
Thread: help with virtumonde removal

  1. #21
    peku006 (Emeritus - Security Expert, Norway)

    Hi mxmstrs

    Run the ComboFix scan again

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double-click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  2. #22
    Junior Member

    ComboFix 08-08-14.01 - Owner 2008-08-14 18:16:52.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.674 [GMT -4:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .
    /wow section - STAGE 40
    The syntax of the command is incorrect.


    ((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
    .

    2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\WINDOWS\system32\kBin02
    2008-08-11 14:04 . 2008-08-11 14:04 <DIR> d-------- C:\Temp\epr1
    2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\Temp
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-09 13:29 . 2008-08-09 13:32 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-08-09 13:29 . 2008-08-14 18:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\FireTrust
    2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\BillP Studios
    2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
    2008-08-09 13:19 . 2008-08-10 08:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteHound
    2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Program Files\Java
    2008-08-08 20:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-08-08 20:27 . 2008-08-08 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-07 20:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-06 20:27 . 2008-08-06 20:27 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-08-06 17:05 . 2008-08-06 17:05 <DIR> d-------- C:\Program Files\100% Free Hearts Toolbar
    2008-08-03 11:52 . 2008-08-09 14:16 <DIR> d-------- C:\Program Files\iTunes
    2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Program Files\iPod
    2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
    2008-08-03 11:51 . 2008-08-09 14:14 <DIR> d-------- C:\Program Files\QuickTime
    2008-08-03 11:51 . 2008-08-09 14:15 <DIR> d-------- C:\Program Files\Bonjour
    2008-08-03 11:50 . 2008-08-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-08-03 11:50 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-08-03 11:50 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-07-31 18:57 . 2008-07-31 18:57 <DIR> d-------- C:\Program Files\DreamQuest
    2008-07-26 22:51 . 2008-07-26 22:51 0 --a------ C:\WINDOWS\system32\SigUpdRequest_1217127097.tmp
    2008-07-26 21:38 . 2008-08-14 18:14 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
    2008-07-26 21:38 . 2008-08-14 18:20 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
    2008-07-26 21:36 . 2008-08-14 18:14 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
    2008-07-26 21:36 . 2007-07-11 11:39 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
    2008-07-26 21:36 . 2007-05-11 09:33 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
    2008-07-26 21:36 . 2007-05-11 09:33 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
    2008-07-26 21:36 . 2008-08-14 18:20 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
    2008-07-26 21:20 . 2008-07-26 21:20 261 --a------ C:\WINDOWS\system32\PavCPL.dat
    2008-07-26 21:19 . 2007-07-12 08:42 292,144 --a------ C:\WINDOWS\system32\PavSHook.dll
    2008-07-26 21:19 . 2007-03-13 18:01 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
    2008-07-26 21:19 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
    2008-07-26 21:19 . 2007-02-28 18:04 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
    2008-07-26 21:19 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
    2008-07-26 21:19 . 2007-06-08 08:44 24,760 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
    2008-07-26 21:18 . 2008-07-26 21:18 <DIR> d-------- C:\WINDOWS\system32\PAV
    2008-07-26 21:16 . 2007-07-12 08:49 178,872 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
    2008-07-26 21:16 . 2007-05-23 10:40 38,968 -ra------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
    2008-07-26 20:24 . 2008-08-14 18:02 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
    2008-07-26 20:14 . 2007-06-06 05:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
    2008-07-26 20:13 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
    2008-07-26 20:13 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
    2008-07-26 20:12 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
    2008-07-26 20:12 . 2007-04-24 15:43 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
    2008-07-26 20:12 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
    2008-07-26 20:12 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-07-26 20:12 . 2007-04-24 16:43 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
    2008-07-26 19:55 . 2008-07-26 19:55 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
    2008-07-26 19:40 . 2008-07-26 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
    2008-07-26 18:58 . 2008-07-26 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
    2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d-------- C:\Program Files\Panda Security
    2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-07-26 17:59 . 2008-07-26 21:16 <DIR> d-------- C:\Program Files\Common Files\Panda Software
    2008-07-26 17:13 . 2008-08-13 00:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-07-26 17:04 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
    2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\MSBuild
    2008-07-26 17:00 . 2008-07-26 17:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2008-07-26 16:59 . 2008-07-26 16:59 <DIR> d-------- C:\Program Files\Reference Assemblies
    2008-07-26 16:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
    2008-07-21 19:08 . 2008-07-21 19:08 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-07-20 08:31 . 2008-07-20 08:31 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
    2008-07-20 08:28 . 2008-07-20 08:32 <DIR> d-------- C:\Program Files\AutoCAD 2006
    2008-07-20 08:28 . 2008-07-26 17:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Autodesk
    2008-07-20 08:28 . 2008-07-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-07-20 08:27 . 2008-07-26 23:44 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
    2008-07-20 08:26 . 2008-07-20 08:26 <DIR> d-------- C:\Program Files\Autodesk
    2008-07-20 07:48 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\Administrator.ROBANDSHE
    2008-07-19 17:33 . 2008-07-20 07:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-07-18 12:06 . 2008-07-29 19:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-07-18 09:46 . 2008-07-18 09:46 <DIR> d-------- C:\Program Files\Real
    2008-07-18 09:45 . 2008-07-19 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-07-17 09:38 . 2008-07-20 08:25 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\en
    2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-07-16 22:23 . 2008-07-16 22:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-16 22:15 . 2008-07-16 22:15 <DIR> d-------- C:\WINDOWS\EHome
    2008-07-16 22:08 . 2008-04-13 20:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-07-16 21:50 . 2008-07-16 21:50 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-07-16 21:11 . 2008-04-13 20:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-07-16 21:09 . 2008-07-16 21:09 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-16 21:07 . 2004-08-12 09:57 1,361 --a------ C:\WINDOWS\system32\fxscount.h

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-27 03:47 --------- d-----w C:\Program Files\Verizon
    2008-07-27 03:45 --------- d-----w C:\Program Files\Common Files\Motive
    2008-07-27 00:10 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-20 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-20 20:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-19 20:57 --------- d-----w C:\Program Files\NOS
    2008-07-18 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
    2008-07-18 16:07 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
    2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Motive
    2008-07-10 23:36 --------- d-----w C:\Program Files\GVC Modem User Guide
    2008-07-09 22:40 --------- d-----w C:\Program Files\Intel
    2008-07-09 22:22 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-07-09 22:21 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-06 15:55 --------- d-----w C:\Program Files\Motive
    2008-07-05 22:12 --------- d-----w C:\Program Files\Common Files\Authentium
    2008-07-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-04 23:02 --------- d-----w C:\Program Files\Lavasoft
    2008-07-04 23:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-04 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
    2008-07-04 15:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-02 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
    2008-07-02 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
    2008-06-28 12:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 16:18:22 10872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 09:33]
    R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 09:33]
    R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 09:33]
    R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 11:39]
    R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 09:33]
    R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 10:40]
    R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 09:33]
    R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 09:33]
    R2 CPoint;Panda CPoint Driver.;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 08:44]
    R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 08:49]
    R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
    \Shell\Auto\command - Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-11 C:\WINDOWS\Tasks\Basic clean-up.job
    - C:\Program Files\Panda Security\Panda Internet Security 2008\PlaTasks.exe [2007-07-17 15:13]

    2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wlxtuf1c.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://finance.yahoo.com/
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-14 18:20:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE
    C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\SrvLoad.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-14 18:23:23 - machine was rebooted [Owner]
    ComboFix-quarantined-files.txt 2008-08-14 22:23:19
    ComboFix2.txt 2008-08-12 22:47:17

    Pre-Run: 71,761,117,184 bytes free
    Post-Run: 71,722,278,912 bytes free

    228 --- E O F --- 2008-08-14 22:00:15




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:26:22 PM, on 8/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\ApvxdWin.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\Finder.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
    O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
    O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe

    --
    End of file - 5836 bytes
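Added example, not code from this thread or from ComboFix: a small Python triage script that parses the ComboFix log format posted above (section banners, "Files Created" entries, the firewall policy key and the MountPoints2 autorun handlers) and lists the items a log reviewer checks first. The sample input is a constructed excerpt of the log in this post; the rules are review prompts, not verdicts.

```python
"""Triage helper for ComboFix logs (added example, not part of ComboFix or this thread).

It parses the section banners and the "Files Created" entries of a ComboFix log
and reports what a log reviewer checks first:
  * directories created under system32 or C:\\Temp inside the scan window
  * the Windows Firewall standard profile set to EnableFirewall=0
  * autorun command handlers cached for a volume under MountPoints2
The rules are review prompts, not verdicts; a human still decides what is malicious.
"""
import re
from dataclasses import dataclass

# One "Files Created" entry: <created> . <modified> <DIR>|<size> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Section banners look like "(((( Files Created from ... ))))"
SECTION_LINE = re.compile(r"^\(+\s*(?P<name>.*?)\s*\)+$")
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\}\]$", re.IGNORECASE)
AUTORUN_CMD = re.compile(r"^\\Shell\\(Auto|AutoRun)\\command - (?P<cmd>.+)$", re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')

# Directory trees where a newly created folder deserves a second look.
WATCHED_PREFIXES = ("c:\\windows\\system32\\", "c:\\temp\\")


@dataclass
class Finding:
    rule: str
    detail: str


def iter_created_entries(text):
    """Yield the regex match for every entry inside a "Files Created" section."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_LINE.match(line)
        if banner:
            section = banner.group("name")
            continue
        entry = FILE_LINE.match(line)
        if entry and section.startswith("Files Created"):
            yield entry


def is_watched_dir(path):
    """True for the watched roots themselves and anything beneath them."""
    low = path.lower()
    return any(low == p.rstrip("\\") or low.startswith(p) for p in WATCHED_PREFIXES)


def triage(text):
    """Return the findings for one ComboFix log, in log order per rule."""
    findings = []
    for entry in iter_created_entries(text):
        if entry.group("size") == "<DIR>" and is_watched_dir(entry.group("path")):
            findings.append(Finding("new-dir", entry.group("path")))

    in_mountpoint = False
    for raw in text.splitlines():
        line = raw.strip()
        if MOUNTPOINT_KEY.match(line):
            in_mountpoint = True  # lines until the next [key] belong to this volume
            continue
        if line.startswith("["):
            in_mountpoint = False
        if in_mountpoint:
            cmd = AUTORUN_CMD.match(line)
            if cmd:
                findings.append(Finding("mountpoints2-autorun", cmd.group("cmd")))
        if FIREWALL_OFF.match(line):
            findings.append(Finding("firewall-disabled", line))
    return findings


# Constructed sample: an excerpt of the log posted above, other sections omitted.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-08-11 14:04 . 2008-08-11 14:04 <DIR> d-------- C:\Temp\epr1
2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\Temp
2008-08-09 13:29 . 2008-08-09 13:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail}")
```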

  3. #23
    peku006 (Emeritus - Security Expert, Norway)

    Hi mxmstrs

    1 - Run CFScript

    Open Notepad and copy/paste the text in the box into the window:

    Code:
    Folder::
    C:\WINDOWS\system32\kBin02
    C:\Temp
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    2 - Status Check
    Please reply with

    1. the ComboFix log
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  4. #24
    Junior Member

    ComboFix 08-08-14.01 - Owner 2008-08-15 16:51:56.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.678 [GMT -4:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .
    /wow section - STAGE 40
    The syntax of the command is incorrect.


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp
    C:\WINDOWS\system32\kBin02

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
    .

    2008-08-15 16:47 . 2008-08-15 16:47 <DIR> d-------- C:\WINDOWS\LastGood
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-09 13:29 . 2008-08-09 13:32 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-08-09 13:29 . 2008-08-14 18:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\FireTrust
    2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\BillP Studios
    2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
    2008-08-09 13:19 . 2008-08-10 08:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteHound
    2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Program Files\Java
    2008-08-08 20:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-08-08 20:27 . 2008-08-08 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-07 20:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-06 20:27 . 2008-08-06 20:27 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-08-06 17:05 . 2008-08-06 17:05 <DIR> d-------- C:\Program Files\100% Free Hearts Toolbar
    2008-08-03 11:52 . 2008-08-09 14:16 <DIR> d-------- C:\Program Files\iTunes
    2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Program Files\iPod
    2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
    2008-08-03 11:51 . 2008-08-09 14:14 <DIR> d-------- C:\Program Files\QuickTime
    2008-08-03 11:51 . 2008-08-09 14:15 <DIR> d-------- C:\Program Files\Bonjour
    2008-08-03 11:50 . 2008-08-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-08-03 11:50 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-08-03 11:50 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-07-31 18:57 . 2008-07-31 18:57 <DIR> d-------- C:\Program Files\DreamQuest
    2008-07-26 22:51 . 2008-07-26 22:51 0 --a------ C:\WINDOWS\system32\SigUpdRequest_1217127097.tmp
    2008-07-26 21:38 . 2008-08-15 16:50 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
    2008-07-26 21:38 . 2008-08-15 16:50 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
    2008-07-26 21:36 . 2008-08-15 16:50 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
    2008-07-26 21:36 . 2007-07-11 11:39 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
    2008-07-26 21:36 . 2007-05-11 09:33 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
    2008-07-26 21:36 . 2007-05-11 09:33 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
    2008-07-26 21:36 . 2007-05-11 09:33 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
    2008-07-26 21:36 . 2008-08-15 16:50 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
    2008-07-26 21:20 . 2008-07-26 21:20 261 --a------ C:\WINDOWS\system32\PavCPL.dat
    2008-07-26 21:19 . 2007-07-12 08:42 292,144 --a------ C:\WINDOWS\system32\PavSHook.dll
    2008-07-26 21:19 . 2007-03-13 18:01 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
    2008-07-26 21:19 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
    2008-07-26 21:19 . 2007-02-28 18:04 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
    2008-07-26 21:19 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
    2008-07-26 21:19 . 2007-06-08 08:44 24,760 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
    2008-07-26 21:18 . 2008-07-26 21:18 <DIR> d-------- C:\WINDOWS\system32\PAV
    2008-07-26 21:16 . 2007-07-12 08:49 178,872 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
    2008-07-26 21:16 . 2007-05-23 10:40 38,968 -ra------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
    2008-07-26 20:24 . 2008-08-14 18:02 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
    2008-07-26 20:14 . 2007-06-06 05:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
    2008-07-26 20:13 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
    2008-07-26 20:13 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
    2008-07-26 20:12 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
    2008-07-26 20:12 . 2007-04-24 15:43 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
    2008-07-26 20:12 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
    2008-07-26 20:12 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-07-26 20:12 . 2007-04-24 16:43 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
    2008-07-26 19:55 . 2008-07-26 19:55 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
    2008-07-26 19:40 . 2008-07-26 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
    2008-07-26 18:58 . 2008-07-26 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
    2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d-------- C:\Program Files\Panda Security
    2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-07-26 17:59 . 2008-07-26 21:16 <DIR> d-------- C:\Program Files\Common Files\Panda Software
    2008-07-26 17:13 . 2008-08-13 00:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-07-26 17:04 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
    2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\MSBuild
    2008-07-26 17:00 . 2008-07-26 17:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2008-07-26 16:59 . 2008-07-26 16:59 <DIR> d-------- C:\Program Files\Reference Assemblies
    2008-07-26 16:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
    2008-07-21 19:08 . 2008-07-21 19:08 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-07-20 08:31 . 2008-07-20 08:31 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
    2008-07-20 08:28 . 2008-07-20 08:32 <DIR> d-------- C:\Program Files\AutoCAD 2006
    2008-07-20 08:28 . 2008-07-26 17:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Autodesk
    2008-07-20 08:28 . 2008-07-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-07-20 08:27 . 2008-07-26 23:44 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
    2008-07-20 08:26 . 2008-07-20 08:26 <DIR> d-------- C:\Program Files\Autodesk
    2008-07-20 07:48 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\Administrator.ROBANDSHE
    2008-07-19 17:33 . 2008-07-20 07:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-07-18 12:06 . 2008-07-29 19:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-07-18 09:46 . 2008-07-18 09:46 <DIR> d-------- C:\Program Files\Real
    2008-07-18 09:45 . 2008-07-19 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-07-17 09:38 . 2008-07-20 08:25 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\en
    2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-07-16 22:23 . 2008-07-16 22:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-16 22:15 . 2008-07-16 22:15 <DIR> d-------- C:\WINDOWS\EHome
    2008-07-16 22:08 . 2008-04-13 20:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-07-16 21:50 . 2008-07-16 21:50 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-07-16 21:11 . 2008-04-13 20:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-07-16 21:09 . 2008-07-16 21:09 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-16 21:07 . 2004-08-12 09:57 1,361 --a------ C:\WINDOWS\system32\fxscount.h

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-27 03:47 --------- d-----w C:\Program Files\Verizon
    2008-07-27 03:45 --------- d-----w C:\Program Files\Common Files\Motive
    2008-07-27 00:10 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-20 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-20 20:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-19 20:57 --------- d-----w C:\Program Files\NOS
    2008-07-18 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
    2008-07-18 16:07 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
    2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Motive
    2008-07-10 23:36 --------- d-----w C:\Program Files\GVC Modem User Guide
    2008-07-09 22:40 --------- d-----w C:\Program Files\Intel
    2008-07-09 22:22 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-07-09 22:21 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-06 23:55 1,695,502 --sha-w C:\WINDOWS\system32\ystlesgv.tmp
    2008-07-06 15:55 --------- d-----w C:\Program Files\Motive
    2008-07-05 22:12 --------- d-----w C:\Program Files\Common Files\Authentium
    2008-07-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-04 23:02 --------- d-----w C:\Program Files\Lavasoft
    2008-07-04 23:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-04 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
    2008-07-04 15:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-02 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
    2008-07-02 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
    2008-06-28 14:17 155,995 ----a-w C:\WINDOWS\java\Packages\9RHJBLVB.ZIP
    2008-06-28 12:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 16:18:22 10872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 09:33]
    R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 09:33]
    R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 09:33]
    R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 11:39]
    R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 09:33]
    R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 10:40]
    R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 09:33]
    R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 09:33]
    R2 CPoint;Panda CPoint Driver.;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 08:44]
    R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 08:49]
    R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
    \Shell\Auto\command - Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-11 C:\WINDOWS\Tasks\Basic clean-up.job
    - C:\Program Files\Panda Security\Panda Internet Security 2008\PlaTasks.exe [2007-07-17 15:13]

    2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-15 16:53:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-15 16:54:24
    ComboFix-quarantined-files.txt 2008-08-15 20:54:14
    ComboFix2.txt 2008-08-14 22:23:24
    ComboFix3.txt 2008-08-12 22:47:17

    Pre-Run: 71,685,259,264 bytes free
    Post-Run: 71,674,015,744 bytes free

    214 --- E O F --- 2008-08-15 00:48:03


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:57:52 PM, on 8/15/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
    C:\Program Files\Trend Micro\HijackThis\Finder.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
    O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
    O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe

    --
    End of file - 5836 bytes

#25 peku006 (Emeritus- Security Expert, Norway; joined Feb 2007; 3,103 posts)

    Hi mxmstrs
    Things are looking good. Do you still notice any problems with your computer?

    peku006

#26 mxmstrs (Junior Member; joined Jul 2008; 18 posts)

I get no occurrence of Virtumonde when scanning with Spybot.

    But I do get a recurring WinPatrol File Type Change Alert that states as follows.

    "Scotty the windows watchdog is on patrol and has detected a change to one of your file type associations. .SCR

    The program currently associated with this file type is
    Name
    Company Name
    %1 %*

    A change was made to use the following program for this file type
    Name
    Company name
    %1 /S

    Is this change ok?"

    I don't know what this all means so I always answer NO.

#27 mxmstrs (Junior Member; joined Jul 2008; 18 posts)

    By the way, I will be away from my computer all of this coming week and won't be able to reply during that time. I will reply when I return. Thanks for your help.

#28 tashi (Member of Team Spybot, USA; joined Oct 2005; 30,956 posts)

    mxmstrs, still with us?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

#29 mxmstrs (Junior Member; joined Jul 2008; 18 posts)

I am absolutely with you. Lately nothing malicious has been popping up. My recent Spybot scans are clean except for an occasional minor tracking cookie. Peku006 has been invaluable in getting rid of Virtumonde. My computer has never worked better.

#30 peku006 (Emeritus- Security Expert, Norway; joined Feb 2007; 3,103 posts)

    Hi mxmstrs

"My computer has never worked better."

The SCR file extension represents a Windows screensaver; have you tried changing your screensaver?

    regards
    peku006
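An added example, not code from the thread, from ComboFix or from WinPatrol: a small Python triage script for the two technical items in this page. First, it reads lines of the kind shown in the ComboFix log posted above (the hidden+system file under system32, the Winlogon notify package, the EnableFirewall=0 value and the MountPoints2 AutoRun handler) and flags the ones a log reviewer checks first. Second, it decodes the two .SCR command values quoted in the WinPatrol alert that peku006's screensaver reply refers to. The sample lines are copied from the posted log. The stock scrfile command values are my recollection of the Windows XP defaults and are an assumption; confirm them on the machine with `reg query HKCR\scrfile\shell /s`. On my reading, the proposed value in the alert, `%1 /S`, is the stock screensaver 'open' command (the /S switch runs a screensaver in show mode) and `%1 %*` is the handler normally used for .exe files; the script labels both so the reader can judge the alert rather than always answering NO.

```python
"""Triage a ComboFix log excerpt and decode a WinPatrol .SCR association alert.

Added example for this thread, not a tool from the forum, ComboFix or WinPatrol.
Sample lines are copied from the posted log; the stock scrfile values are the
Windows XP defaults from memory (assumption), confirm with: reg query HKCR\\scrfile\\shell /s
"""
import re
import sys

# Constructed sample: lines lifted from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2008-07-06 23:55 1,695,502 --sha-w C:\WINDOWS\system32\ystlesgv.tmp
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
# Find3M entries: "date time size attrs path"; attrs look like --sha-w, ----a-w, d-----w
FIND3M_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,-]+\s+([-a-z]{7})\s+(.+)$")
AUTORUN_VERB = re.compile(r"^\\shell\\(auto|autorun)\\command\b", re.I)


def triage_combofix(text):
    """Return (line, reason) pairs for the entries a log reviewer checks first."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:  # a registry key header; remember it for the value lines that follow
            key = m.group(1).lower()
            if "\\winlogon\\notify\\" in key:
                findings.append((line, "Winlogon notify package: DLL loaded into winlogon.exe at logon, verify the publisher"))
            continue
        m = FIND3M_LINE.match(line)
        if m:
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append((line, "hidden+system file in system32: check its origin and hash"))
            continue
        if key.endswith("firewallpolicy\\standardprofile") and re.search(r'"enablefirewall"\s*=\s*0\b', line, re.I):
            findings.append((line, "Windows Firewall disabled for the standard profile: acceptable only if a third-party firewall is running"))
            continue
        if "\\mountpoints2\\" in key and AUTORUN_VERB.match(line):
            findings.append((line, "AutoRun handler cached from a removable volume's autorun.inf: check the program it names on that volume"))
    return findings


# Stock verbs under HKCR\scrfile\shell\<verb>\command on Windows XP (assumption, see top).
STOCK_SCRFILE = {
    '"%1" /S': "stock screensaver 'open' verb: runs the .scr in show mode (/S)",
    '"%1"': "stock screensaver 'config' verb: opens the .scr's settings dialog",
    "rundll32.exe desk.cpl,InstallScreenSaver %l": "stock screensaver 'install' verb",
}


def classify_scr_command(command):
    """Explain a scrfile command value as reg query shows it, or as WinPatrol quotes it (quotes stripped)."""
    def norm(s):
        return " ".join(s.replace('"', "").split()).lower()
    for stock, meaning in STOCK_SCRFILE.items():
        if norm(stock) == norm(command):
            return meaning
    if norm(command) == "%1 %*":
        return "exefile-style handler: the .scr is launched like a plain .exe with arguments passed through"
    return "non-stock handler, inspect the program it names: " + command.strip()


def read_live_scr_commands():
    """Windows only: {verb: command} for every verb under HKCR\\scrfile\\shell."""
    import winreg  # standard library, present only on Windows builds of Python
    out = {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"scrfile\shell") as shell:
        for i in range(winreg.QueryInfoKey(shell)[0]):
            verb = winreg.EnumKey(shell, i)
            try:
                out[verb] = winreg.QueryValue(shell, verb + r"\command")
            except OSError:
                pass  # verb without a command subkey
    return out


if __name__ == "__main__":
    for line, reason in triage_combofix(SAMPLE_LOG):
        print(f"[review] {reason}\n         {line}")
    for cmd in ("%1 %*", "%1 /S"):  # the two values quoted in the WinPatrol alert
        print(f"{cmd!r}: {classify_scr_command(cmd)}")
    if sys.platform == "win32":
        for verb, cmd in read_live_scr_commands().items():
            print(f"live {verb}: {cmd!r} -> {classify_scr_command(cmd)}")
```

Run on the machine in question, the last loop prints the live scrfile verbs from the registry next to their classification, which is the check to do before answering a WinPatrol prompt; on any other system the script only triages the embedded sample lines. The triage rules deliberately report, not decide: the Winlogon notify DLL and the disabled Windows Firewall are expected on a box running a third-party suite, so each finding says what to verify rather than calling the entry malicious.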
