win32/tifaut.c

View previous topic View next topic Go down

Re: win32/tifaut.c

Post by giovannipacanza on Fri Feb 18, 2011 6:59 pm

i notice after the reboot, i've seen a new file in my desktop, named THUMBS.DB, what kind of file is this? after a while its gone....

giovannipacanza
Novice
Novice

Posts Posts : 41
Joined Joined : 2010-11-25
Gender Gender : Male
OS OS : Windows 7 Ultimate
Protection Protection : Malwarebytes , Microsoft Security Essentials
Points Points : 22577
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by Belahzur on Sat Feb 19, 2011 1:46 am

Hello.
Yeah, don't worry about those, just delete them.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by giovannipacanza on Sat Feb 19, 2011 4:49 am

ComboFix 11-02-17.02 - user 02/19/2011 12:36:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.57 [GMT 7:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Fearghus
c:\documents and settings\All Users\Application Data\Microsoft\USB2.0
c:\documents and settings\user\Application Data\PriceGong
c:\documents and settings\user\Application Data\PriceGong\Data\1.xml
c:\documents and settings\user\Application Data\PriceGong\Data\a.xml
c:\documents and settings\user\Application Data\PriceGong\Data\b.xml
c:\documents and settings\user\Application Data\PriceGong\Data\c.xml
c:\documents and settings\user\Application Data\PriceGong\Data\d.xml
c:\documents and settings\user\Application Data\PriceGong\Data\e.xml
c:\documents and settings\user\Application Data\PriceGong\Data\f.xml
c:\documents and settings\user\Application Data\PriceGong\Data\g.xml
c:\documents and settings\user\Application Data\PriceGong\Data\h.xml
c:\documents and settings\user\Application Data\PriceGong\Data\i.xml
c:\documents and settings\user\Application Data\PriceGong\Data\J.xml
c:\documents and settings\user\Application Data\PriceGong\Data\k.xml
c:\documents and settings\user\Application Data\PriceGong\Data\l.xml
c:\documents and settings\user\Application Data\PriceGong\Data\m.xml
c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\user\Application Data\PriceGong\Data\n.xml
c:\documents and settings\user\Application Data\PriceGong\Data\o.xml
c:\documents and settings\user\Application Data\PriceGong\Data\p.xml
c:\documents and settings\user\Application Data\PriceGong\Data\q.xml
c:\documents and settings\user\Application Data\PriceGong\Data\r.xml
c:\documents and settings\user\Application Data\PriceGong\Data\s.xml
c:\documents and settings\user\Application Data\PriceGong\Data\t.xml
c:\documents and settings\user\Application Data\PriceGong\Data\u.xml
c:\documents and settings\user\Application Data\PriceGong\Data\v.xml
c:\documents and settings\user\Application Data\PriceGong\Data\w.xml
c:\documents and settings\user\Application Data\PriceGong\Data\x.xml
c:\documents and settings\user\Application Data\PriceGong\Data\y.xml
c:\documents and settings\user\Application Data\PriceGong\Data\z.xml
c:\windows\system32\autorun.in
c:\windows\system32\keyboard

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
.

2011-02-18 11:48 . 2011-02-18 11:48 -------- d-----w- c:\program files\Common Files\Java
2011-02-17 09:17 . 2011-02-17 09:17 -------- dc----w- C:\_OTL
2011-02-13 10:53 . 2011-02-13 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-02-12 10:07 . 2011-02-12 10:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2011-02-09 10:07 . 2011-02-09 10:07 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ESET
2011-02-09 09:09 . 2011-02-13 11:02 -------- d-----w- c:\program files\ESET
2011-02-09 09:09 . 2011-02-09 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-02-09 08:27 . 2011-02-09 08:27 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Opera
2011-02-09 08:26 . 2011-02-09 08:27 -------- d-----w- c:\program files\Opera
2011-02-09 07:07 . 2011-02-09 07:07 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-02-09 07:07 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 07:07 . 2011-02-09 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-09 07:07 . 2011-02-09 07:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 07:07 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 08:17 . 2011-02-08 08:17 -------- d-----w- c:\program files\IObit
2011-02-07 08:40 . 2011-02-07 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-02-07 08:37 . 2011-02-13 10:57 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-02-06 09:43 . 2011-02-06 09:43 -------- d-----w- c:\program files\GiftAuto
2011-01-29 21:35 . 2011-01-29 21:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-28 05:06 . 2011-02-16 09:52 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-01-28 03:38 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-28 03:38 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-28 03:38 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-28 03:38 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-28 03:38 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-28 03:38 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-28 03:37 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-28 03:31 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-01-28 03:31 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-01-28 03:28 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-01-28 03:26 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-28 03:26 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-28 03:26 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-01-28 03:26 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-01-27 16:34 . 2011-01-27 16:34 -------- d-----w- c:\windows\ServicePackFiles
2011-01-27 16:34 . 2011-01-28 21:17 -------- d-----w- c:\windows\ie8updates
2011-01-27 16:33 . 2011-01-27 16:33 -------- d-----w- c:\program files\MSXML 4.0
2011-01-25 09:00 . 2011-01-25 09:00 -------- d-----w- c:\documents and settings\user\Application Data\HDRsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 14:40 . 2010-06-30 22:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 12:19 . 2010-06-30 22:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-03 135664]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-07-21 198864]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 11:00 1818624 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 03:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\CityVilleBot\\CVBot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
S0 rdhfae;rdhfae;c:\windows\system32\drivers\nbmkxm.sys --> c:\windows\system32\drivers\nbmkxm.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/9/2011 2:07 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva312;XDva312; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-02-19 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2011-02-08 07:11]

2011-02-17 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2011-02-08 08:24]

2011-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-682003330-2081526759-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-03 01:00]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-682003330-2081526759-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-03 01:00]

2011-02-19 c:\windows\Tasks\User_Feed_Synchronization-{1B678AF0-529E-452D-9BC6-4A0E6FA61477}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: Download Link Using Mega Manager...
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\z2eodb1p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - ToggleEN Customized Web Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Toolbar: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - %profile%\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Conduit Engine : [You must be registered and logged in to see this link.] - %profile%\extensions\engine@conduit.com
FF - Ext: HP Smart Web Printing: [You must be registered and logged in to see this link.] - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-02-19 12:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-02-19 12:55:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-19 05:55

Pre-Run: 8,508,731,392 bytes free
Post-Run: 8,443,871,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 819416D16A7C700324CA206F62584628

giovannipacanza
Novice
Novice

Posts Posts : 41
Joined Joined : 2010-11-25
Gender Gender : Male
OS OS : Windows 7 Ultimate
Protection Protection : Malwarebytes , Microsoft Security Essentials
Points Points : 22577
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by Belahzur on Sun Feb 20, 2011 2:18 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    Driver::
    rdhfae
    npggsvc
    XDva312
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by giovannipacanza on Sun Feb 20, 2011 7:29 am

ComboFix 11-02-19.02 - user 02/20/2011 15:15:25.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.96 [GMT 7:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA312
-------\Service_npggsvc
-------\Service_rdhfae
-------\Service_XDva312


((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.

2011-02-20 05:17 . 2009-08-06 12:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-18 11:48 . 2011-02-18 11:48 -------- d-----w- c:\program files\Common Files\Java
2011-02-17 09:17 . 2011-02-17 09:17 -------- dc----w- C:\_OTL
2011-02-13 10:53 . 2011-02-13 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-02-12 10:07 . 2011-02-12 10:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2011-02-09 10:07 . 2011-02-09 10:07 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ESET
2011-02-09 09:09 . 2011-02-13 11:02 -------- d-----w- c:\program files\ESET
2011-02-09 09:09 . 2011-02-09 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-02-09 08:27 . 2011-02-09 08:27 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Opera
2011-02-09 08:26 . 2011-02-09 08:27 -------- d-----w- c:\program files\Opera
2011-02-09 07:07 . 2011-02-09 07:07 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-02-09 07:07 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 07:07 . 2011-02-09 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-09 07:07 . 2011-02-09 07:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 07:07 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 08:17 . 2011-02-08 08:17 -------- d-----w- c:\program files\IObit
2011-02-07 08:40 . 2011-02-07 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-02-07 08:37 . 2011-02-13 10:57 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-02-06 09:43 . 2011-02-06 09:43 -------- d-----w- c:\program files\GiftAuto
2011-01-29 21:35 . 2011-01-29 21:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-28 05:06 . 2011-02-16 09:52 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-01-28 03:38 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-28 03:38 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-28 03:38 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-28 03:38 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-28 03:38 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-28 03:38 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-28 03:37 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-28 03:31 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-01-28 03:31 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-01-28 03:28 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-01-28 03:26 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-28 03:26 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-28 03:26 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-01-28 03:26 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-01-27 16:34 . 2011-01-27 16:34 -------- d-----w- c:\windows\ServicePackFiles
2011-01-27 16:34 . 2011-01-28 21:17 -------- d-----w- c:\windows\ie8updates
2011-01-27 16:33 . 2011-01-27 16:33 -------- d-----w- c:\program files\MSXML 4.0
2011-01-25 09:00 . 2011-01-25 09:00 -------- d-----w- c:\documents and settings\user\Application Data\HDRsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 14:40 . 2010-06-30 22:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 12:19 . 2010-06-30 22:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-03 135664]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-07-21 198864]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 11:00 1818624 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 03:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\CityVilleBot\\CVBot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-02-20 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2011-02-08 07:11]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-682003330-2081526759-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-03 01:00]

2011-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-682003330-2081526759-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-03 01:00]

2011-02-20 c:\windows\Tasks\User_Feed_Synchronization-{1B678AF0-529E-452D-9BC6-4A0E6FA61477}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: Download Link Using Mega Manager...
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\z2eodb1p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - ToggleEN Customized Web Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Toolbar: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - %profile%\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Conduit Engine : [You must be registered and logged in to see this link.] - %profile%\extensions\engine@conduit.com
FF - Ext: HP Smart Web Printing: [You must be registered and logged in to see this link.] - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-02-20 15:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-02-20 15:36:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-20 08:36
ComboFix2.txt 2011-02-19 05:55

Pre-Run: 8,237,969,408 bytes free
Post-Run: 8,242,835,456 bytes free

- - End Of File - - 82B576700FF72CB4F0310B61E1E9E547

giovannipacanza
Novice
Novice

Posts Posts : 41
Joined Joined : 2010-11-25
Gender Gender : Male
OS OS : Windows 7 Ultimate
Protection Protection : Malwarebytes , Microsoft Security Essentials
Points Points : 22577
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by Belahzur on Sun Feb 20, 2011 11:46 pm

Hello.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by giovannipacanza on Tue Feb 22, 2011 7:59 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=b986c830f8d3904ab94bd49b3d69c0f6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-22 09:03:14
# local_time=2011-02-22 04:03:14 (+0700, SE Asia Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1792 16777215 100 0 0 0 0 0
# compatibility_mode=8199 39157077 100 100 37641 16713583 0 0
# scanned=50468
# found=2
# cleaned=2
# scan_time=3371
# nod_component=V3 Build:0x30000000
C:\System Volume Information\_restore{F6EDA588-ADCE-4A56-9F9C-224EE603B2FA}\RP97\A0540162.exe Win32/SpeedUpMyPC application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{F6EDA588-ADCE-4A56-9F9C-224EE603B2FA}\RP97\A0540196.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C





why is it that there are folders appearing on my C:/ D:/ drive? i dont know where they came from? and the image of folders and files that appears are like transparent... can i delete them?

giovannipacanza
Novice
Novice

Posts Posts : 41
Joined Joined : 2010-11-25
Gender Gender : Male
OS OS : Windows 7 Ultimate
Protection Protection : Malwarebytes , Microsoft Security Essentials
Points Points : 22577
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by Belahzur on Wed Feb 23, 2011 1:24 am

can i delete them?

Not just yet, can you take a screenshot? I'd like to see these files.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by giovannipacanza on Wed Feb 23, 2011 7:36 am

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

these are the files and folders appears after running the OTL. i don't know where that files and folders came from. especially the thumbs.db i saw it in every folders, and some of my word document was duplicated but in different name. see the picture in recycle bin.

giovannipacanza
Novice
Novice

Posts Posts : 41
Joined Joined : 2010-11-25
Gender Gender : Male
OS OS : Windows 7 Ultimate
Protection Protection : Malwarebytes , Microsoft Security Essentials
Points Points : 22577
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by Belahzur on Thu Feb 24, 2011 1:49 am

Ah okay, them 2 folders that are faded are both legit, leave them and we'll re-hide them.

As for the random numbers/letters folder, just leave them there for now.

To hide files:

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Don't Show hidden files and folders.
  6. Tick Hide protected operating system files (Recommended).
  7. Click Yes when prompted.
  8. Click OK.
  9. Close My Computer.


Anymore problems?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/tifaut.c

Post by giovannipacanza on Thu Feb 24, 2011 8:31 am

thank you...

giovannipacanza
Novice
Novice

Posts Posts : 41
Joined Joined : 2010-11-25
Gender Gender : Male
OS OS : Windows 7 Ultimate
Protection Protection : Malwarebytes , Microsoft Security Essentials
Points Points : 22577
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum