3 trojans on my laptop


Solved Re: 3 trojans on my laptop

Post by Belahzur on Sat Feb 14, 2009 9:44 pm

The official link or my sendspace link?

If my sendspace link works, please download it from there.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1



Post by askenette on Sat Feb 14, 2009 9:46 pm

Still isn't working. It says can rename; must be alphanumeric.

askenette
Novice
Posts : 40
Joined : 2009-02-14
OS : computer
Points : 28540
Likes : 0



Post by Belahzur on Sat Feb 14, 2009 10:02 pm

Hello.
I've edited my post here:
[You must be registered and logged in to see this link.]

New link, new instructions.
See if Combofix will run that way.


Post by askenette on Sat Feb 14, 2009 10:56 pm

OK, so it worked. Do you want me to follow the instructions from the first post you put up for it?


Post by askenette on Sat Feb 14, 2009 11:05 pm

ComboFix 09-02-12.03 - Somara 2009-02-14 21:15:50.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.363 [GMT -6:00]
Running from: c:\users\Somara\Desktop\ComboFix.exe
AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\d36e7c3b-5a19-b26f-c766-e7c570f5b175.dll
c:\windows\system32\cont_dcads-remove.exe
c:\windows\system32\dcads-remove.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-14 20:21 . 2009-02-14 20:21 6,736 --a------ c:\windows\System32\drivers\PROCEXP90.SYS
2009-02-14 18:42 . 2009-02-14 18:42 61,440 --a------ c:\windows\System32\drivers\axqykrbx.sys
2009-02-14 18:29 . 2009-02-14 18:29 d----c--- c:\users\Somara\AppData\Roaming\Malwarebytes
2009-02-14 18:29 . 2009-02-14 18:29 d----c--- c:\users\All Users\Malwarebytes
2009-02-14 18:29 . 2009-02-14 18:29 d----c--- c:\programdata\Malwarebytes
2009-02-14 18:29 . 2009-02-14 18:29 d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-02-14 18:29 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-14 18:29 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-14 17:26 . 2009-01-14 21:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-14 17:26 . 2009-01-15 00:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-14 17:25 . 2009-02-14 17:25 0 -----c--- c:\users\Somara\jre-6u11-windows-i586-p.exe
2009-02-14 17:23 . 2009-02-14 17:28 d----c--- c:\users\Somara\.SunDownloadManager
2009-01-31 16:24 . 2009-01-31 16:24 d----c--- c:\windows\System32\DRVSTORE
2009-01-31 16:24 . 2009-01-31 16:24 d----c--- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 16:24 . 2009-01-31 16:24 d----c--- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 16:24 . 2008-04-17 13:12 107,368 --a------ c:\windows\System32\GEARAspi.dll
2009-01-31 16:24 . 2008-04-17 13:12 15,464 --a------ c:\windows\System32\drivers\GEARAspiWDM.sys
2009-01-31 10:10 . 2009-01-31 16:54 d----c--- c:\program files\Norton 360
2009-01-31 10:04 . 2009-02-03 18:16 124,464 --a------ c:\windows\System32\drivers\SYMEVENT.SYS
2009-01-31 10:04 . 2009-02-03 18:16 10,635 --a------ c:\windows\System32\drivers\SYMEVENT.CAT
2009-01-31 10:04 . 2009-02-03 18:16 806 --a------ c:\windows\System32\drivers\SYMEVENT.INF
2009-01-31 10:02 . 2009-02-03 18:17 d----c--- c:\program files\Symantec
2009-01-31 09:54 . 2009-02-03 17:55 d----c--- c:\users\All Users\Symantec
2009-01-31 09:54 . 2009-02-03 17:55 d----c--- c:\programdata\Symantec
2009-01-31 09:54 . 2009-02-03 19:08 d----c--- c:\program files\Common Files\Symantec Shared
2009-01-31 09:43 . 2009-01-31 17:40 d----c--- c:\users\Somara\AppData\Roaming\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 01:50 --------- dc----w c:\programdata\McAfee
2009-02-15 01:39 --------- dc----w c:\program files\LimeWire
2009-02-14 23:40 --------- dc----w c:\program files\Windows Mail
2009-02-14 23:05 --------- dc----w c:\programdata\Google Updater
2009-02-01 00:17 --------- dc----w c:\program files\Toshiba
2009-02-01 00:12 --------- dc----w c:\programdata\Viewpoint
2009-02-01 00:12 --------- dc----w c:\program files\Viewpoint
2009-01-31 23:57 --------- dc----w c:\programdata\Yahoo
2009-01-31 23:57 --------- dc----w c:\program files\Yahoo!
2009-01-31 23:52 --------- dc----w c:\program files\Zune
2008-12-31 21:53 --------- dc----w c:\program files\Freeze.com
2008-12-20 17:15 --------- dc----w c:\program files\Google
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-17 22:16 516,096 ----a-w c:\windows\iwexec.exe
2008-07-19 19:19 174 --sha-w c:\program files\desktop.ini
2008-05-26 09:41 576 -c--a-w c:\users\Somara\AppData\Roaming\wklnhst.dat
2007-01-05 23:16 262,144 ----a-w c:\programdata\ntuser.dat
2008-06-30 19:44 324,976 -c--a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-01-23 05:12 131,584 -c--a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-05 12:31 654,336 -c--a-w c:\program files\mozilla firefox\components\nsdcads.dll
2008-08-26 20:54 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-08-26 20:54 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-08-26 20:54 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-03-09 07:12 27,648 --sha-w c:\windows\System32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 12:22 1172792 --a--c--- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a--c--- c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a--c--- c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a--c--- c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-28 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-28 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-28 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2006-07-20 151552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-22 29744]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\FreeAgentLauncher.exe" [2007-01-18 79416]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-13 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2008-11-17 111928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]


Post by askenette on Sat Feb 14, 2009 11:06 pm

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.avrn"= AvidAVICodec.dll
"msacm.iac2"= c:\progra~1\REPLAY~1\iac25_32.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1238789669-3064948976-1473514422-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C071C503-85A9-42F0-89E4-54CCD6A59C42}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{89222904-DD06-4C3B-9791-BBED301FC9C0}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{DBAF5C7D-25E8-479E-83A9-AF8215ABEBF6}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{5F820C8A-A04E-4661-98AE-7844B4B690F2}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{19AFF3F7-C40A-4ECD-ADF5-43E29791B3AE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D927705F-DFDE-4287-9314-26339755ECB1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3588B088-A547-4C6C-A246-1FE590F95557}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{4C652EEF-870F-4B25-B8C2-DF1DCC28F30F}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{73C9854D-6617-40CC-9AC7-E4963F5EC7B9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{89F70E6E-E266-4E7C-909B-774C346EAAE7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{29BE69BA-8AD1-47B6-856A-4A03ED0FCE4B}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BE374328-E97E-4C88-B238-D1EC76CA2BBE}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{94209D4F-4CFB-4757-8ACD-FF642EFE3E47}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{65DB44CE-545A-4587-801F-6AABA0EA859F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{779EF58D-254B-4C79-A8AD-1B02DF37095A}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{23F4904F-80DE-486B-A74F-3509CF9546ED}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{216560B0-3C9D-4463-BAA7-8D35DEA9A677}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{710568DF-2365-4933-86CD-2E525A90804B}"= TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{6E4BB7DF-1D32-49C3-8A4E-D908C8627F48}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{E81F6996-842F-4BBF-A06D-FEE5DF530882}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{C541D8BF-6A51-42FC-8053-CE1BDB69C631}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ED227FDC-1568-431F-BA41-915B83D1B785}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{AAAC4F28-92A3-425B-863D-22C2425637EC}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{4D52E311-9F78-4EC5-B99C-C80B397A4045}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{A3A095AB-A472-4BD4-A7F8-3AA4CA288A4F}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{DD8134F3-32EC-48DF-8A05-558BB75538B5}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{A64036F6-3219-44E6-80DE-730AD79DED3A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E82A176-91E9-4D0E-9A07-75F0AC1FA6D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8829CBB1-20ED-4F09-AE9D-32816E7D9433}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{93C982C2-CC0F-463D-BC64-3979FD7F0595}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090129.001\IDSvix86.sys [2009-01-31 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
R3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2008-01-12 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-31 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-17 33752]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-01-05 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{086740ac-aef6-11dc-aedd-0016d4f46d48}]
\shell\AutoRun\command - E:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08d56df5-e52e-11dd-91e0-0016d4f46d48}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503cbcdb-a1d3-11dc-8101-0016d4f46d48}]
\shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a23d61e-0eac-11dd-aa98-0016d4f46d48}]
\shell\AutoRun\command - G:\RavMon.exe
\shell\explore\Command - G:\RavMon.exe -e
\shell\open\Command - G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88449814-7d7e-11dc-8c7e-806e6f6e6963}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c869288-eb4a-11dc-9a71-0016d4f46d48}]
\shell\AutoRun\command - E:\Autorun.exe /run
\shell\Shell00\Command - E:\Autorun.exe /run
\shell\Shell01\Command - E:\Autorun.exe /action
\shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36cc46f-e10a-11dc-89c6-0016d4f46d48}]
\shell\Auto\command - boot.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5824efb-3454-11dc-be1e-0016d4f46d48}]
\shell\AutoRun\command - E:\RavMon.exe
\shell\explore\Command - E:\RavMon.exe -e
\shell\open\Command - E:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a6d8d8-2622-11dd-9c36-0016d4f46d48}]
\shell\AutoRun\command - E:\RavMon.exe
\shell\explore\Command - E:\RavMon.exe -e
\shell\open\Command - E:\RavMon.exe
.


Post by askenette on Sat Feb 14, 2009 11:06 pm

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKCU-Run-Yahoo! Pager - ~c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {F904C4AC-3E2D-40DA-B409-C25DCEB9922A} = 172.16.24.1,66.178.2.16,66.178.2.25,58.147.128.7
FF - ProfilePath - c:\users\Somara\AppData\Roaming\Mozilla\Firefox\Profiles\9an8whrn.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
1 file(s) moved.
1 file(s) moved.
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\nsdcads.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-14 21:22:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
Completion time: 2009-02-14 21:27:59
ComboFix-quarantined-files.txt 2009-02-15 03:27:54

Pre-Run: 75,910,471,680 bytes free
Post-Run: 75,930,886,144 bytes free

299 --- E O F --- 2009-02-14 23:45:47


Post by Belahzur on Sun Feb 15, 2009 9:53 am

Nearly there.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\System32\drivers\axqykrbx.sys
c:\users\Somara\AppData\Roaming\Mozilla\Firefox\Profiles\9an8whrn.default\user.js

Folder::
c:\program files\Freeze.com
c:\program files\LimeWire

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a23d61e-0eac-11dd-aa98-0016d4f46d48}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88449814-7d7e-11dc-8c7e-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c869288-eb4a-11dc-9a71-0016d4f46d48}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36cc46f-e10a-11dc-89c6-0016d4f46d48}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5824efb-3454-11dc-be1e-0016d4f46d48}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a6d8d8-2622-11dd-9c36-0016d4f46d48}]

Firefox::
FF - ProfilePath - c:\users\Somara\AppData\Roaming\Mozilla\Firefox\Profiles\9an8whrn.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will start Combofix again, follow any prompts given.
Copy and paste the new report back here.


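The mountpoints2 blocks in the ComboFix log above are the entries that the Registry:: section of the CFScript deletes: each one is the autorun handler Windows cached for a removable drive. As an added example, not code from this thread or from ComboFix, the Python below parses those blocks (the sample is excerpted from the log posted above), scores each one with a heuristic of this example's own (an entry is flagged when it launches through RunDLL32 ShellExec_RunDLL, when several shell verbs all run the same program, or when it carries the non-standard Auto verb), and prints CFScript Registry:: lines for the flagged keys. The function names and the rules are assumptions; on this log the rules select the same six keys as the CFScript above and leave the single-verb entries, such as the FreeAgent installer, alone.

```python
"""Triage the mountpoints2 (USB autorun) blocks of a ComboFix log and emit
CFScript 'Registry::' lines for the suspicious ones. Added example; not
GeekPolice's or ComboFix's code. The rules in assess() are assumptions."""

import re

# Constructed sample: the mountpoints2 section excerpted from the log
# posted in this thread, in the layout ComboFix prints.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{086740ac-aef6-11dc-aedd-0016d4f46d48}]
\shell\AutoRun\command - E:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08d56df5-e52e-11dd-91e0-0016d4f46d48}]
\shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503cbcdb-a1d3-11dc-8101-0016d4f46d48}]
\shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a23d61e-0eac-11dd-aa98-0016d4f46d48}]
\shell\AutoRun\command - G:\RavMon.exe
\shell\explore\Command - G:\RavMon.exe -e
\shell\open\Command - G:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88449814-7d7e-11dc-8c7e-806e6f6e6963}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c869288-eb4a-11dc-9a71-0016d4f46d48}]
\shell\AutoRun\command - E:\Autorun.exe /run
\shell\Shell00\Command - E:\Autorun.exe /run
\shell\Shell01\Command - E:\Autorun.exe /action
\shell\Shell02\Command - E:\Autorun.exe /uninstall
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36cc46f-e10a-11dc-89c6-0016d4f46d48}]
\shell\Auto\command - boot.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5824efb-3454-11dc-be1e-0016d4f46d48}]
\shell\AutoRun\command - E:\RavMon.exe
\shell\explore\Command - E:\RavMon.exe -e
\shell\open\Command - E:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a6d8d8-2622-11dd-9c36-0016d4f46d48}]
\shell\AutoRun\command - E:\RavMon.exe
\shell\explore\Command - E:\RavMon.exe -e
\shell\open\Command - E:\RavMon.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\shell\\([^\\]+)\\command - (.+)$", re.I)
SHELLEXEC_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll,\s*shellexec_rundll\s+(.+)", re.I)


def parse_mountpoints(log_text):
    """Return {registry key: {verb: command}} for every mountpoints2 block."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            entries[current][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def launched_program(command):
    """Reduce a handler command line to the program it ultimately starts."""
    via_rundll = SHELLEXEC_RE.search(command)
    if via_rundll:                      # RunDLL32 ShellExec_RunDLL <target ...>
        command = via_rundll.group(1)
    command = command.strip()
    if command.startswith('"'):         # quoted path, may contain spaces
        close = command.find('"', 1)
        return command[1:close].lower() if close > 0 else command[1:].lower()
    return command.split()[0].lower()


def assess(handlers):
    """Reasons (possibly none) why one entry looks like autorun-worm residue.
    Heuristic of this example, not ComboFix's own logic."""
    reasons = []
    commands = list(handlers.values())
    if any(SHELLEXEC_RE.search(c) for c in commands):
        reasons.append("launches through RunDLL32 ShellExec_RunDLL")
    programs = {launched_program(c) for c in commands}
    if len(handlers) > 1 and len(programs) == 1:
        reasons.append("%d shell verbs all run %s" % (len(handlers), programs.pop()))
    if "auto" in handlers:
        reasons.append("non-standard 'Auto' verb")
    return reasons


def suspicious_keys(log_text):
    """Registry keys whose handlers trip at least one rule, in log order."""
    return [k for k, h in parse_mountpoints(log_text).items() if assess(h)]


def cfscript_registry_section(keys):
    """CFScript syntax: '[-KEY]' under 'Registry::' deletes the key."""
    return "Registry::\n" + "".join("[-%s]\n" % k for k in keys)


if __name__ == "__main__":
    for key, handlers in parse_mountpoints(SAMPLE_LOG).items():
        flags = assess(handlers)
        print(key.rsplit("\\", 1)[1], "SUSPICIOUS: " + "; ".join(flags) if flags else "ok")
    print(cfscript_registry_section(suspicious_keys(SAMPLE_LOG)))
```

Run as a script it prints a verdict per entry followed by the Registry:: section; the verdicts are a triage aid to check against the log before anything goes into a CFScript, not a substitute for reading each handler.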

Post by Doctor Inferno on Sun Jul 05, 2009 11:30 pm

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.



Doctor Inferno
Administrator
Posts : 11976
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104620
Likes : 0
