AV Security Suite and other issues

View previous topic View next topic Go down

Re: AV Security Suite and other issues

Post by Crush on 2nd July 2010, 2:08 am

Ok. Let's remove it as myself and a colleague of mine are quite certain it's malicious.

Re-running ComboFix to remove infections:



  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the Code box below into it:

Code:

File::
c:\windows\Qkutubetoguma.bin

  • Save this as CFScript.txt, in the same location as ComboFix.exe





  • Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please post the contents of the log in your next reply.

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42118
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AV Security Suite and other issues

Post by smleahy88 on 2nd July 2010, 2:42 am

ComboFix 10-06-30.03 - Sean Leahy 07/01/2010 22:29:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1544 [GMT -4:00]
Running from: c:\documents and settings\Sean Leahy\Desktop\commy.exe
Command switches used :: c:\documents and settings\Sean Leahy\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-01 05:12 . 2010-07-02 02:04 -------- d-----w- c:\program files\World of Warcraft
2010-07-01 05:06 . 2010-07-01 05:06 -------- d-----w- C:\_OTL
2010-07-01 05:02 . 2010-07-01 05:02 -------- d-----w- c:\program files\World of Warcraft.temp
2010-07-01 00:48 . 2010-07-01 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-01 00:26 . 2010-07-01 00:26 -------- d-----w- c:\program files\Defraggler
2010-06-30 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 22:46 . 2010-06-30 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\.file_store_32
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\program files\Google Video
2010-06-26 02:23 . 2010-06-30 22:31 188584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\windows\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 01:44 . 2006-09-05 15:14 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-07-02 01:44 . 2006-09-03 04:21 57752 ----a-w- c:\windows\system32\Rpcnet.dll
2010-07-02 01:43 . 2009-02-16 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:09 . 2006-08-30 19:52 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-01 05:04 . 2006-08-26 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-01 02:49 . 2010-02-01 04:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-07-01 00:38 . 2006-08-26 12:19 -------- d-----w- c:\program files\Google
2010-07-01 00:25 . 2009-08-03 20:09 -------- d-----w- c:\program files\CCleaner
2010-06-30 05:41 . 2006-10-27 20:37 -------- d-----w- c:\program files\Warcraft III
2010-06-23 03:03 . 2009-08-20 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-22 01:18 . 2008-09-14 09:16 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\Skype
2010-06-22 00:46 . 2008-09-14 09:20 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\skypePM
2010-06-19 23:27 . 2006-10-26 01:05 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-19 23:27 . 2006-10-26 01:05 88 -csh--r- c:\windows\system32\195609FFE0.sys
2010-06-19 03:54 . 2006-10-27 20:42 91488 -c--a-w- c:\windows\War3Unin.dat
2010-06-18 04:38 . 2006-11-04 06:56 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\uTorrent
2010-06-11 22:04 . 2010-02-22 01:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-21 18:14 . 2010-01-23 06:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 22:17 . 2006-12-05 20:22 23954 ----a-w- c:\documents and settings\Sean Leahy\Application Data\wklnhst.dat
2010-05-04 17:20 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:40 . 2005-08-16 09:18 57752 ------w- c:\windows\system32\rpcnet.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-02 01:43 . 2010-07-02 01:43 16384 c:\windows\Temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-2 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-26 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2006-09-21 21:36 43520 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 13:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 03:23 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 20:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-12 21:13 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-24 02:43 1217872 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-04 17:32 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 -c----w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\firehousehoss23@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Sean Leahy\\Local Settings\\Apps\\2.0\\HKN2TL5K.KMN\\HX6HWK9N.6KA\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizz
"6112:TCP"= 6112:TCP:blizz
"6881:TCP"= 6881:TCP:blizz
"6999:TCP"= 6999:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/31/2009 3:47 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/23/2010 3:22 AM 112592]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/15/2009 8:58 PM 359624]
S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys --> c:\windows\system32\drivers\skfilt.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]

2010-07-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 03:23]

2010-07-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-01 22:37:12
ComboFix-quarantined-files.txt 2010-07-02 02:37
ComboFix2.txt 2010-07-01 06:04
ComboFix3.txt 2010-07-01 05:39

Pre-Run: 4,184,166,400 bytes free
Post-Run: 4,168,400,896 bytes free

- - End Of File - - 1A4CC87C37CABF98578842D9C48C4F55

smleahy88
Novice
Novice

Posts Posts : 21
Joined Joined : 2010-07-01
OS OS : XP Home
Points Points : 23823
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AV Security Suite and other issues

Post by Crush on 2nd July 2010, 2:46 am

hi again,

How are things running now? An update would be appreciated Smile

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42118
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AV Security Suite and other issues

Post by smleahy88 on 2nd July 2010, 2:49 am

Things seem to be running great I have not had an issue since last night. I have not run any virus scans today to look for anything but I can if you want. No hijacking no JIT debugger popups nothing.

smleahy88
Novice
Novice

Posts Posts : 21
Joined Joined : 2010-07-01
OS OS : XP Home
Points Points : 23823
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AV Security Suite and other issues

Post by Crush on 2nd July 2010, 2:51 am

Ok. Let's just make sure everything is gone:

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


EDIT: 1,000 posts LOL Banner

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42118
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AV Security Suite and other issues

Post by smleahy88 on 2nd July 2010, 3:12 am

i cant open internet explorer it says error and wants me to send an error report

smleahy88
Novice
Novice

Posts Posts : 21
Joined Joined : 2010-07-01
OS OS : XP Home
Points Points : 23823
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AV Security Suite and other issues

Post by Crush on 2nd July 2010, 3:13 am

Ok try this one:

Please go to [You must be registered and logged in to see this link.] and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

  • Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42118
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: AV Security Suite and other issues

    Post by smleahy88 on 2nd July 2010, 4:36 am

    running the kaspersky scan. going to bed ill leave it on and post before wrok in the morning cause it seems to be taking a while. comp is running great ill post in the morning.

    smleahy88
    Novice
    Novice

    Posts Posts : 21
    Joined Joined : 2010-07-01
    OS OS : XP Home
    Points Points : 23823
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: AV Security Suite and other issues

    Post by Crush on 2nd July 2010, 4:38 am

    Ok. Kaspersky usually takes quite a while so it might not be done when you get up in the morning. I look forward to seeing the log Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42118
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: AV Security Suite and other issues

    Post by smleahy88 on 2nd July 2010, 12:41 pm

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, July 2, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, July 02, 2010 00:04:19
    Records in database: 4259650
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 95255
    Threats found: 4
    Infected objects found: 5
    Suspicious objects found: 0
    Scan duration: 02:51:34


    File name / Threat / Threats count
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP879\A0327717.exe Infected: Trojan.Win32.FraudPack.aygx 1
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP887\A0331154.DLL Infected: Trojan-Spy.Win32.Brospa.aa 1
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP889\A0331467.sys Infected: Rootkit.Win32.TDSS.ap 1

    Selected area has been scanned.


    headed to work

    smleahy88
    Novice
    Novice

    Posts Posts : 21
    Joined Joined : 2010-07-01
    OS OS : XP Home
    Points Points : 23823
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: AV Security Suite and other issues

    Post by Crush on 2nd July 2010, 12:57 pm

    All that looks fine. The infections will be removed when we do cleanup. How are things running now?

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42118
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: AV Security Suite and other issues

    Post by smleahy88 on 2nd July 2010, 11:25 pm

    things are running great still. Just got home from work. whats next

    smleahy88
    Novice
    Novice

    Posts Posts : 21
    Joined Joined : 2010-07-01
    OS OS : XP Home
    Points Points : 23823
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: AV Security Suite and other issues

    Post by Crush on 3rd July 2010, 2:27 am

    If there are no more issues:

    Congratulations!! Your PC is all clean! Big Grin

    To uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /u



    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.


    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    Cleaning

    Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    Defragmenting Your Hard Disk

    Over time your PC can become fragmented, Windows comes with a defragmenting utility, however, it is very slow, and there are other options available.

    To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
    right-click My Computer, choose Manage, Storage, Disk Defragmenter.

    In the Defragmenter utility, select your main partition/HD, generally C:\ and select analyze . The analysis report will tell you whether or not your disk needs to be defragmented, if it does, click defragment. Be patient, this can take a long time.

    Repeat for multiple partitions/hard disks.

    System Restore Cleanup Instructions

    If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
    You can find instructions on how to disable and re-enable system restore here:

    [You must be registered and logged in to see this link.]

    [You must be registered and logged in to see this link.]

    Reading Tip:
    [You must be registered and logged in to see this link.]
    Keep Your System Updated

    Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

    Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

    To update Windows and office

    Go to Start > All Programs > Microsoft Update

    Alternatively, you can visit the link below to update Windows and Office products.

    [You must be registered and logged in to see this link.]

    If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

    1. Go to Start > Control Panel > Automatic Updates
    2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

    Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

    Be careful when opening attachments and downloading files.

    1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    2. Never open emails from unknown senders.
    3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
    4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

    Surf safely

    Many security exploits on websites are directed to users of Internet Explorer and Firefox.

    If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

    Backup regularly

    You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to backup. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

    Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
    [You must be registered and logged in to see this link.]

    Avoid P2P

    I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Prevent A Re-infection

    1. Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

    You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

    You can read [You must be registered and logged in to see this link.] if you run into problems.

    2. Hosts File

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    3. Spybot Search and Destroy

    Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

    4. SiteHound Toolbar

    [You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

    ====

    Stand Up and Be Counted ---> [You must be registered and logged in to see this link.]<--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
    ============================================================
    See [You must be registered and logged in to see this link.] for more info about malware and prevention.
    Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
    Before the thread is archived, do you have any more questions?

    Happy surfing and stay clean!

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42118
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    View previous topic View next topic Back to top

    - Similar topics

     
    Permissions in this forum:
    You cannot reply to topics in this forum