trojan and virus overload


trojan and virus overload

Post by adamjac on 31st October 2009, 3:22 am

About a week ago, I downloaded a torrent that when opened infected my computer. It disabled my McAfee and Windows scan capabilities. Also, I can now only browse by means of Internet Explorer. My computer is constantly redirecting me to different sites.

One of the first successful scans gave me Trj/zlob.KH. Subsequent scans also included Downloader-BWS Trojan and DNSchanger.t

Since I have McAfee running again it has shown numerous Artemis trojans and an Exploit-ByteVerify. I'm desperate to reclaim my computer!!!

adamjac
Novice

Posts : 13
Joined : 2009-10-22
Gender : Male
OS : xp pro
Points : 26055
# Likes : 0


Re: trojan and virus overload

Post by Dr Jay on 31st October 2009, 4:45 am

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13812
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302439
# Likes : 10


ran ComboFix

Post by adamjac on 31st October 2009, 4:47 pm

Finished the ComboFix program; here are the results. Thank you for your time.

ComboFix 09-10-30.01 - Adam 10/31/2009 11:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3001 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\Commy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf_update.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
c:\documents and settings\Tiffany\Application Data\Zango
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.idx
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.dat
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.txt
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\default.cdf
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_511745-514279.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_categorize.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_comparison.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_explorer-Mails.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_explorer-people.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_favorites.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Games.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Hide.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_hotbarcom.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Hotmail.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_hsskin.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jemster.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jemsterie.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jemsteruk.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jobsearch.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Mails.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_new.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_premium.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_reun.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_ringtones.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_SearchBoxTrapper.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_searchfor.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_searchgo.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_weather.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_yellowpages.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-def-511724-548964.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-def-511724-9595.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.idx
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.dat
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.cdf
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.txt
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\program files\Freeze.com Toolbar
c:\program files\Freeze.com Toolbar\basis.xml
c:\program files\Freeze.com Toolbar\freeze.bmp
c:\program files\Freeze.com Toolbar\frzToolbar_logo.bmp
c:\program files\Freeze.com Toolbar\icons.bmp
c:\program files\Freeze.com Toolbar\options.html
c:\program files\Freeze.com Toolbar\powered_yahoo_search.bmp
c:\program files\Freeze.com Toolbar\version.txt
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP051 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DXP051 .MRK
F:\Autorun.inf

Infected copy of c:\windows\system32\drivers\iastor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-10-31 16:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 15:15 0 ----a-w- c:\windows\win32k.sys
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 16:21 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-10-31 16:21 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-10-31 16:02 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-10-31 00:06 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 03:32 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2004-08-10 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 2:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 11:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 7:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 7:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 7:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-10-22 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-10-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-OneStep - c:\program files\OneStep\uninstall.exe
AddRemove-SBC Self Support Tool - c:\docume~1\Adam\LOCALS~1\Temp\SST\CustomUninstall.exe
AddRemove-SBC.MCCInstall - c:\windows\Motive\SBC\MCCUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-31 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4868)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\dlcccoms.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2009-10-31 11:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 16:27

Pre-Run: 90,154,369,024 bytes free
Post-Run: 90,055,925,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CB139586E6036DB46EAD6BFB98D68A41

adamjac
Novice

Posts: 13
Joined: 2009-10-22
Gender: Male
OS: xp pro
Points: 26055
Likes: 0

Re: trojan and virus overload

Post by Dr Jay on 31st October 2009, 8:40 pm

There are dangerous backdoor trojans on your system (2). This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

If you do not have the resources to reformat and reinstall, or would rather clean the computer - Please do the following:



  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll

    NetSvc::
    krdpdre

    File::
    c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys

    FileLook::
    sfsync02.sys

    Driver::
    iastor

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 13812
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security
Points: 302439
Likes: 10
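Added example, not part of the thread and not a tool either poster used: a small Python triage script for the ComboFix log format posted above. It picks out the entries a responder would want to prioritise from logs like these, namely the IE proxy set to localhost:8080 (which fits the constant redirection the poster describes), the krdpdre driver loaded from a Temp directory, the zero-byte win32k.sys sitting in c:\windows rather than system32, the .vbs files dropped in the profile, Security Center monitoring and the XP firewall switched off, and gmer's IRP-hook report (which is a lead to attribute, as the FileLook:: step in the script above does, not a verdict on its own). The sample lines are constructed in the log's format and modelled on the posted entries; the rule names and the notes attached to them are this example's own.

```python
"""Triage indicators in a ComboFix-style log (added example, not a tool from the thread)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    rule: str   # identifier of the rule that fired (names are this example's own)
    line: str   # log line that triggered it, prefixed with its registry key where relevant
    note: str   # what the entry means to a responder


# Constructed sample lines in ComboFix's format, modelled on entries in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:8080
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 7:37 PM 1198720]
2009-10-21 04:30 . 2009-10-21 15:15 0 ----a-w- c:\windows\win32k.sys
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
\Driver\iastor IRP hooks detected !
"""

# "R3 name;display;image [date size]" or "S3 name;display;image --> image [?]"
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)(?:\s-->.*)?$")
# "created . modified size attrs path", as in the Files Created and Find3M sections
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d+|-+)\s+(\S+)\s+(.+)$"
)
REG_KEY = re.compile(r"^\[(.+)\]$")


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a prioritised indicator."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        m = REG_KEY.match(line)
        if m:                       # remember the key so value lines can be attributed to it
            current_key = m.group(1)
            continue
        # Browser proxy pointed at the machine itself: every IE request passes through a
        # local listener first, which fits the "redirected to different sites" symptom.
        if "proxyserver" in low and re.search(r"localhost|127\.0\.0\.1", low):
            findings.append(Finding("proxy-localhost", line,
                                    "browser traffic routed through a local listener"))
            continue
        # Service or driver whose image sits under a Temp directory.
        m = SERVICE_LINE.match(line)
        if m:
            if "\\temp\\" in m.group(3).lower():
                findings.append(Finding("driver-in-temp", line,
                                        "kernel driver loaded from a temporary directory"))
            continue
        # File entries: zero-byte files carrying an OS binary's name, scripts in a profile.
        m = FILE_LINE.match(line)
        if m:
            size, path = m.group(1), m.group(3).lower()
            if size == "0" and path.endswith((".sys", ".dll", ".exe")):
                findings.append(Finding("empty-system-file", line,
                                        "zero-byte file named like a system binary; compare its location with the real one"))
            elif path.endswith((".vbs", ".js", ".bat")) and "\\application data\\" in path:
                findings.append(Finding("script-in-profile", line,
                                        "script dropped in a user profile directory"))
            continue
        # Security Center told to stop watching a product, or the XP firewall turned off.
        if '"disablemonitoring"=dword:00000001' in low:
            findings.append(Finding("securitycenter-silenced", f"{current_key}: {line}",
                                    "Security Center alerts for this product suppressed"))
            continue
        if low.startswith('"enablefirewall"=') and re.search(r"=\s*0\b", low):
            findings.append(Finding("firewall-disabled", f"{current_key}: {line}",
                                    "Windows Firewall standard profile is off"))
            continue
        # gmer's IRP-hook verdict: attribute the hooking module before acting on it,
        # since legitimate drivers hook dispatch routines too.
        if "irp hooks detected" in low:
            findings.append(Finding("irp-hook", line,
                                    "driver dispatch routine hooked; identify the hooking module"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.note}\n    {f.line}")
```

Run it against a saved ComboFix.txt by passing the file's contents to triage(); each rule is deliberately narrow, so a clean entry such as the WinTV driver line in the sample produces nothing, and the output is a short list to read first rather than a verdict on the machine.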

Re: trojan and virus overload

Post by adamjac on 1st November 2009, 2:37 am

Well, I was hoping for a little more positive information, but I guess it doesn't always end well. At the moment I am unemployed and in an unemployment dispute for my compensation, so having the resources to reformat is out of the question. This computer is a family trove of treasures, and I am now desperately trying to copy all the important information onto discs: pictures, music, movies, etc. There is no chance of having infected media, is there? Should I be worried about my backup hard drive? If you can't clean this computer, then I will have to wait to reformat until I can offload all the important info, which at the moment is subject to financing. Here is the new log; when Windows restarted it failed and I had to restart with last known workable configuration. Again, I truly appreciate your help, even if it doesn't turn out the way I hope.


ComboFix 09-10-30.01 - Adam 10/31/2009 20:53.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2658 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\commy.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_iastor


((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 01:36 . 2009-11-01 01:36 -------- d-----w- c:\windows\LastGood
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-11-01 02:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 15:15 0 ----a-w- c:\windows\win32k.sys
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-08 19:57 . 2009-10-08 19:57 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 02:10 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-11-01 02:10 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-11-01 02:03 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-10-31 00:06 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 03:32 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-08 19:57 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\SETD2.tmp
2009-10-08 19:57 . 2009-10-08 19:57 220160 ----a-w- c:\windows\system32\SETD0.tmp
2009-10-08 19:56 . 2009-10-08 19:56 20480 ----a-w- c:\windows\system32\SETD1.tmp
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-01 02:08 . 2009-11-01 02:08 16384 c:\windows\Temp\Perflib_Perfdata_460.dat
+ 2005-08-17 03:06 . 2009-03-23 15:50 26488 c:\windows\system32\spupdsvc.exe
- 2005-08-17 03:06 . 2008-05-06 21:16 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-01 16:49 . 2009-03-23 15:50 17272 c:\windows\system32\spmsg.dll
- 2009-08-01 16:49 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2005-12-24 04:38 . 2009-10-31 22:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-31 17:20 . 2009-10-31 22:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 2:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 11:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 7:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 7:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 7:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-31 21:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
.
**************************************************************************
.
Completion time: 2009-11-01 21:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 02:16
ComboFix2.txt 2009-10-31 16:27

Pre-Run: 80,900,530,176 bytes free
Post-Run: 80,834,650,112 bytes free

- - End Of File - - BBAAC81D4249C7859AEEF6D25742CBDB


Re: trojan and virus overload

Post by Dr Jay on 1st November 2009, 2:47 am

Let's try to smash it...ok Cheers Mate

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 1st November 2009, 4:17 am

Unsure what a HijackThis log is, but here are the results of the report. Again, thank you.



SDFix: Version 1.240
Run by Administrator on Sat 10/31/2009 at 10:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-31 22:54:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:AT&T Yahoo! Music Jukebox"
"C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe"="C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe:*:Disabled:Hamsterball"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with hidden Attributes :

Mon 26 Dec 2005 56 A.SHR --- "C:\i386\7D6C9378DC.sys"
Mon 26 Dec 2005 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 3 May 2008 104 ..SHR --- "C:\WINDOWS\system32\7D6C9378DC.sys"
Sat 3 May 2008 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 14 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 24 May 2009 10,053,112 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Thu 22 Oct 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 22 Oct 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 13 Jul 2006 1,675,264 ...H. --- "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\game.exe"
Wed 19 Jul 2006 1,675,264 ...H. --- "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\game2.exe"
Sat 1 Aug 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 31 Oct 2009 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE7.tmp"
Sat 31 Oct 2009 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE8.tmp"

Finished!


Re: trojan and virus overload

Post by Dr Jay on 1st November 2009, 6:22 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 2nd November 2009, 2:19 am

Well, seems everything was quarantined and removed without a glitch. First here is the infection log.
Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/1/2009 8:01:12 PM
mbam-log-2009-11-01 (20-01-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 285486
Time elapsed: 2 hour(s), 24 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.

------------------------------------------------------------------------------------------------
And the finished log:

Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/1/2009 8:01:24 PM
mbam-log-2009-11-01 (20-01-24).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 285486
Time elapsed: 2 hour(s), 24 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

As always thank you for your patience and help.

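An added example, not from this thread and not Malwarebytes' own tooling: a small Python checker that parses the two MBAM 1.41 logs posted above, confirms that every item reported as "No action taken" in the first log shows up as "Quarantined and deleted successfully" in the second, and checks that each section's summary count matches the lines actually listed. The embedded sample logs are constructed, abridged from the poster's logs.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section item family action")

# Header that opens a detection list ("Registry Keys Infected:" with nothing after the colon).
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# Summary line near the top of the log ("Registry Keys Infected: 3").
COUNT_RE = re.compile(r"^(?P<section>.+?) Infected: (?P<n>\d+)$")
# One detection line:  <item> (<family>) -> <action>.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return every detection in an MBAM 1.x log as a Finding."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("item"), m.group("family"), m.group("action")))
        else:
            section = None  # any other text closes the current list
    return findings


def summary_counts(text):
    """Per-section counts from the summary block, e.g. {'Registry Keys': 2, ...}."""
    counts = {}
    for raw in text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            counts[m.group("section")] = int(m.group("n"))
    return counts


def count_mismatches(text):
    """Sections whose summary count differs from the number of detections actually listed."""
    findings = parse_mbam_log(text)
    expected = summary_counts(text)
    listed = {s: sum(1 for f in findings if f.section == s) for s in expected}
    return {s: (n, listed[s]) for s, n in expected.items() if listed[s] != n}


def unremediated(before_text, after_text):
    """Detections in the first log that the second log does not report as quarantined."""
    done = {(f.section, f.item) for f in parse_mbam_log(after_text)
            if f.action.startswith("Quarantined and deleted")}
    return [f for f in parse_mbam_log(before_text) if (f.section, f.item) not in done]


# Constructed sample log, abridged from the pre-removal log posted above (same entries,
# same actions; the summary counts are adjusted to the abridged lists).
BEFORE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3081

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> No action taken.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
"""

# The post-removal log lists the same items, now reported as quarantined.
AFTER_LOG = BEFORE_LOG.replace("No action taken.", "Quarantined and deleted successfully.")

if __name__ == "__main__":
    for f in parse_mbam_log(BEFORE_LOG):
        print(f"{f.section:16} {f.family:20} {f.item}")
    print("count mismatches:", count_mismatches(BEFORE_LOG))
    print("still unremediated:", unremediated(BEFORE_LOG, AFTER_LOG))
```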

Re: trojan and virus overload

Post by Dr Jay on 2nd November 2009, 2:54 am

Please re-run ComboFix as noted above, and post a new log in your next reply.


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 2nd November 2009, 3:42 am

Here is the new ComboFix report:


ComboFix 09-10-30.01 - Adam 11/01/2009 21:24.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2847 [GMT -6:00]
Running from: c:\documents and settings\Adam\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 03:22 . 2009-11-02 03:22 -------- d-----w- C:\32788R22FWJFW
2009-11-01 22:41 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 22:41 . 2009-11-01 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 22:41 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 03:44 . 2009-11-01 03:44 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-01 03:41 . 2009-11-01 03:42 -------- d-----w- c:\windows\ERUNT
2009-11-01 03:25 . 2009-11-01 03:58 -------- d-----w- C:\SDFix
2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 01:53 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-11-02 03:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-08 19:57 . 2009-10-08 19:57 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 03:24 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-11-02 03:10 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-02 02:04 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-11-02 02:01 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-11-02 02:00 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-08 19:57 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\SETD2.tmp
2009-10-08 19:57 . 2009-10-08 19:57 220160 ----a-w- c:\windows\system32\SETD0.tmp
2009-10-08 19:56 . 2009-10-08 19:56 20480 ----a-w- c:\windows\system32\SETD1.tmp
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-17 03:06 . 2008-05-06 21:16 26488 c:\windows\system32\spupdsvc.exe
+ 2005-08-17 03:06 . 2009-03-23 15:50 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-01 16:49 . 2009-03-23 15:50 17272 c:\windows\system32\spmsg.dll
- 2009-08-01 16:49 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2005-08-16 10:18 . 2009-11-02 02:08 84444 c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 84444 c:\windows\system32\perfc009.dat
+ 2005-12-24 04:38 . 2009-11-02 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-31 17:20 . 2009-11-02 02:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 475006 c:\windows\system32\perfh009.dat
+ 2005-08-16 10:18 . 2009-11-02 02:08 475006 c:\windows\system32\perfh009.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 1:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 10:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 6:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 6:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 6:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-01 21:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-02 21:36
ComboFix-quarantined-files.txt 2009-11-02 03:36
ComboFix2.txt 2009-11-01 02:16
ComboFix3.txt 2009-10-31 16:27

Pre-Run: 80,104,730,624 bytes free
Post-Run: 80,085,897,216 bytes free

- - End Of File - - 5BD81022B8B4D9ECBDD6994CB61A301A


Re: trojan and virus overload

Post by Dr Jay on 2nd November 2009, 4:14 am

Jotti File Submission:
  • Please go to [You must be registered and logged in to see this link.]

  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • c:\windows\system32\dllcache\oleacc.dll


  • Click on the submit button

  • Please post the results (URL) in your next reply.


==

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\SETD2.tmp
    c:\windows\system32\SETD0.tmp
    c:\windows\system32\SETD1.tmp
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Also, please tell me how your computer is running.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13812
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302439
# Likes # Likes : 10

View user profile

Back to top Go down

Re: trojan and virus overload

Post by adamjac on 2nd November 2009, 4:57 am

My computer seems to be running faster and without all the redirecting. Even the activity light on my modem seems to have stabilized, and I have been able to update some of my Windows. I don't know how I stumbled onto this site, but I sure am glad there are people in this world who still have kindness. Thanks to all the people who make this site possible.

The Jotti report

Filename: oleacc.dll
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 2 Nov 2009 05:19:46 (CET)



--------------------------------------------------------------------------------
Additional info
File size: 220160 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: dfc132d3ec7900bcb21e9375a10130c8
SHA1: bd575cfd062fbb03d5c25268835be84a0d7d03e4



And the combofix report



ComboFix 09-10-30.01 - Adam 11/01/2009 22:29.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2886 [GMT -6:00]
Running from: c:\documents and settings\Adam\Desktop\commy.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\SETD0.tmp"
"c:\windows\system32\SETD1.tmp"
"c:\windows\system32\SETD2.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SETD0.tmp
c:\windows\system32\SETD1.tmp
c:\windows\system32\SETD2.tmp

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 04:27 . 2009-11-02 04:27 -------- d-----w- C:\32788R22FWJFW
2009-11-01 22:41 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 22:41 . 2009-11-01 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 22:41 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 03:44 . 2009-11-01 03:44 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-01 03:41 . 2009-11-01 03:42 -------- d-----w- c:\windows\ERUNT
2009-11-01 03:25 . 2009-11-01 03:58 -------- d-----w- C:\SDFix
2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 01:53 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-11-02 04:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-08 19:57 . 2009-10-08 19:57 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 04:34 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-11-02 03:10 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-02 02:04 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-11-02 02:01 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-11-02 02:00 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-17 03:06 . 2008-05-06 21:16 26488 c:\windows\system32\spupdsvc.exe
+ 2005-08-17 03:06 . 2009-03-23 15:50 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-01 16:49 . 2009-03-23 15:50 17272 c:\windows\system32\spmsg.dll
- 2009-08-01 16:49 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2005-08-16 10:18 . 2009-11-02 02:08 84444 c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 84444 c:\windows\system32\perfc009.dat
+ 2005-12-24 04:38 . 2009-11-02 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 475006 c:\windows\system32\perfh009.dat
+ 2005-08-16 10:18 . 2009-11-02 02:08 475006 c:\windows\system32\perfh009.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 1:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 10:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 6:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 6:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 6:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-01 22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
.
Completion time: 2009-11-02 22:40
ComboFix-quarantined-files.txt 2009-11-02 04:40
ComboFix2.txt 2009-11-02 03:36
ComboFix3.txt 2009-11-01 02:16
ComboFix4.txt 2009-10-31 16:27

Pre-Run: 80,052,609,024 bytes free
Post-Run: 80,031,080,448 bytes free

- - End Of File - - 2EF78595FC65B0CA62F47854298802AF

After ComboFix finished running it had me upload some file.

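The "Supplementary Scan" and Gmer sections of the ComboFix log above carry the indicators that explain the constant redirects the thread opened with: a browser proxy set to localhost:8080, a ProxyOverride that exempts only loopback, and IRP hooks reported on the iastor disk driver. As an added example that is not from the thread, from ComboFix or from Gmer, this Python triage script parses lines in that shape (the sample is constructed from the entries shown) and flags those findings; the function names and severity labels are my own.

```python
import re

# Constructed sample in the shape of the ComboFix "Supplementary Scan"
# section and the Gmer MBR detector output shown in the log above.
SAMPLE_LOG = """\
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
Trusted Zone: microsoft.com\\oas.support
\\Driver\\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\\Driver\\iastor IRP hooks detected !
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
OVERRIDE_RE = re.compile(r"^uInternet Settings,ProxyOverride\s*=\s*(.*)$")
HOOK_RE = re.compile(r"^\\Driver\\(\S+) \[ (\w+) \] (0x[0-9A-Fa-f]+) != (0x[0-9A-Fa-f]+) (\S+)$")
HOOKED_RE = re.compile(r"^\\Driver\\(\S+) IRP hooks detected")


def parse_proxy_servers(value):
    """Split a ProxyServer value such as 'http=localhost:8080;https=x:443'
    or a bare 'host:port' into (scheme, host, port) tuples."""
    out = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")  # scheme is '' when absent
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given at all
            host, port = hostport, ""
        out.append((scheme or "all", host, port))
    return out


def triage_combofix(text):
    """Return (severity, message) findings for the indicators this log shows:
    a browser proxy pointing back at the local machine, a ProxyOverride that
    exempts only loopback, and Gmer IRP hook reports on a driver."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            for scheme, host, port in parse_proxy_servers(m.group(1)):
                if host.lower() in LOOPBACK:
                    findings.append(("high", f"{scheme} proxy set to {host}:{port} on this machine; "
                                     "a local process can see and redirect every browser request"))
        elif m := OVERRIDE_RE.match(line):
            exempt = {e.strip().lower() for e in m.group(1).split(";") if e.strip()}
            if exempt and exempt <= LOOPBACK:
                findings.append(("medium", "ProxyOverride exempts only loopback, so all other traffic uses the proxy"))
        elif m := HOOK_RE.match(line):
            drv, irp, _, _, module = m.groups()
            findings.append(("high", f"{irp} handler of \\Driver\\{drv} resolves into {module}, not the driver itself"))
        elif m := HOOKED_RE.match(line):
            findings.append(("high", f"Gmer reports IRP hooks on \\Driver\\{m.group(1)}: kernel-mode rootkit behaviour"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_combofix(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

A proxy entry pointing at a real corporate proxy host produces no finding; only loopback proxies and Gmer hook lines are flagged.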

Re: trojan and virus overload

Post by Dr Jay on 2nd November 2009, 10:01 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your Desktop.
  • Please double-click OTM.exe to run it.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    c:\windows\system32\dllcache\oleacc.dll


  • Return to OTM.exe, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 3rd November 2009, 3:29 pm

Sorry it took so long to reply, but here are the results:


Error: Unable to interpret in the current context!

OTM by OldTimer - Version 3.0.0.6 log created on 11032009_092744


Re: trojan and virus overload

Post by Dr Jay on 4th November 2009, 3:28 am

Please delete this file manually: c:\windows\system32\dllcache\oleacc.dll


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 4th November 2009, 5:30 am

It seems to have successfully deleted. I searched all my files and it showed no results. Not sure if it made a difference, but I deleted it using McAfee Shredder with 10 passes. It just sounded better, but maybe I'm easy to fool. Please let me know if there is anything else I should do. Again, thanks to all that make this site what it is.


Re: trojan and virus overload

Post by Dr Jay on 4th November 2009, 6:27 am

Oh good. I was expecting it to give a little trouble deleting. Luckily you had that, otherwise Malwarebytes has a built-in FileAssassin tool that works similarly. Just need a good virus scan to make sure the malware is gone:

Please do a scan with [You must be registered and logged in to see this link.]

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 5th November 2009, 1:12 am

Hello again,

I tried to use the Kaspersky scanner but I keep receiving an error message that says "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."

I went to the Java website and installed the program from them, so it should be working fine. Other than that I am at a loss about how I have an interrupted internet connection. Have any suggestions? Hope I'm just missing something. Thank you.


Re: trojan and virus overload

Post by Dr Jay on 5th November 2009, 2:56 am

Try this:

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 5th November 2009, 1:35 pm

OK, that scanner worked and here are the results:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a8da0b40c7578c4f8eebe2b325b60893
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-05 06:18:04
# local_time=2009-11-05 12:18:04 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776613 100 96 0 9397925 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=129010
# found=5
# cleaned=5
# scan_time=9085
C:\Documents and Settings\Adam\Desktop\SDFix.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.OF virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\SDFix\apps\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP13\A0000872.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP13\A0000873.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Re: trojan and virus overload

Post by Dr Jay on 5th November 2009, 4:09 pm

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 5th November 2009, 5:56 pm

I ran the check; it said it can't find server name for address 192.168.0.1: Non-existent domain. Default servers are not available. Other than that, here is the log info:


Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
McAfee SecurityCenter
McAfee Virtual Technician
Pathophysiology
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 9.1.3
``````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Hope everything is looking better. Couldn't have done it without you. THANK YOU


Re: trojan and virus overload

Post by Dr Jay on 6th November 2009, 12:19 am

To remove all of the tools we used and the files and folders they created do the following:
Double click OTM.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.


==

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)



Re: trojan and virus overload

Post by adamjac on 6th November 2009, 2:36 am

THANK YOU VERY MUCH for all your time and help. Your advice has been priceless, and a big learning experience for me. If I can only retain half of what you probably forgot then I will be OK. I'm a man of my word, so when it's possible I will donate what I can, because you guys are awesome. I plan on keeping up my registration and hopefully someday I can lend a hand to help someone. Best of all, my three girls are happy that dad will let them on the computer again. Thanks a million. ADAM
