Virus and or malware??

Page 2 of 2

Re: Virus and or malware??

Post by Belahzur on Mon Apr 13, 2009 12:50 pm

Hello.
Same, we've both had busy days.

Let's use ComboFix again, but with a custom script for your machine.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

FileLook::
c:\program files\Global.sw

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
Likes : 1

Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 12:26 pm

ComboFix 09-04-14.08 - marino limauro 04/14/2009 8:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.685 [GMT -4:00]
Running from: c:\documents and settings\marino limauro\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\marino limauro\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-10 13:55 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-10 13:55 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 13:30 . 2008-10-16 18:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-10 13:30 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-03 16:31 . 2008-10-16 18:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-02 23:20 . 2009-04-10 13:23 -------- dc----w c:\windows\ie8
2009-04-02 22:14 . 2009-04-02 22:14 -------- d-----w c:\documents and settings\marino limauro\IECompatCache
2009-04-02 22:12 . 2009-04-02 22:12 -------- d-----w c:\documents and settings\LocalService\IETldCache
2009-04-02 22:09 . 2009-04-02 22:09 -------- d-----w c:\documents and settings\marino limauro\PrivacIE
2009-04-02 22:06 . 2009-04-02 22:06 -------- d-----w c:\documents and settings\marino limauro\IETldCache
2009-04-02 22:00 . 2009-04-10 13:24 -------- d-----w c:\windows\ie8updates
2009-04-02 20:41 . 2009-04-02 20:57 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-24 22:18 . 2009-03-24 22:18 -------- d-----w c:\documents and settings\marino limauro\Application Data\Malwarebytes
2009-03-24 22:18 . 2009-03-24 22:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 16:11 . 2003-04-18 00:26 79 ----a-w c:\windows\delay2.reg
2009-03-23 15:46 . 2009-03-23 15:46 35262 ----a-w c:\windows\marino limauro000.acl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 23:15 . 2009-04-10 23:41 -------- d-----w c:\documents and settings\marino limauro\Application Data\U3
2009-04-11 18:01 . 2009-04-11 18:01 -------- d-----w c:\program files\Avira
2009-04-11 18:01 . 2009-04-11 18:01 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-11 17:32 . 2008-04-05 20:58 -------- d-----w c:\documents and settings\marino limauro\Application Data\Skype
2009-04-11 17:09 . 2004-07-22 11:26 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-11 17:07 . 2005-08-08 17:26 -------- d-----w c:\program files\Norton AntiVirus
2009-04-11 17:07 . 2004-07-22 11:26 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-11 14:39 . 2009-04-11 14:38 888 ----a-w C:\avenger.txt
2009-04-11 01:08 . 2004-07-22 11:17 -------- d-----w c:\program files\Java
2009-04-10 22:35 . 2007-09-15 17:11 971301 ----a-w C:\VETlog.txt
2009-04-10 22:35 . 2007-09-15 17:11 53562 ----a-w C:\VETlog.dmp
2009-04-10 21:14 . 2009-04-10 21:14 -------- d-----w c:\program files\Trend Micro
2009-04-10 13:55 . 2009-03-24 22:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 13:26 . 2008-06-16 02:52 -------- d-----w c:\program files\AOL 9.1a
2009-04-10 13:25 . 2007-12-22 18:20 -------- d-----w c:\program files\Yahoo!
2009-04-10 13:23 . 2009-04-02 23:36 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 02:58 . 2009-04-10 02:56 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 02:58 . 2008-09-29 21:26 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 00:45 . 2007-12-22 18:32 -------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-04-09 23:34 . 2008-04-05 21:04 -------- d-----w c:\documents and settings\marino limauro\Application Data\skypePM
2009-03-14 00:27 . 2009-03-14 00:28 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-02-13 15:31 . 2009-04-11 18:01 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-02-09 11:13 . 2008-10-15 05:44 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2003-07-15 21:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 01:07 . 2008-07-09 21:36 3698584 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-01-17 02:35 . 2006-05-19 15:08 3594752 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-05 21:04 . 2008-04-05 21:04 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-06-08 15:35 . 2005-08-08 15:51 29536 -c--a-w c:\documents and settings\marie limauro\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 22:20 . 2005-08-08 19:17 29536 -c--a-w c:\documents and settings\marino limauro\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-11-05 18:36 . 2006-11-05 18:36 560 -c--a-w c:\program files\Global.sw
2005-08-22 16:51 . 2005-08-22 16:51 137 -c--a-w c:\documents and settings\marino limauro\Local Settings\Application Data\fusioncache.dat
2005-08-22 16:28 . 2005-08-22 16:28 136 -c--a-w c:\documents and settings\marie limauro\Local Settings\Application Data\fusioncache.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Global.sw -- Not a PE file.
File Size: 560
Created Time: 2006-11-05 18:36
Modified Time: 2006-11-05 18:36
Accessed Time: 2009-04-14 12:12
MD5: 6A226594ADB7CD283439380588A0CB20
SHA: 11A311E90A3AAB096F4E18B9FA48AC3F40006761


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AOL Fast Start"="c:\program files\AOL 9.1a\AOL.EXE" [2008-06-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1182108996\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 ppsio2;PPDevice; [x]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8741b3c9-2614-11de-b551-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4ebbd0d-5bd0-11dc-9a58-00038a000015}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-14 08:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5412)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\acs\AOLacsd.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\AOL 9.1a\waol.exe
c:\program files\AOL 9.1a\shellmon.exe
c:\program files\Common Files\AOL\1182108996\ee\aolsoftware.exe
c:\windows\SYSTEM32\wscript.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 12:23
ComboFix2.txt 2009-04-11 23:21

Pre-Run: 55,468,511,232 bytes free
Post-Run: 55,469,252,608 bytes free

165 --- E O F --- 2009-04-11 02:41

marino2111
Novice
Posts : 40
Joined : 2009-04-09
Gender : Male
OS : vista
Points : 28006
Likes : 0

Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 12:32 pm

FYI... I looked for c:\windows\system32 and it's not there???? or it's not where it should be??


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 3:59 pm

Hello.
I want to use Combofix one more time.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
ppsio2

File::
c:\program files\Global.sw

DDS::
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 4:20 pm

ComboFix 09-04-14.09 - marino limauro 04/14/2009 12:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.678 [GMT -4:00]
Running from: c:\documents and settings\marino limauro\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\marino limauro\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\Global.sw
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Global.sw

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPSIO2
-------\Service_ppsio2


((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-10 13:55 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-10 13:55 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 13:30 . 2008-10-16 18:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-10 13:30 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-03 16:31 . 2008-10-16 18:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-02 23:20 . 2009-04-10 13:23 -------- dc----w c:\windows\ie8
2009-04-02 22:14 . 2009-04-02 22:14 -------- d-----w c:\documents and settings\marino limauro\IECompatCache
2009-04-02 22:12 . 2009-04-02 22:12 -------- d-----w c:\documents and settings\LocalService\IETldCache
2009-04-02 22:09 . 2009-04-02 22:09 -------- d-----w c:\documents and settings\marino limauro\PrivacIE
2009-04-02 22:06 . 2009-04-02 22:06 -------- d-----w c:\documents and settings\marino limauro\IETldCache
2009-04-02 22:00 . 2009-04-10 13:24 -------- d-----w c:\windows\ie8updates
2009-04-02 20:41 . 2009-04-02 20:57 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-24 22:18 . 2009-03-24 22:18 -------- d-----w c:\documents and settings\marino limauro\Application Data\Malwarebytes
2009-03-24 22:18 . 2009-03-24 22:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 16:11 . 2003-04-18 00:26 79 ----a-w c:\windows\delay2.reg
2009-03-23 15:46 . 2009-03-23 15:46 35262 ----a-w c:\windows\marino limauro000.acl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 23:15 . 2009-04-10 23:41 -------- d-----w c:\documents and settings\marino limauro\Application Data\U3
2009-04-11 18:01 . 2009-04-11 18:01 -------- d-----w c:\program files\Avira
2009-04-11 18:01 . 2009-04-11 18:01 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-11 17:32 . 2008-04-05 20:58 -------- d-----w c:\documents and settings\marino limauro\Application Data\Skype
2009-04-11 17:09 . 2004-07-22 11:26 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-11 17:07 . 2005-08-08 17:26 -------- d-----w c:\program files\Norton AntiVirus
2009-04-11 17:07 . 2004-07-22 11:26 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-11 14:39 . 2009-04-11 14:38 888 ----a-w C:\avenger.txt
2009-04-11 01:08 . 2004-07-22 11:17 -------- d-----w c:\program files\Java
2009-04-10 22:35 . 2007-09-15 17:11 971301 ----a-w C:\VETlog.txt
2009-04-10 22:35 . 2007-09-15 17:11 53562 ----a-w C:\VETlog.dmp
2009-04-10 21:14 . 2009-04-10 21:14 -------- d-----w c:\program files\Trend Micro
2009-04-10 13:55 . 2009-03-24 22:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 13:26 . 2008-06-16 02:52 -------- d-----w c:\program files\AOL 9.1a
2009-04-10 13:25 . 2007-12-22 18:20 -------- d-----w c:\program files\Yahoo!
2009-04-10 13:23 . 2009-04-02 23:36 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 02:58 . 2009-04-10 02:56 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 02:58 . 2008-09-29 21:26 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 00:45 . 2007-12-22 18:32 -------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-04-09 23:34 . 2008-04-05 21:04 -------- d-----w c:\documents and settings\marino limauro\Application Data\skypePM
2009-03-14 00:27 . 2009-03-14 00:28 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-02-09 11:13 . 2008-10-15 05:44 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2003-07-15 21:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 01:07 . 2008-07-09 21:36 3698584 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-01-17 02:35 . 2006-05-19 15:08 3594752 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-05 21:04 . 2008-04-05 21:04 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-06-08 15:35 . 2005-08-08 15:51 29536 -c--a-w c:\documents and settings\marie limauro\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 22:20 . 2005-08-08 19:17 29536 -c--a-w c:\documents and settings\marino limauro\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-08-22 16:51 . 2005-08-22 16:51 137 -c--a-w c:\documents and settings\marino limauro\Local Settings\Application Data\fusioncache.dat
2005-08-22 16:28 . 2005-08-22 16:28 136 -c--a-w c:\documents and settings\marie limauro\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 16:12 . 2008-12-17 02:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-04-14 12:17 . 2008-12-17 02:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2009-04-14 16:10 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AOL Fast Start"="c:\program files\AOL 9.1a\AOL.EXE" [2008-06-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1182108996\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8741b3c9-2614-11de-b551-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4ebbd0d-5bd0-11dc-9a58-00038a000015}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-14 12:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5540)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\acs\AOLacsd.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\AOL 9.1a\waol.exe
c:\program files\AOL 9.1a\shellmon.exe
c:\program files\Common Files\AOL\1182108996\ee\aolsoftware.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 16:18
ComboFix2.txt 2009-04-14 12:23
ComboFix3.txt 2009-04-11 23:21

Pre-Run: 55,445,807,104 bytes free
Post-Run: 55,361,519,616 bytes free

159 --- E O F --- 2009-04-11 02:41

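The two script/log pairs above show the CFScript sections ComboFix accepts (File::, Folder::, FileLook::, Registry::, Driver::, DDS::) and how the log reports what was done. The following is an added example, not ComboFix's own code and not from the thread: it parses a CFScript, interprets the Registry:: section (REGEDIT4 syntax, where `"Name"=-` deletes a value), and checks the returned log to confirm each File::/Folder:: target appears under "Other Deletions" and each Driver:: target under "Drivers/Services". The sample script and log excerpt are constructed from the values in this thread, with one extra file target the log does not report as removed.

```python
"""Parse a ComboFix CFScript and verify its File::/Folder::/Driver:: targets
against the log ComboFix writes afterwards (added example; inputs constructed)."""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")            # e.g. 'File::'
LOG_BANNER_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")  # '((( Name )))'
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                     # '[HKEY_...]'
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')            # '"Name"=data'

def parse_cfscript(text):
    """Map each 'Name::' section to its non-empty lines, in script order."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def registry_actions(reg_lines):
    """Registry:: uses REGEDIT4 syntax: '"Name"=-' deletes the value,
    any other data sets it. Returns (key, name, action) tuples."""
    actions, key = [], None
    for line in reg_lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            actions.append((key, name, "delete" if data == "-" else "set"))
    return actions

def parse_combofix_log(text):
    """Split a ComboFix log into banner-delimited sections, dropping the
    '.' filler lines; text before the first banner goes under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        m = LOG_BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def verify_deletions(script, log):
    """Return {target: bool}, True when the log records the removal."""
    deleted = {l.lower() for l in log.get("Other Deletions", [])}
    services = {l.lower() for l in log.get("Drivers/Services", [])}
    result = {}
    for path in script.get("File", []) + script.get("Folder", []):
        result[path] = path.lower() in deleted
    for drv in script.get("Driver", []):
        # a removed driver is logged as '-------\Service_<name>'
        result[drv] = "-------\\service_" + drv.lower() in services
    return result

# Constructed sample: the thread's second script plus one extra File::
# target that the sample log below does NOT report as deleted.
SAMPLE_CFSCRIPT = r"""
KILLALL::
Driver::
ppsio2
File::
c:\program files\Global.sw
c:\windows\system32\drivers\lvuvc.hs
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
"""

# Constructed excerpt in the shape of the log ComboFix posted back.
SAMPLE_LOG = r"""
ComboFix 09-04-14.09 - user 04/14/2009 12:08.3 - NTFSx86
.
(((((((((((((((((((((( Other Deletions ))))))))))))))))))))))
.
c:\program files\Global.sw
.
(((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))
.
-------\Legacy_PPSIO2
-------\Service_ppsio2
"""

def check_sample():
    """Run the verification over the constructed sample."""
    return verify_deletions(parse_cfscript(SAMPLE_CFSCRIPT),
                            parse_combofix_log(SAMPLE_LOG))

if __name__ == "__main__":
    for target, ok in check_sample().items():
        print(("removed  " if ok else "MISSING  ") + target)
```

A target reported as MISSING is the cue to look at the next log's "Files Created" and "Find3M" sections before declaring the machine clean.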

Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 4:24 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Can you try IE now please.



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 4:40 pm

Sorry, it started up and shut right back down!!


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 4:48 pm

Do you have your XP disc? We can try a repair install in case there is damage done by malware.



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 4:59 pm

Yes, I have an XP disc. Let's give it a shot.
This disc is a DELL Operating System Disc (Reinstallation Disc).
It contains Windows XP Home Edition including Service Pack 1A.

If that'll work I'm ready when you are.


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 5:02 pm

SP1a is kinda old, but it might work.
Details on how to do a repair install [in detail] here:
[You must be registered and logged in to see this link.]



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 8:10 pm

I found an SP2 disc. I started the repair process. The repair program deleted a bunch of files, then reinstalled a bunch of files. Then, I got the "Blue Screen of Death" with the error BAD_POOL_CALLER. I've restarted twice, only to get the same outcome. Any ideas???


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 8:15 pm

It probably didn't like the SP1 disc, did you try with SP2?



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 8:22 pm

That was the SP2 disc???


Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 8:24 pm

Maybe I should just buy a new HD and start all over!!!


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 8:37 pm

I doubt you need a new HD; you may just need to format. The backdoor bot at the start of this thread has done some deeper damage.



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 9:10 pm

How do I do the reformat on the HD?


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 9:25 pm

Read the information in some of my links provided in this post:
[You must be registered and logged in to see this link.]



Re: Virus and or malware??

Post by marino2111 on Tue Apr 14, 2009 10:56 pm

The computer seems to be stuck in setup mode for installing Windows XP.
It won't start in safe mode. When I let it start normally it tries to run the setup for fixing Windows XP, and then crashes with the BAD_POOL_CALLER error.


Re: Virus and or malware??

Post by Belahzur on Tue Apr 14, 2009 11:13 pm

Hmm.
Are you sure it's stuck? Because I know the setup puts the "press F2 key to continue" right at the bottom of the script instead of in the middle.

