help im infected with the "security tool " virus


Post by beachbumtroy on 11th January 2011, 5:31 pm

Here's the log file below, now tell me what I do? Thanks, bb

ComboFix 11-01-10.08 - Owner 01/11/2011 11:50:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.487 [GMT -5:00]
Running from: c:\documents and settings\Owner\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\Dtdh.dll
c:\windows\system32\ps2.bat
c:\documents and settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe
c:\documents and settings\Owner\Start Menu\Programs\Security Shield.lnk
c:\windows\system\oeminfo.ini
c:\windows\system32\arp.exe
c:\windows\system32\SCardSvr.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2011-01-11 16:22 . 2011-01-11 16:22 -------- d-----w- c:\program files\Common Files\Java
2011-01-11 16:19 . 2011-01-11 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-11 16:18 . 2011-01-11 16:18 -------- d-----w- c:\program files\Java
2011-01-11 13:39 . 2011-01-11 13:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-11 13:30 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-11 13:30 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-11 13:30 . 2010-11-17 15:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-11 13:30 . 2010-11-25 15:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-11 13:30 . 2010-11-25 15:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-11 13:30 . 2010-11-25 15:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-11 13:30 . 2011-01-11 13:32 -------- d-----w- c:\program files\Common Files\PC Tools
2011-01-11 13:30 . 2011-01-11 15:48 -------- d-----w- c:\program files\PC Tools Security
2011-01-11 13:30 . 2011-01-11 13:30 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2011-01-11 13:30 . 2011-01-11 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-11 13:24 . 2011-01-11 16:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-11 12:46 . 2011-01-11 12:46 264192 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\flcabyruh.exe
2011-01-01 22:00 . 2011-01-01 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Photo Notifier and Animation Creator
2011-01-01 22:00 . 2011-01-01 22:00 -------- d-----w- c:\program files\Photo Notifier and Animation Creator
2010-12-19 21:43 . 2010-12-19 21:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-15 12:11 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-11 16:18 . 2010-05-12 21:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12 . 2009-10-14 22:43 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2009-10-14 22:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2009-10-14 22:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2009-10-14 22:43 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-10-14 22:43 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-10-14 22:41 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-10-14 22:43 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"hp Silent Service"="c:\windows\system32\HpSrvUI.exe" [2001-11-30 32768]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-16 212992]
"S3apphk"="S3apphk.exe" [2001-12-05 28672]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-04 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
2003-08-19 10:43 57344 -c--a-w- c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"LexBceS"=2 (0x2)
"SamSs"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\ImpCnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\drivers\PCTCore.sys [1/11/2011 8:30 AM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\SYSTEM32\drivers\pctDS.sys [1/11/2011 8:30 AM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\SYSTEM32\drivers\pctEFA.sys [1/11/2011 8:30 AM 656320]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [10/19/2009 12:36 PM 109168]
R3 trid3d;trid3d;c:\windows\SYSTEM32\drivers\trid3dm.sys [12/27/2001 10:11 PM 149244]
S3 PID_0960_V;Logitech ClickSmart 420(PID_0960_V);c:\windows\SYSTEM32\drivers\LVVIMULB.SYS [9/30/2010 8:15 PM 163328]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/11/2011 8:30 AM 366840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-06-22 19:36]

2010-11-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-16 22:08]

2010-07-02 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-06-22 19:36]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
LSP: c:\program files\IObit\Advanced SystemCare 3\SPICtrl.dll
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Works2002Setup - c:\program files\Microsoft Works and Money 2002\Setup\Launcher.exe \hp\tmp\src\



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-01-11 11:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1241443622-3753018816-2163411867-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c00c\6&1f3af29a&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)
c:\program files\IObit\Advanced SystemCare 3\SPICtrl.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-01-11 12:02:30
ComboFix-quarantined-files.txt 2011-01-11 17:02

Pre-Run: 197,215,490,048 bytes free
Post-Run: 197,225,492,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

- - End Of File - - BB9AB2CA5DA9378E8453FF1BCF0A17D3

beachbumtroy (Beginner)
Posts : 3
Joined : 2011-01-11
OS : windows 7
Points : 21633
# Likes : 0
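As an added triage example (not from the thread or any of its posters), the script below parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log in the format shown above and flags the two things a helper would look at first in this log: executables dropped into a user-writable profile directory (here the random-named flcabyruh.exe under Local Settings\Application Data) and the Security Center AntiVirusOverride value being set. The sample log is a constructed excerpt whose lines are copied from the log above.

```python
import re

# Constructed excerpt in ComboFix log format. The entries mirror lines from the
# thread's log; javacpl.cpl and wbem\Repository are included as benign controls.
SAMPLE_LOG = r"""
(((((( Files Created from 2010-12-11 to 2011-01-11 ))))))
.
2011-01-11 16:19 . 2011-01-11 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-11 12:46 . 2011-01-11 12:46 264192 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\flcabyruh.exe
2010-12-19 21:43 . 2010-12-19 21:43 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((( Reg Loading Points ))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Layout of a file entry: "<created> . <modified> <size> <attrs> <path>";
# size is "--------" for directories and attrs is an 8-character field.
FILE_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S{8}) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat")
# Per-user, user-writable locations that rogue "security tool" installers use on XP
PROFILE_DIRS = ("\\local settings\\application data\\",
                "\\local settings\\temp\\", "\\application data\\",
                "\\start menu\\programs\\startup\\")

def parse_files(log):
    """Return (created, modified, size, attrs, path) tuples from the log."""
    out = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group(4).startswith(("-", "d")):
            out.append(m.groups())
    return out

def triage(log):
    """List the findings to look at first; an empty list means nothing was flagged."""
    findings = []
    for _, _, _, attrs, path in parse_files(log):
        low = path.lower()
        if attrs[0] != "d" and low.endswith(EXEC_EXT) and \
                any(d in low for d in PROFILE_DIRS):
            findings.append("executable in user-writable profile dir: " + path)
    if re.search(r'"AntiVirusOverride"=dword:0*1\b', log):
        findings.append("Security Center AntiVirusOverride=1 (AV status alerts suppressed)")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("[!]", finding)
```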


Re: help im infected with the "security tool " virus

Post by Belahzur on 11th January 2011, 11:06 pm

Hello.

You aren't running antivirus software.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1


help with security tool virus

Post by beachbumtroy on 12th January 2011, 2:00 pm

I did both of the above, installed Avira and ran the scan. It seems the popup warnings are gone and there is nothing in my tool tray as far as an icon, but does that mean it is off my system? Or do I have to do something else? Thanks, bb


Last edited by beachbumtroy on 12th January 2011, 2:02 pm; edited 1 time in total (Reason for editing : spelling)

beachbumtroy (Beginner)
Posts : 3
Joined : 2011-01-11
OS : windows 7
Points : 21633
# Likes : 0


Re: help im infected with the "security tool " virus

Post by Belahzur on 12th January 2011, 6:42 pm

Did the ESET scan report any findings? If not, then everything should be good; the ComboFix log looks fine.




Belahzur (Administrator)
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1


Re: help im infected with the "security tool " virus

Post by beachbumtroy on 12th January 2011, 7:36 pm

I believe it did, but I put "fix automatically" on it and it did, apparently. Thanks so much, I thought I was done for :)

beachbumtroy (Beginner)
Posts : 3
Joined : 2011-01-11
OS : windows 7
Points : 21633
# Likes : 0
