zn9t-a-virus69b.ocx
c:\windows\254z4v9ru51be.dll
c:\windows\26200zi9u5367.bin
c:\windows\2627stea950z3.dll
c:\windows\26512zir5sf9.exe
c:\windows\26592zacktool5eb9.dll
c:\windows\268579izus5405.cpl
c:\windows\268bzpy9are925.exe
c:\windows\26971not-9-virusz45.ocx
c:\windows\26992zi5us438.cpl
c:\windows\27718t9oj58ez.cpl
c:\windows\279899roz55f.exe
c:\windows\27bbs5zware32439.dll
c:\windows\28075viruz493.cpl
c:\windows\2824z9py5f85.exe
c:\windows\288dspyw9ze2575.dll
c:\windows\2911zworm4549.ocx
c:\windows\295dszars5971.cpl
c:\windows\29869w9zm551.dll
c:\windows\29937not-a-ziru59e.exe
c:\windows\29cab5ckzoo91964.dll
c:\windows\2b1bthr9at15z945.exe
c:\windows\2dfadownloaderz529.bin
c:\windows\2z549spy24e9.ocx
c:\windows\2z99download5r2513.dll
c:\windows\30251z9y721.cpl
c:\windows\30490hack5zol32b.ocx
c:\windows\30690viru541z9.bin
c:\windows\3072not95-zirus64c.bin
c:\windows\3083b9ckdoor755z.bin
c:\windows\3105s9560ez.ocx
c:\windows\31459hacktozl698.ocx
c:\windows\31491haczto5lee.exe
c:\windows\3175z9orm2b9.cpl
c:\windows\31z91v5ru9b3.exe
c:\windows\32234w9rz215.exe
c:\windows\32392n5t9azvirus75c.dll
c:\windows\32504spam9oz53f.exe
c:\windows\3425v9z331.ocx
c:\windows\3508spywa9e32z1.cpl
c:\windows\351espar9e155z.bin
c:\windows\353bt9rzat54908.ocx
c:\windows\35d3dzwnl9ader422.cpl
c:\windows\35faspy9are9z6.dll
c:\windows\36d95tzal592.bin
c:\windows\37ez5ir9235.dll
c:\windows\3902no5-9-vzrus440.exe
c:\windows\3912t5reat253z8.dll
c:\windows\3949z9dware3504.dll
c:\windows\3955downloade519z2.exe
c:\windows\395bszyware2153.cpl
c:\windows\3994wo5mzf9.cpl
c:\windows\39d95hief2z47.bin
c:\windows\39z0vir2259.ocx
c:\windows\3be6t9rzat25345.cpl
c:\windows\3c9fzparse1965.ocx
c:\windows\3d62ste95705z.cpl
c:\windows\3dbeb5ckzoo9978.ocx
c:\windows\3de39ackzoo52285.dll
c:\windows\3z001wor9459.ocx
c:\windows\3z25s9y4fe.bin
c:\windows\3zd4downloade98135.cpl
c:\windows\4052wozm491.exe
c:\windows\40d5st9zl2640.bin
c:\windows\4109thi5f2934z.cpl
c:\windows\410esp95zre49.bin
c:\windows\42z8vir30559.ocx
c:\windows\431addw9ze1520.exe
c:\windows\4391spz257.dll
c:\windows\4535hac9tool25z.bin
c:\windows\4551downloa9ez2879.bin
c:\windows\4594zi5456.dll
c:\windows\4595steal15z8.bin
c:\windows\460zd9wnloade53116.exe
c:\windows\4639spazse1395.cpl
c:\windows\4673thze59436.exe
c:\windows\4955spambzt629.exe
c:\windows\49acbzc59oor888.bin
c:\windows\49b0adzwar924555.bin
c:\windows\49z7vir589.dll
c:\windows\49z9virus458.cpl
c:\windows\49zbsparse5000.cpl
c:\windows\4bfbzckdo9r251.ocx
c:\windows\4d159zr765.cpl
c:\windows\4d95vir9859z.ocx
c:\windows\4f04bac9zoor395.dll
c:\windows\4f25addw9rz5034.exe
c:\windows\4f935pywarz3259.ocx
c:\windows\500dthr5at1z759.dll
c:\windows\5017doz5loader2967.ocx
c:\windows\50735pzrse10959.cpl
c:\windows\5078az5war92165.ocx
c:\windows\507z6spam9ot523.dll
c:\windows\5089notza-9irus576.ocx
c:\windows\509bsparze1776.ocx
c:\windows\509cbaczdoor9658.cpl
c:\windows\50d9addware9z6.dll
c:\windows\50ebth59fz76.exe
c:\windows\5148stz9l326.dll
c:\windows\51dt95eat284z9.dll
c:\windows\52379spambzt90e.cpl
c:\windows\52619tr9jzb.cpl
c:\windows\53a9spyware9z4.dll
c:\windows\5419spyw9re8z4.ocx
c:\windows\54226z9y6b0.cpl
c:\windows\544z29acktool19f.cpl
c:\windows\54d2stez9688.ocx
c:\windows\5509thizf955.ocx
c:\windows\5576v9zus786.cpl
c:\windows\55dzvir5359.ocx
c:\windows\55eeza9kdoor5623.dll
c:\windows\55f0dz9n5oader2607.exe
c:\windows\560zackd9or2068.ocx
c:\windows\56916zroj25e.cpl
c:\windows\56982vizus98.cpl
c:\windows\56a5spywar92971z.ocx
c:\windows\56c2azdwar59739.dll
c:\windows\5785wor940cz.cpl
c:\windows\57959zpy765.ocx
c:\windows\5806zro9418.cpl
c:\windows\58345ir1z559.exe
c:\windows\5866st5az2972.ocx
c:\windows\5879steal53z4.exe
c:\windows\58f9spyw5re286z.exe
c:\windows\590z6spambot6b3.exe
c:\windows\591vi5uz780.bin
c:\windows\59266viruszfb.bin
c:\windows\59274z9ojef.exe
c:\windows\5939threat59z79.dll
c:\windows\593czackdoor992.exe
c:\windows\5951zhreat20848.exe
c:\windows\5959sparse25z4.exe
c:\windows\595z5spy75a.exe
c:\windows\596z9ackdoor1562.bin
c:\windows\5990azdware5225.bin
c:\windows\59923trojz6.ocx
c:\windows\5993hacztool35a9.exe
c:\windows\599bspzware356.dll
c:\windows\59a0baczd9or1328.ocx
c:\windows\59ccv5z2085.ocx
c:\windows\5a5fbackzo9r1751.dll
c:\windows\5b95virz848.cpl
c:\windows\5c52szarse229.cpl
c:\windows\5c78ad9wa5e112z.bin
c:\windows\5c7z9parse2838.cpl
c:\windows\5ca7st9al55z.cpl
c:\windows\5cc6sza9se159.bin
c:\windows\5cez9teal940.exe
c:\windows\5cfzthief1399.exe
c:\windows\5e24downloader192z9.exe
c:\windows\5e7zspywar9722.bin
c:\windows\5ed99hreat53z23.exe
c:\windows\5f2dthi5f95z7.cpl
c:\windows\5f70dow9loader137z.dll
c:\windows\5z3ds9yware1585.dll
c:\windows\5z41s9arse587.bin
c:\windows\5z56s9eal29405.ocx
c:\windows\5z9st9al1755.ocx
c:\windows\5zc9sparse292.cpl
c:\windows\5zdfthrea91372.dll
c:\windows\6070bac5d9zr3062.cpl
c:\windows\60f75ow9loader828z.dll
c:\windows\6122spar5z2759.exe
c:\windows\6196downlo5der3z74.bin
c:\windows\6212th9eat59z1.bin
c:\windows\62f2sp95sez91.ocx
c:\windows\6394do9nlozd5r2621.exe
c:\windows\644d5hre9t5z21.exe
c:\windows\652zhief4359.exe
c:\windows\6544t5zj289.ocx
c:\windows\6571sparze9595.exe
c:\windows\658spazse499.cpl
c:\windows\65fa9parsez652.exe
c:\windows\66z9downloade52207.dll
c:\windows\6920wz5me6.exe
c:\windows\6937zparse29045.dll
c:\windows\69z6spywar52540.cpl
c:\windows\6a0edo9nl5aderz509.ocx
c:\windows\6a54spywarz5989.ocx
c:\windows\6azest9al16645.ocx
c:\windows\6c6b9zarse653.dll
c:\windows\6dc55ownloadz93082.dll
c:\windows\6z49spyware1588.dll
c:\windows\6z59thief2659.dll
c:\windows\6z87thie53029.bin
c:\windows\6zf7b95kdoor2564.ocx
c:\windows\709cvir1355z.ocx
c:\windows\70z99d5ware590.bin
c:\windows\7111th9z52784.bin
c:\windows\71289pazb5t1a.exe
c:\windows\715zteal9800.exe
c:\windows\7229wor5z79.bin
c:\windows\74f59dd5are1711z.dll
c:\windows\751d9ackdooz2753.cpl
c:\windows\7536vzr9s466.exe
c:\windows\759d9ownloaderz93.exe
c:\windows\75bbthre9t17z56.exe
c:\windows\7795stezl2155.dll
c:\windows\77e9do9nl5zder1840.exe
c:\windows\785zt9oj525.exe
c:\windows\78desz9r5e958.exe
c:\windows\793a5parse2z00.exe
c:\windows\7959thzef1060.cpl
c:\windows\7995azd5are2646.cpl
c:\windows\79e3spywa5e712z.cpl
c:\windows\79fbs5arse1z829.dll
c:\windows\79fes5ez9722.ocx
c:\windows\79zb9te5l965.dll
c:\windows\7b09stez52525.cpl
c:\windows\7b0zh9ef2675.exe
c:\windows\7b125te9lz01.bin
c:\windows\7cf1thzeat25494.bin
c:\windows\7fa59ownl5adzr2560.ocx
c:\windows\809spamb5t182z.dll
c:\windows\852vzr956.dll
c:\windows\8559virzs207.bin
c:\windows\9091worm3z55.ocx
c:\windows\9125zy526.ocx
c:\windows\91559spzmbot3a1.bin
c:\windows\922175iruz558.ocx
c:\windows\934azir5891.ocx
c:\windows\94539trojz5a.ocx
c:\windows\945esparse316z.exe
c:\windows\94869ir5s4fz.dll
c:\windows\95055vzrus89.ocx
c:\windows\9507sparse841z.cpl
c:\windows\9515zrm7c6.dll
c:\windows\95375spy42z.cpl
c:\windows\9575spazse2914.cpl
c:\windows\95z7backdoor3561.cpl
c:\windows\960stzal597.cpl
c:\windows\9612vzr5698.bin
c:\windows\96e1downlzad5r336.dll
c:\windows\97529szy595.bin
c:\windows\97793zpy522.dll
c:\windows\9794not-a-virzs7885.bin
c:\windows\97z7steal1156.exe
c:\windows\9851not-z-vir5sc6.cpl
c:\windows\9942hac9t5olzf5.bin
c:\windows\99599troj31z.cpl
c:\windows\99815spyz34.ocx
c:\windows\9d98adzware24115.exe
c:\windows\9e72downlo5der2957z.bin
c:\windows\9z6dthief959.exe
c:\windows\a3ddownzoa9er3595.dll
c:\windows\c79v9r4z5.cpl
c:\windows\c85backdo9rz515.dll
c:\windows\cd2spywar9315z.cpl
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\e86spywarz5599.bin
c:\windows\fa9stezl2995.dll
c:\windows\fe29ownzoader345.dll
c:\windows\Installer\1744810.msi
c:\windows\system32\10735wo9m184z.bin
c:\windows\system32\10a59ownloadzr282.bin
c:\windows\system32\10z9ste5l1940.ocx
c:\windows\system32\11519hacztoo97e5.cpl
c:\windows\system32\1157not-a-v9r5z3da.exe
c:\windows\system32\11881tro95z5.exe
c:\windows\system32\11e9azdwa5e1443.dll
c:\windows\system32\11ecspy59rez40.exe
c:\windows\system32\11z78spamb5ta9.cpl
c:\windows\system32\12259z-a-virus3d8.ocx
c:\windows\system32\12525vi9uz220.cpl
c:\windows\system32\1254th9eat598z.dll
c:\windows\system32\12595zp59bot349.cpl
c:\windows\system32\12960spzmbo5613.exe
c:\windows\system32\12z795p91e2.bin
c:\windows\system32\12z9spa5bot54.exe
c:\windows\system32\13265virus99cz.exe
c:\windows\system32\13459sp9az5.exe
c:\windows\system32\13490spambot45z.exe
c:\windows\system32\13558zo9m37.bin
c:\windows\system32\13982s9ambzt355.bin
c:\windows\system32\14099v9zus5d65.exe
c:\windows\system32\14495not-azvir5s495.ocx
c:\windows\system32\14598not-5-vzrus9db.exe
c:\windows\system32\146z1tro53f79.dll
c:\windows\system32\147zs59mbot795.exe
c:\windows\system32\14893trzj56a.bin
c:\windows\system32\1499sp5ware11z0.ocx
c:\windows\system32\1506z9a5ktool754.cpl
c:\windows\system32\151385r9j7d1z.exe
c:\windows\system32\15276hac5tool9a2z.bin
c:\windows\system32\15518z9amb5tee.cpl
c:\windows\system32\15604ha5ktool3za9.dll
c:\windows\system32\1561zpy9are2271.ocx
c:\windows\system32\15638spambo96z5.ocx
c:\windows\system32\15688s5ambzt7d79.dll
c:\windows\system32\1588s9ywa5e28z.ocx
c:\windows\system32\158z15or95b3.dll
c:\windows\system32\1593z5orm94e.dll
c:\windows\system32\1594zspy42.bin
c:\windows\system32\15z80no9-a-virus1e2.exe
c:\windows\system32\1605zhackt9ol485.dll
c:\windows\system32\16068z9y17a5.cpl
c:\windows\system32\16072not5a9virusz8.dll
c:\windows\system32\1657thzeat95904.dll
c:\windows\system32\17655t5z96e5.ocx
c:\windows\system32\18528vz9us98.dll
c:\windows\system32\18604wo5m59z.dll
c:\windows\system32\18715hreat9z759.exe
c:\windows\system32\18736s5zmbot998.bin
c:\windows\system32\18964virus5z1.ocx
c:\windows\system32\18e9vir30z5.exe
c:\windows\system32\1929vi5usz11.exe
c:\windows\system32\19453spambzt659.bin
c:\windows\system32\19540w5rm4dz.ocx
c:\windows\system32\195z4worm56e.exe
c:\windows\system32\19657not-a-ziru5400.ocx
c:\windows\system32\19662zroj751.cpl
c:\windows\system32\196695irzs7039.exe
c:\windows\system32\1972spywarez315.dll
c:\windows\system32\19733virzs675.exe
c:\windows\system32\19803zroj51.exe
c:\windows\system32\1czds5yware9170.ocx
c:\windows\system32\1dezvir19405.ocx
c:\windows\system32\1e1aaddw9rz2005.ocx
c:\windows\system32\1e955parze204.cpl

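A triage script for deletion listings like the two posted above, added here as an example; it is not part of the original post and not ComboFix's own code. The listings mix hundreds of planted "infection" files (a short hex-looking prefix, a threat word with letters swapped for 5, 9 or z, one of .dll/.bin/.exe/.ocx/.cpl, sitting directly in c:\windows or c:\windows\system32) with a handful of entries that deserve a human look (the MSIVX .sys driver and DLLs, setup2.exe, the scheduled-task .job). The script reads lines in the shape of the "Other Deletions" section and separates the two. The sample lines are copied from the listing above; the decoy rules, the threat-word list and the filler-character set are my own assumptions from reading it, not something the page or the rogue documents.

```python
import os

# Constructed sample in the shape of the ComboFix "Other Deletions" listing
# posted in this thread: ten lines copied from it, not a live scan.
SAMPLE_LOG = r"""
c:\windows\system32\5519spyz99.dll
c:\windows\system32\59zbackdoor708.exe
c:\windows\system32\drivers\MSIVXdpqbcsmqsitfdmpimiitovpwixytxtkv.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\setup2.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z7bbackdoo93150.ocx
c:\windows\CouponPrinter.ocx
c:\program files\WiniFighter Software\WiniFighter\WiniFighter.exe
c:\windows\Installer\1744810.msi
"""

# Threat words the planted names are built from (assumption: list derived by
# reading the listing; each appears with a few letters swapped for 5, 9 or z).
THREAT_WORDS = (
    "not-a-virus", "downloader", "backdoor", "hacktool", "spambot", "spyware",
    "addware", "sparse", "threat", "thief", "steal", "virus", "troj", "worm",
    "spy", "vir",
)
FILLER = frozenset("59z")                 # substitute characters seen in the log
DECOY_EXTS = frozenset({".dll", ".bin", ".exe", ".ocx", ".cpl"})
DECOY_DIRS = frozenset({"c:\\windows", "c:\\windows\\system32"})


def mangled_word(stem, word):
    """True if `word` occurs in `stem` with at most two letters replaced by filler
    characters and at least two letters left intact (so "b5ckdoo9" ~ "backdoor")."""
    n = len(word)
    need = max(2, n - 2)
    for i in range(len(stem) - n + 1):
        pairs = list(zip(stem[i:i + n], word))
        if all(a == b or a in FILLER for a, b in pairs) and sum(a == b for a, b in pairs) >= need:
            return True
    return False


def is_decoy(path):
    """Planted 'infection' file: directly under the Windows or System32 directory,
    one of the five decoy extensions, and a mangled threat word in the name."""
    path = path.lower()
    if "\\" not in path:
        return False
    directory, name = path.rsplit("\\", 1)
    if directory not in DECOY_DIRS:
        return False
    stem, ext = os.path.splitext(name)
    if ext not in DECOY_EXTS:
        return False
    return any(mangled_word(stem, w) for w in THREAT_WORDS)


def triage(log_text):
    """Split deletion-list lines into decoys and everything else; the second
    bucket is the short list a human should actually review."""
    buckets = {"decoy": [], "other": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("c:\\"):
            continue                      # skip headers, blanks, banner lines
        buckets["decoy" if is_decoy(line) else "other"].append(line)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['decoy'])} decoy entries, {len(result['other'])} to review:")
    for entry in result["other"]:
        print("  ", entry)
```

Run it over the full listing pasted into SAMPLE_LOG (or read from a saved ComboFix.txt) and the "to review" list is what remains once the noise is gone: a driver under system32\drivers, two DLLs and a counter file with the same MSIVX prefix, setup2.exe, a .job task and the WiniFighter program files. The filler set and the two-letter tolerance are tuned to this one listing; a different rogue would need its own rules.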

Re: winifighter

Post by Belahzur on 6th August 2009, 6:52 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: winifighter

Post by FREDDYELL on 9th August 2009, 10:07 pm

On typing combofix /u in the 'Start Search' window [= Run in Vista, I think?] and clicking on the file listed as combofix /u, it opens the following window saying "Windows cannot find 'Combo -fix.exe'. Make sure you typed the name correctly, and then try again". I eventually right-clicked the file name and chose Open as administrator, which opened the combo-fix.exe window, which I abandoned.

Should I have let it run?
I have re-enabled the firewall and virus checker. If I run the file, will I have to disable them?
Thanks


Re: winifighter

Post by Belahzur on 10th August 2009, 12:06 am

Leave it for now; the malware is gone, let's not fix what isn't broken.



Re: winifighter

Post by FREDDYELL on 10th August 2009, 4:10 pm

I think you're right - I've had no more bluescreens either.

Thanks for all your help, Belahzur. Thank you!
