yahoo email virus


Post by nandixtr on 1st March 2011, 10:02 am

Hello,
There are emails sent from my address to all of my contacts.
The subject of the mail is my id.
And the mail contains a link. A different one each time.

I scanned my laptop, even in safe mode with Malwarebytes' Anti-Malware, but nothing was found.

Please help.

nandixtr
Intermediate

Posts: 108
Joined: 2011-02-28
Gender: Male
OS: Vista
Protection: Avira
Points: 21522
Likes: 0


Re: yahoo email virus

Post by Gabethebabe on 1st March 2011, 11:54 am

Hello nandixtr and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end! If your computer starts running better, that doesn't mean it is clean yet!


====================

Three possibilities:
  1. The spam e-mails were sent from your computer.
  2. The spam e-mails were sent from your e-mail address. To avoid this, simply change the password of your e-mail address (from a clean computer!)
  3. The spam e-mails were sent from a random e-mail address and your e-mail address was "spoofed" (i.e. the e-mails APPEAR to come from you, but in reality do not). There is nothing you can do about this, just make sure your personal data is not for grabs on the [You must be registered and logged in to see this link.]

Together we will verify whether option 1 applies. In the next step we will check your computer for malware.

====================

We are going to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit [You must be registered and logged in to see this link.] and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Gabethebabe
Top Dog

Posts: 1568
Joined: 2010-03-07
Gender: Male
OS: Win7
Points: 38248
Likes: 0

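The three possibilities listed above can partly be told apart from the headers of one of the offending mails, as received by a contact. The following is an added example, not from the thread or from GeekPolice: it reads the Authentication-Results and Received headers with Python's standard email module and reports whether the message really went out through the account (possibility 2, so the password is what to change) or only carried a forged From address (possibility 3). All domains, addresses and header text are constructed samples. Possibility 1 (the user's own PC sent the mail) cannot be decided from headers alone; that is what the host-side scans in the thread are for.

```python
"""Header triage for a 'mail sent from my address' complaint.

Added example (not from the thread or from GeekPolice). It separates two
of the three possibilities the helper lists: the mail really passed
through the account (fix: change the password from a clean machine)
versus the From address being merely spoofed (nothing to fix on the
account). Domains, IPs and header text below are constructed samples.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def from_domain(msg):
    """Domain of the visible From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect method=verdict pairs from Authentication-Results headers.

    Only the receiving server's own verdicts are trustworthy, so this is
    meant to be run on a copy pulled from the recipient's mailbox.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", hdr):
            results.setdefault(method.lower(), verdict.lower())
    return results


def first_hop(msg):
    """The bottom-most Received: header is the earliest hop, i.e. where
    the message first entered the mail system."""
    received = msg.get_all("Received", [])
    return received[-1].lower() if received else ""


def classify(raw_message):
    """Return 'account', 'spoofed' or 'undetermined' for one raw message."""
    msg = message_from_string(raw_message)
    domain = from_domain(msg)
    auth = auth_results(msg)
    hop = first_hop(msg)
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    # First hop inside the user's own provider plus a passing SPF/DKIM
    # check: the provider itself handed the mail on, so the credentials
    # were used and the account is the thing to fix.
    if authenticated and domain and domain in hop:
        return "account"
    # Checks were performed and failed: the From address was forged.
    if auth and not authenticated:
        return "spoofed"
    return "undetermined"


# Constructed sample: sent through the user's own webmail account.
SENT_VIA_ACCOUNT = "\n".join([
    "Received: from mx1.example-mail.net (mx1.example-mail.net [192.0.2.10]) by mail.friend.example with ESMTP; Tue, 1 Mar 2011 09:40:11 +0200",
    "Received: from [203.0.113.5] by web42.mail.example-mail.net via HTTP; Tue, 1 Mar 2011 09:40:02 +0200",
    "Authentication-Results: mail.friend.example; spf=pass smtp.mailfrom=example-mail.net; dkim=pass header.d=example-mail.net",
    "From: someone@example-mail.net",
    "To: friend@friend.example",
    "Subject: someone",
    "",
    "http://link.invalid/abc",
])

# Constructed sample: From address forged by an unrelated host.
SPOOFED = "\n".join([
    "Received: from unknown (HELO mail.example-mail.net) (198.51.100.77) by mail.friend.example with SMTP; Tue, 1 Mar 2011 09:41:30 +0200",
    "Authentication-Results: mail.friend.example; spf=fail (198.51.100.77 is not permitted) smtp.mailfrom=example-mail.net; dkim=none",
    "From: someone@example-mail.net",
    "To: friend@friend.example",
    "Subject: someone",
    "",
    "http://link.invalid/def",
])

# Constructed sample: receiving server recorded no authentication checks.
NO_AUTH_CHECKS = "\n".join([
    "Received: from relay.somewhere.example (relay.somewhere.example [198.51.100.9]) by mail.friend.example; Tue, 1 Mar 2011 09:42:00 +0200",
    "From: someone@example-mail.net",
    "To: friend@friend.example",
    "Subject: someone",
    "",
    "http://link.invalid/ghi",
])
```

A practitioner would run classify() over the raw source of several of the complained-about mails as saved by the recipients; a consistent "account" verdict means the password change in possibility 2 is the fix, while "spoofed" means the account itself was not used.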

Re: yahoo email virus

Post by nandixtr on 1st March 2011, 2:44 pm

OK, thanks for helping.
I scanned my laptop, and here is the log:



ComboFix 11-02-28.07 - Nandi 01/03/2011 16:08:23.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3004.1570 [GMT 2:00]
Running from: c:\users\Nandi\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2011-03-01 14:18 . 2011-03-01 14:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-01 14:18 . 2011-03-01 14:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-01 09:12 . 2011-03-01 09:12 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-03-01 07:47 . 2011-03-01 07:47 -------- d-----w- c:\users\Nandi\AppData\Roaming\Malwarebytes
2011-03-01 07:46 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 07:46 . 2011-03-01 07:46 -------- d-----w- c:\programdata\Malwarebytes
2011-03-01 07:46 . 2011-03-01 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 07:46 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 06:57 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77EB99E8-B35B-4E81-8ABB-B79847B518C5}\mpengine.dll
2011-02-24 10:25 . 2011-02-24 10:25 -------- d-----w- c:\users\Nandi\AppData\Roaming\Avira
2011-02-24 10:23 . 2010-12-13 06:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-24 10:23 . 2010-12-13 06:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-24 10:23 . 2011-02-24 10:23 -------- d-----w- c:\programdata\Avira
2011-02-24 10:23 . 2011-02-24 10:23 -------- d-----w- c:\program files\Avira
2011-02-24 08:53 . 2011-02-24 08:53 -------- d-----w- c:\program files\Common Files\Skype
2011-02-23 13:02 . 2009-12-14 10:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2011-02-23 13:02 . 2009-12-14 10:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2011-02-23 13:00 . 2011-02-24 10:09 -------- d-----w- c:\programdata\Kaspersky Lab
2011-02-10 09:13 . 2011-02-10 09:14 -------- d-----w- c:\users\Nandi\AppData\Roaming\DiskAid
2011-02-09 20:37 . 2011-01-20 16:08 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 15:11 . 2009-11-08 17:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 15:55 . 2011-01-12 09:01 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 15:33 . 2010-12-18 15:33 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2010-12-18 15:33 . 2010-12-18 15:33 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-12-14 14:49 . 2011-01-12 09:01 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-28 23:21 . 2009-10-28 23:21 10277728 ----a-w- c:\program files\winamp556_full_emusic-7plus_en-us.exe
2009-10-28 23:06 . 2009-10-28 23:06 2025768 ----a-w- c:\program files\SkypeSetup.exe
2009-10-28 22:58 . 2009-10-28 22:58 445128 ----a-w- c:\program files\msgr9us.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 12:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
2009-07-02 08:18 2215960 ----a-w- c:\program files\BS_Player\tbBS_P.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-11-04 6174008]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"UpdateP2GShortCut"="c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-04-23 4097864]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-05-04 5064520]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-04-11 26704]
"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2007-09-06 450560]
"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2007-08-10 20480]
"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2007-09-18 307200]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]
"UIExec"="c:\program files\ZTE Join Air\UIExec.exe" [2010-11-01 139088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2008-8-26 752168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Total Commander Pro.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Total Commander Pro.lnk
backup=c:\windows\pss\Total Commander Pro.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 08:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Serviciul Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 135664]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-03-13 24576]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-05-06 379968]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-05-06 412736]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-09-27 9216]
R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [2008-01-21 21504]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-01-10 81192]
S0 Wdkbdmou;Lenovo RMCT KbdMou Service;c:\windows\system32\DRIVERS\Wdkbdmou.sys [2009-03-02 8832]
S1 funfrm;funfrm; [x]
S1 LenovoVCD;LenovoVCD;c:\windows\system32\drivers\LenovoVCD.sys [2009-02-14 16200]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 IGRS;IGRS;c:\program files\Lenovo\ReadyComm\common\IGRS.exe [2008-02-14 32768]
S2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe [2007-09-20 589824]
S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [2007-07-17 94208]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [2008-01-21 21504]
S2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2008-09-27 430080]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-01-14 2250616]
S2 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-08-29 48192]
S2 UI Assistant Service;UI Assistant Service;c:\program files\ZTE Join Air\AssistantServices.exe [2010-11-01 253264]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-10-23 223232]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-07-31 29736]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-21 112128]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-03-02 8832]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 08:54]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 17:52]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 17:52]

2011-03-01 c:\windows\Tasks\User_Feed_Synchronization-{3DDA18F2-F17B-4F69-9C6D-D447F12E29B9}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Nandi\AppData\Roaming\Mozilla\Firefox\Profiles\dl97g879.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: LoudMo Contextual Ad Assistant: {a5c6f5d7-6464-f4f1-d8dd-75874493fc7e} - c:\program files\Mozilla Firefox\extensions\{a5c6f5d7-6464-f4f1-d8dd-75874493fc7e}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: British English Dictionary: [You must be registered and logged in to see this link.] - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MobileConnect - %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1340)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_rum.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxdoserv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TUProgSt.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\YahooMessenger.exe
c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Lenovo\Bluetooth Software\BtStackServer.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Windows Defender\MSASCui.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-03-01 16:30:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 14:29

Pre-Run: 58,323,124,224 bytes free
Post-Run: 58,155,278,336 bytes free

- - End Of File - - 56F9FE464B6EE65F03AC9D98F6CFCC01




Re: yahoo email virus

Post by Gabethebabe on 1st March 2011, 7:55 pm

OK, Combofix found an infected system file. Let's see if we can find a clean backup copy.

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main textfield:

:filefind
userinit.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt)


Re: yahoo email virus

Post by nandixtr on 2nd March 2011, 9:14 am

This is the result:

SystemLook 04.09.10 by jpshortstuff
Log created at 11:12 on 02/03/2011 by Nandi
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit.exe"
C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [14:28 01/03/2011] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-



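As an added example, not part of the thread and not code from SystemLook or ComboFix, the following Python parses the filefind lines posted above and checks whether the live System32 copy carries the same MD5 as the copy in the winsxs component store. The first sample input is the posted output itself; the second is a constructed variant showing what a replaced live copy would look like. The hash_file helper is for recomputing a hash on the machine rather than trusting a log, and is an assumption about how one would re-check, not a step from the thread.

```python
"""Cross-check the copies of a system file listed by SystemLook.

Added example (not from the thread, not part of SystemLook or ComboFix).
It parses ':filefind' result lines, groups the copies by MD5 and reports
whether the live System32 copy matches the winsxs component-store copy.
"""
import hashlib
import re

# path, attribute flags, size, two bracketed timestamps as printed, MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<time_a>[^\]]+)\]\s+\[(?P<time_b>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per result line; banner and EOF lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def assess(entries):
    """Compare the live System32 copy against the winsxs reference copies."""
    live = [e for e in entries
            if "\\system32\\" in e["path"].lower()
            and "\\winsxs\\" not in e["path"].lower()]
    reference = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    by_md5 = {}
    for e in entries:
        by_md5.setdefault(e["md5"], []).append(e["path"])
    live_md5 = live[0]["md5"] if live else None
    reference_md5s = {e["md5"] for e in reference}
    return {
        "live_md5": live_md5,
        "reference_md5s": reference_md5s,
        # consistent only if a live copy exists and every winsxs copy matches it
        "consistent": live_md5 is not None and reference_md5s == {live_md5},
        "distinct_hashes": len(by_md5),
        "paths_by_md5": by_md5,
    }


def hash_file(path, chunk=1 << 20):
    """MD5 of a file on disk, to re-check a copy independently of any log
    (assumed helper; run it on the machine being examined)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


# Taken from the SystemLook output posted above.
POSTED_OUTPUT = r"""
Searching for "userinit.exe"
C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [14:28 01/03/2011] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-
"""

# Constructed: the same listing, but with the live copy replaced
# (different size, recent timestamp, different hash).
TAMPERED_OUTPUT = POSTED_OUTPUT.replace(
    "C:\\Windows\\System32\\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9",
    "C:\\Windows\\System32\\userinit.exe --a---- 26112 bytes [03:11 28/02/2011] [02:24 21/01/2008] 00000000000000000000000000000000",
)
```

Two caveats when reading the result. The ERDNT\cache copy is stamped 14:28 on 01/03/2011, the minute before the ComboFix log's own quarantine file, so it is a copy ComboFix took from the live file and adds no independent evidence; only the winsxs copy does. And agreement between copies shows that the live file was not replaced on this machine, not that the file is known-good, which is what the VirusTotal step later in the thread checks.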

Re: yahoo email virus

Post by Gabethebabe on 3rd March 2011, 11:50 am

Hey nandixtr, sorry for the wait. I had to discuss this issue with my teachers. Combofix identified that a file was infected, but the Systemlook results say the file is authentic. I never saw that before!

Let's try another test.
Analysis of a suspicious file.
  • Please go to the Virustotal website by clicking [You must be registered and logged in to see this link.]
  • Click the Browse button and in the Name field paste:
    C:\Windows\System32\userinit.exe
  • Click Open and click Send File
  • If Virustotal informs you that "File has already been analysed", click Reanalyse file now
  • An analysis report will appear. Copy and paste the url (something like [You must be registered and logged in to see this link.]) into your next reply.




Re: yahoo email virus

Post by nandixtr on 3rd March 2011, 3:53 pm

Hello, the url:

[You must be registered and logged in to see this link.]




Re: yahoo email virus

Post by Gabethebabe on 4th March 2011, 11:39 am

It is starting to appear that your computer was actually clean, which is all the better. If you want, we can run one final scan with a pretty good scanner (Dr. Web CureIt).

Please download Dr. Web CureIt from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click drweb-cureit.exe to run the scanner
  • Click OK when Dr. Web asks if you want to enter "Enhanced Protection Mode" (EPM)
  • Click OK when prompted about legal terms
  • Click Start to start the Express Scan, which is a relatively short scan. During the scan you will not be able to use your computer.
  • If a popup menu appears, asking you to buy the full version, just close that window.
  • Allow Dr. Web to cure/move whatever infection has been found
  • Once the short scan has finished, choose the Complete Scan
  • Select all drives. A red dot shows which drives have been chosen
  • Click the green arrow to start the complete scan
  • This scan can take very looooooong. Just allow it to run
  • Allow Dr. Web to cure/move whatever infection has been found
  • When the scan has finished, look and see if you can click the following icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

  • Incurable files will be moved to a safe folder (%userprofile%\DoctorWeb\quarantaine-folder)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr. Web CureIt
  • Reboot your computer so that Dr. Web can finish the cleanup process
  • Please post the contents of DrWeb.csv in your next reply.



Re: yahoo email virus

Post by nandixtr on 5th March 2011, 5:34 pm

Hello,

I scanned the laptop with the Dr Web scanner. On the Express scan it didn't find anything, but on the Complete scan there was 1 deleted infection and 2 or 3 infected files moved.
I tried to save the log, but when I clicked Save report list an error occurred. A blue screen appeared, and the laptop rebooted itself.
After rebooting, a notification appeared that Windows has recovered from an unexpected shutdown:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: 19
BCP1: 00000021
BCP2: CE338000
BCP3: 0004BAC8
BCP4: 00740078
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini030511-02.dmp
C:\Users\Nandi\AppData\Local\Temp\WER-68983-0.sysdata.xml
C:\Users\Nandi\AppData\Local\Temp\WERA929.tmp.version.txt

Read our privacy statement:
[You must be registered and logged in to see this link.]

I scanned the laptop again and the same problem occurred.

What should I do?




Re: yahoo email virus

Post by Gabethebabe on 6th March 2011, 8:33 pm

Let's see if Dr.Web left us a log.
Go to Start >> Run and type or copy/paste:
%userprofile%\DoctorWeb

Execute that. It should open a folder. What do you see in that folder? Is it postable? (don't post a 32 MB log please)


Re: yahoo email virus

Post by nandixtr on 7th March 2011, 6:46 am

Hello,

A file named CureIt.log.
This file is not really postable, it is a 116 MB log.




Re: yahoo email virus

Post by Gabethebabe on 7th March 2011, 9:20 am

116 MB LOL
I do not want to die of boredom yet, so feel free to delete this log.

We will try another online scanner. Hopefully this one does not crash your computer.

Please make sure you are logged in as a user with administrator rights and proceed with the following steps:
  • Use Internet Explorer to browse to the [You must be registered and logged in to see this link.]
  • Click the green ESET Online Scanner button
  • A popup window will open
  • Accept the terms of use and click Start
  • Internet Explorer probably informs you that ESET tries to install an add-on. Allow that.
  • UNSELECT the Remove all threats option.
  • Click Start
  • When the scan has finished and threats were found, click List of found threats
  • Click Export to text file and save it as e.g. eset.txt on your desktop
  • Click Back
  • Select Uninstall application on close
  • Click Finish. ESET Online Scanner will now uninstall itself
  • Please post the contents of the eset.txt in your next reply.



Re: yahoo email virus

Post by nandixtr on 7th March 2011, 1:47 pm

Hello,

This is the log:

C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN.rar a variant of Win32/Keygen.AR application
C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN\DiGiNSAN.rar a variant of Win32/Keygen.AR application
C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN\Keygen.exe a variant of Win32/Keygen.AR application



nandixtr
Intermediate
Intermediate

Posts Posts : 108
Joined Joined : 2011-02-28
Gender Gender : Male
OS OS : Vista
Protection Protection : Avira
Points Points : 21522
# Likes # Likes : 0

View user profile

Back to top Go down
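As an added illustration (not code from the thread or from ESET), a small Python parser for a list of found threats in the layout posted above. It assumes each line is `<path> <detection> [<category>]`, that detections are written as `a variant of <Platform>/<Family>.<Variant>`, and that ESET's `application` category marks potentially unwanted programs such as keygens; it splits on the detection phrase rather than on whitespace because the paths themselves contain spaces.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input: the three lines posted in the thread above.
SAMPLE_LOG = (
    r"C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN.rar a variant of Win32/Keygen.AR application" "\n"
    r"C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN\DiGiNSAN.rar a variant of Win32/Keygen.AR application" "\n"
    r"C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN\Keygen.exe a variant of Win32/Keygen.AR application" "\n"
)

# Assumed line layout (not documented on the page): "<path> <detection> [<category>]".
# Paths contain spaces, so the split point is the detection phrase, not whitespace.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably\s+)?a variant of\s+\S+|\S+/\S+)"
    r"(?:\s+(?P<category>.+?))?\s*$"
)


def parse_eset_log(text):
    """Return one dict per line; lines that do not fit the layout are kept under 'raw'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append({"raw": line})
            continue
        category = m.group("category") or ""
        entries.append({
            "path": m.group("path"),
            "detection": m.group("detection").split()[-1],  # e.g. "Win32/Keygen.AR"
            "category": category,
            "pua": category == "application",  # assumption: ESET's tag for potentially unwanted apps
        })
    return entries


def summarize(entries):
    """Count detections and the directories they live in, so the user knows what to remove."""
    by_detection = Counter(e["detection"] for e in entries if "detection" in e)
    by_dir = Counter(str(PureWindowsPath(e["path"]).parent) for e in entries if "path" in e)
    return by_detection, by_dir


if __name__ == "__main__":
    by_det, by_dir = summarize(parse_eset_log(SAMPLE_LOG))
    print(by_det, by_dir, sep="\n")
```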

Re: yahoo email virus

Post by Gabethebabe on 7th March 2011, 2:59 pm

Keygen/crack warning!
There are keygens and/or cracks on your computer. Please be aware that these programs are generally used for illegal purposes. Software piracy is a crime that we at GeekPolice do not recommend or approve (but rest assured that we do not report it either).
Keygens and cracks form a very important distribution network of malware. It might be the reason for your present infection. Even if you use renowned security software, you can never be safe, as you might run into a fresh new variant (a so-called 0-day threat).

Example: Two VirusTotal reports of a keygen that in reality was a [You must be registered and logged in to see this link.] carrying a nasty infection called [You must be registered and logged in to see this link.].
[You must be registered and logged in to see this link.] is the report of the trojan just after release - 0/40 virus scanners detected the deadly load.
[You must be registered and logged in to see this link.] is a report of the same file just five days later - 24/40 have updated their signature database to detect it.
If you would repeat the analysis today, it would probably be detected by even more scanners. Tough luck for the users that picked it up early. Make sure you are not among them.

Stay out of trouble: get free software instead! I provide some safe websites where you can pick up free software, often just as good as commercial software.


OK, your computer appears to be clean.
That means that the spam e-mails were not sent from your computer. Either someone hacked your e-mail account (I assume you have changed your password?) or your e-mail address was spoofed.

Any more questions?


Re: yahoo email virus

Post by nandixtr on 7th March 2011, 3:13 pm

I understand the issue with the keygens and/or cracks and I thank you for the links.

Yes, I changed my password.

Thank you for helping. No more questions (for now).




Re: yahoo email virus

Post by Gabethebabe on 7th March 2011, 4:36 pm

Cool.

You will no longer need Combofix.
Go to Start > Run and type or copy/paste
combofix /uninstall

====================

To close this case, let me provide you with some recommendations:

1) Keep your Windows up-to-date. Windows Autoupdate should be ON (see Start >> Control Panel >> Security Center). An alternative way (but more time-consuming) is to periodically visit [You must be registered and logged in to see this link.]. Hackers are looking every day for new security holes. Microsoft keeps patching them. You cannot fall behind in this race; it will make your system vulnerable.

2) For your average daily computer activities, use a limited/standard user account. If you use Vista/WIN7 do not disable User Account Control (UAC). You would be amazed to know how much malware can't touch you if you deny it admin rights. Create a separate password-protected administrator account that you use for admin activities, like (un)installing software.

3) Use a good antivirus. There are various free ones, you cannot go wrong with either of the following three:
  • [You must be registered and logged in to see this link.]. If you want your antivirus to be light on resources, I recommend Panda. Install without the toolbar.
  • [You must be registered and logged in to see this link.]. 100 million users can't be wrong. If you want high detection rates, this is your best free bet.
  • [You must be registered and logged in to see this link.] is a very complete antivirus, with modules like mailscanner and webshield.

4) If your computer has 1GB system memory or more, you should install a third party firewall, to replace the weak Windows Firewall. I recommend:
  • [You must be registered and logged in to see this link.]. Install the internet security suite, but without the antivirus and without the Hopsurf toolbar.
  • [You must be registered and logged in to see this link.]. A very smart and user friendly firewall.
  • [You must be registered and logged in to see this link.] is another rocksolid choice.

Note: you should run only ONE antivirus and ONE firewall. Running multiples of either is bad; it will cause slowdowns and/or conflicts.

5) Miscellaneous advice:
  • Stay away from cracks and keygens (look [You must be registered and logged in to see this link.] for the why). Get free software instead. [You must be registered and logged in to see this link.] is an excellent source of freeware reviews.
  • Navigate safely. [You must be registered and logged in to see this link.] is the safest browser available. However, Mozilla Firefox can be made extremely safe with the [You must be registered and logged in to see this link.] addon. Internet Explorer (always use [You must be registered and logged in to see this link.]) can be made a lot safer with [You must be registered and logged in to see this link.] (manual [You must be registered and logged in to see this link.]).
  • The [You must be registered and logged in to see this link.] addon will help you to stay on reliable webpages.
  • [You must be registered and logged in to see this link.] alerts you when changes are made in vital system areas. Especially good on light systems not running a third party firewall.
  • Make sure you have ways to recover your operating system and other vital data if it gets frustrated by malware and/or other problems. A Windows setup CD and recent backups/disk images will be priceless if you find yourself in an unexpected tight spot.

Finally: did we help you? [You must be registered and logged in to see this link.]!

