pls help...something is really wrong...
hi
i am new to this forum and i really hope you could help me.
as i was searching the net, i came across this forum and saw a post about a problem that is similar to mine: problem with a recycler and system volume information.. and a malware detected by kaspersky as virus.win32.autorun.k (netmanage.dll etc)
i kept on scanning using kaspersky antivirus and it says that all threats are already treated or sometimes no threats were detected etc...but i still have the hidden folders: recycler and system volume information in my drive C. they were not there before...i also now have a ntdetect.com in my drive C. My computer is not slowing down or anything but i am just so worried.. my mom bought herself a new laptop and i am terrified at the thought of infecting her new laptop with the same bug through my emails and attachments..
i followed an advise in a previous post regarding Combofix.exe and here is the log report... i also had another text file about files being quarantined... and a qoobox folder in my drive C after the scan
Combofix.txt:
ComboFix 07-10-04.5 - Anne Therese C. Lim 2007-10-04 10:15:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT 8:00]
Running from: C:\Documents and Settings\Anne Therese C. Lim\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\TEMP.\_istmpi.dir
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DNSCON
-------\LEGACY_NETMANAGER
-------\dnscon
-------\NetManager
((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.
2007-10-04 09:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 07:11 <DIR> d-------- C:\temporary
2007-10-03 21:26 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-02 01:24 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-01 12:25 <DIR> d-------- C:\Heart_Sounds
2007-09-30 10:30 <DIR> d-------- C:\Program Files\Rapidshare Unlimited
2007-09-30 10:12 <DIR> d-------- C:\Program Files\Heart_Sounds
2007-09-30 00:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-29 22:00 <DIR> d-------- C:\Documents and Settings\Anne Therese C. Lim\.housecall6.6
2007-09-29 19:13 <DIR> d-------- C:\Program Files\Uniblue
2007-09-29 19:13 <DIR> d-------- C:\Documents and Settings\Anne Therese C. Lim\Application Data\Uniblue
2007-09-08 05:59 <DIR> d-------- C:\Program Files\Alarm Clock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-04 10:22 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 10:21 587296 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-04 10:21 10201888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-04 10:20 56108 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-04 10:20 137660 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-02 04:49 --------- d-------- C:\Program Files\XTerm Medical Dictionary
2007-09-22 13:47 --------- d-------- C:\Program Files\TextAloud
2007-09-21 19:54 --------- d-------- C:\Program Files\Common Files\Skyscape
2007-09-06 15:42 --------- d-------- C:\Program Files\ReadPlease 2003
2007-09-04 02:12 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-04 02:12 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-18 21:47 --------- d-------- C:\Documents and Settings\Anne Therese C. Lim\Application Data\Help
2007-08-07 01:05 --------- d-------- C:\Documents and Settings\Anne Therese C. Lim\Application Data\InterVideo
2007-08-06 21:29 --------- d-------- C:\Documents and Settings\Anne Therese C. Lim\Application Data\dvdcss
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-23 21:26 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-06 19:42 466944 --a------ C:\WINDOWS\The Lords Prayer.scr
2007-07-06 19:42 28672 --a------ C:\WINDOWS\system32\ssconfig.exe
2007-07-06 19:42 180224 --a------ C:\WINDOWS\UninstallWSST.exe
2007-07-06 19:31 466944 --a------ C:\WINDOWS\The 23rd Psalm.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 13:10]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 16:46]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 13:06]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-01-22 13:48]
"NDSTray.exe"="NDSTray.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 17:05]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-08 06:03]
"ZoomingHook"="ZoomingHook.exe" [2004-07-15 08:07 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-16 07:03]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 10:07]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2004-12-08 13:24]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 09:57]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 07:59]
"TPSMain"="TPSMain.exe" [2004-12-29 08:02 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-02-17 06:43 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe" [2004-12-06 22:53]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-06 22:53 C:\WINDOWS\agrsmmsg.exe]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-01-14 11:00]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-29 06:10]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-01-29 23:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 16:32]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-29 06:10]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 03:23]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Software Notes.lnk - C:\Program Files\3M\PSNotes\psn.exe [2003-10-10 14:53:20]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-03-13 11:38:33]
C:\Documents and Settings\Anne Therese C. Lim\Start Menu\Programs\Startup\
Skyscape smARTupdate.lnk - C:\Program Files\Common Files\Skyscape\smARTupdate.exe [2005-03-03 04:33:15]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-06-11 09:05:36]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Software Notes.lnk - C:\Program Files\3M\PSNotes\psn.exe [2003-10-10 14:53:20]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-03-13 11:38:33]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
R1 SerTVOutCtlr;TOSHIBA Controls Driver -EPIOMngr;C:\WINDOWS\system32\drivers\EPIOMngr.sys
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S1 StickyMesger;StickyMesger;\??\C:\Program Files\TOSHIBA\Accessibility\StickyMesger.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aa3a755-1c02-11dc-ab40-000fb086abc4}]
Auto\command- E:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- E:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
.
Contents of the 'Scheduled Tasks' folder
"2007-08-15 06:49:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-01 12:32:16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-01 12:32:11 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-01 18:31:05 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-10-01 18:21:16 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-10-04 02:21:26 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-01 19:40:55 C:\WINDOWS\Tasks\XoftSpySE.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 10:22:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-04 10:24:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-04 10:24
.
--- E O F ---
ComboFix-quarantined-files.txt
the qoobox folder contains a quarrantine folder --> registry backup --> LEGACY_DNSCON.reg.datCode:2007-10-04 10:18 2888 --a------ C:\Qoobox\Quarantine\Registry_backups\services_NetManager.reg.dat 2007-10-04 10:18 2948 --a------ C:\Qoobox\Quarantine\Registry_backups\services_dnscon.reg.dat 2007-10-04 10:18 806 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DNSCON.reg.dat 2007-10-04 10:18 848 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETMANAGER.reg.dat Folder PATH listing for volume S3A2272D001 Volume serial number is 7E61-43ED C:\QOOBOX\QUARANTINE \---Registry_backups LEGACY_DNSCON.reg.dat LEGACY_NETMANAGER.reg.dat services_dnscon.reg.dat services_NetManager.reg.dat
LEGACY_NETMANAGER.reg.dat
services_dnscon.reg.dat
services_NetManager.reg.dat
pls help... i really dont know what to do....
is my computer safe? can i start emailing my mom? was combofix successful in treating my laptop. would my laptop be virus free if i deleted the qoobox folder?
was kaspersky right in saying that the threats were treated?
thanks in advance!
here is the hijackthis log
impt question
