View Full Version : Need help with Virtumonde.
greenh25
2008-06-13, 21:17
Am following "BEFORE you POST directions:
Booted in safe mode and rab Spybot S&D. It found two entries for Virtumonde
and removed both of them, but when I boot in normal mode, I get pop ups, my Windows update doesn't seem to work, Spybot keeps saying that some program is trying to change the registry.
Here is theHiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:01 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM979a6f2d] Rundll32.exe "C:\WINDOWS\system32\jxxvlquo.dll",s
O4 - HKLM\..\Run: [94a95cb1] rundll32.exe "C:\WINDOWS\system32\oogqihmk.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
O4 - Startup: Shortcut to explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136780979187
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 8759 bytes
shelf life
2008-06-15, 04:20
hi,
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
O4 - Startup: Shortcut to explorer.lnk = C:\WINDOWS\explorer.exe
-----------------------------------
next:
Download combofix from one of these links and save it to your Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
greenh25
2008-06-15, 08:39
Hi,
Thank you for looking at my situation.
Did as you instructed. When ComboFix rebooted the PC, Spybot (must be the TeaTimer part) cut in with some registry changes. I denied all the changes.
Otherwise, here is the ComboFix log:
ComboFix 08-06-12.2 - vidas 2008-06-15 0:52:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.534 [GMT -4:00]
Running from: C:\Documents and Settings\vidas\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\id
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\s
C:\Temp\vtmp2
C:\WINDOWS\BM979a6f2d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aquarantine\ddJlRXyb.ini
C:\WINDOWS\system32\aquarantine\ddJlRXyb.ini2
C:\WINDOWS\system32\aquarantine\DefgMUtv.ini
C:\WINDOWS\system32\aquarantine\DefgMUtv.ini2
C:\WINDOWS\system32\aquarantine\DLoXFfhk.ini
C:\WINDOWS\system32\aquarantine\DLoXFfhk.ini2
C:\WINDOWS\system32\aquarantine\fhkQYGgh.ini
C:\WINDOWS\system32\aquarantine\fhkQYGgh.ini2
C:\WINDOWS\system32\aquarantine\fNXGOXbc.ini
C:\WINDOWS\system32\aquarantine\fNXGOXbc.ini2
C:\WINDOWS\system32\aquarantine\gfPAdMoq.ini
C:\WINDOWS\system32\aquarantine\gfPAdMoq.ini2
C:\WINDOWS\system32\aquarantine\IiRrsBeg.ini
C:\WINDOWS\system32\aquarantine\IiRrsBeg.ini2
C:\WINDOWS\system32\aquarantine\JjPAbccf.ini
C:\WINDOWS\system32\aquarantine\JjPAbccf.ini2
C:\WINDOWS\system32\aquarantine\kmmVwyay.ini
C:\WINDOWS\system32\aquarantine\kmmVwyay.ini2
C:\WINDOWS\system32\aquarantine\nTCdNXbc.ini
C:\WINDOWS\system32\aquarantine\nTCdNXbc.ini2
C:\WINDOWS\system32\aquarantine\QpYbLRqr.ini
C:\WINDOWS\system32\aquarantine\QpYbLRqr.ini2
C:\WINDOWS\system32\aquarantine\TDfNTtwa.ini
C:\WINDOWS\system32\aquarantine\TDfNTtwa.ini2
C:\WINDOWS\system32\aquarantine\UEOYaJjl.ini
C:\WINDOWS\system32\aquarantine\UEOYaJjl.ini2
C:\WINDOWS\system32\aquarantine\uuttBcfe.ini
C:\WINDOWS\system32\aquarantine\uuttBcfe.ini2
C:\WINDOWS\system32\aquarantine\vGgNmUtv.ini
C:\WINDOWS\system32\aquarantine\vGgNmUtv.ini2
C:\WINDOWS\system32\aquarantine\wFLUvFhk.ini
C:\WINDOWS\system32\aquarantine\wFLUvFhk.ini2
C:\WINDOWS\system32\aquarantine\wGQsYJjl.ini
C:\WINDOWS\system32\aquarantine\wGQsYJjl.ini2
C:\WINDOWS\system32\aquarantine\XaIlRXyb.ini
C:\WINDOWS\system32\aquarantine\XaIlRXyb.ini2
C:\WINDOWS\system32\aquarantine\XbeLmnmp.ini
C:\WINDOWS\system32\aquarantine\XbeLmnmp.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\efcaaWol.dll
C:\WINDOWS\system32\mlxotpsl.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\XaIlRXyb.ini
C:\WINDOWS\system32\XaIlRXyb.ini2
C:\xcrashdump.dat
----- BITS: Possible infected sites -----
hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.
2008-06-15 01:07 . 2008-06-15 01:08 20,640 --a------ C:\WINDOWS\system32\Status.MPF
2008-06-14 14:10 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00D3CE1.dat
2008-06-13 14:09 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00FF7F9.dat
2008-06-13 14:06 . 2008-06-13 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 13:09 . 2008-06-13 13:09 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-06-13 08:23 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c006AD89.dat
2008-06-12 08:20 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00B7EA4.dat
2008-06-02 20:46 . 2008-06-14 21:57 24,576 --a------ C:\WINDOWS\system32\__c00BCEF6.dat
2008-06-02 08:29 . 2008-06-15 01:01 <DIR> d-------- C:\WINDOWS\system32\aquarantine
2008-05-24 22:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-22 09:21 . 2008-05-22 09:21 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 21:35 . 2008-05-19 10:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\Documents and Settings\Administrator.DELL5150
2008-05-18 13:51 . 2008-05-18 13:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 13:51 . 2008-05-18 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 21:49 . 2008-05-17 21:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 19:36 . 2008-05-19 20:14 <DIR> d-------- C:\Program Files\Big Hammer
2008-05-17 07:15 . 2008-06-08 10:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 07:15 . 2008-05-17 07:15 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 11:34 --------- d-----w C:\Documents and Settings\vidas\Application Data\uTorrent
2008-06-09 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-06-02 07:42 --------- d-----w C:\Documents and Settings\vidas\Application Data\dvdcss
2008-05-29 01:55 --------- d-----w C:\Documents and Settings\vidas\Application Data\RipIt4Me
2008-05-29 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-28 12:55 --------- d-----w C:\Documents and Settings\vidas\Application Data\SuperNZB
2008-05-27 20:04 --------- d-----w C:\Documents and Settings\vidas\Application Data\Vso
2008-05-25 02:22 --------- d-----w C:\Program Files\Java
2008-05-22 13:26 --------- d-----w C:\Program Files\GetRight
2008-05-20 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-20 01:06 --------- d-----w C:\Documents and Settings\vidas\Application Data\AdobeUM
2008-05-20 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-06 00:19 87,608 ----a-w C:\Documents and Settings\vidas\Application Data\inst.exe
2007-06-06 00:19 47,360 ----a-w C:\Documents and Settings\vidas\Application Data\pcouffin.sys
2006-01-08 16:19 104 --sha-r C:\WINDOWS\system32\C7C146FA42.sys
2006-01-08 16:19 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06FE8FBC-F50A-4A54-BEED-FECD189B4689}]
C:\WINDOWS\system32\rqRLbYpQ.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09F97D15-88E7-4F1F-87CB-7AACA6417BF3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C197A84-B51E-4BE6-8A71-840310BAC5E4}]
C:\WINDOWS\system32\byXRlIaX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C1B193D-B22F-4817-A6A5-9B414C9577F6}]
C:\WINDOWS\system32\awtTNfDT.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3027637e-bb89-4ff9-af6e-01590aac60a8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36b5cccb-f6cb-467d-aadc-7911721fbdb7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B5E359F-B6DA-4F0F-8A14-DACBAB9C378C}]
C:\WINDOWS\system32\cbXNdCTn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5770D467-5848-4131-BF7B-41C1ECC816A7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59B64005-1F8C-44A0-BAA2-54D74FAC1630}]
C:\WINDOWS\system32\ljJaYOEU.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60FDB0CC-B47F-48AB-A56F-6F4C758E17EA}]
C:\WINDOWS\system32\yaywVmmk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6373352c-55df-4136-a155-47df5bb41785}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{679D26F9-20E1-4D43-9003-C002870654D8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F143B1-2A04-4255-9358-74EB3BBF3919}]
C:\WINDOWS\system32\ljJYsQGw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90f48ae7-54f9-4d85-b5bc-67ee327f6120}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B0F10AA-E955-444A-A1F4-584FBE11A171}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B71CE0E-697A-42AF-99D7-1FD92C516B6F}]
C:\WINDOWS\system32\qoMdAPfg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A24CF77C-D296-45C8-BC3C-98527DD3A4D9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABFE3C96-238C-4356-A473-CC7D08607A08}]
C:\WINDOWS\system32\fccbAPjJ.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b64ead00-c3fb-48fe-a4e9-03c5f0470946}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C53C08B0-4185-412B-B17A-E97CE56834DB}]
C:\WINDOWS\system32\khFvULFw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CB4B3B-1E2C-4D1E-8ECD-4100AE26D4E3}]
C:\WINDOWS\system32\vtUmNgGv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA1B18F6-6E8B-45B9-8163-ECA3643C486A}]
C:\WINDOWS\system32\efcBttuu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBCA1831-6724-4FC8-85DD-0B40E945B947}]
C:\WINDOWS\system32\khfFXoLD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E83DDB3D-D483-409B-9721-73251D27B206}]
C:\WINDOWS\system32\hgGYQkhf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9a2ee09-1a6c-4911-8bf2-49acd166c344}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaeb55b0-b8e7-4c29-ab70-0053d2c3e924}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed8e1a4c-f0d1-4d3a-8e04-734b25b8002b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8F1B10E-FF76-47CA-84E7-7C25274234C8}]
C:\WINDOWS\system32\byXRlJdd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F96A88C1-CB49-4E36-A2C8-C852E4C775F0}]
C:\WINDOWS\system32\geBsrRiI.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fece42d5-c2c6-410b-aafd-bf96bb0d07ad}]
C:\WINDOWS\system32\dlojslho.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 01:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 01:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 01:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-19 13:28 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-19 13:28 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 14:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00 1005096]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 12:29 49152]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"94a95cb1"="C:\WINDOWS\system32\oogqihmk.dll" [ ]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM979a6f2d"="C:\WINDOWS\system32\jxxvlquo.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-06 14:30:54 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaaWol]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BCEF6]
C:\WINDOWS\system32\__c00BCEF6.dat 2008-06-14 21:57 24576 C:\WINDOWS\system32\__c00BCEF6.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 05:07:59 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL5150-vidas).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-06-15 05:10:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 01:08:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\vidas\LOCALS~1\Temp\PCONFIG.__1 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c00BCEF6.dat
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2008-06-15 1:15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 05:15:38
Pre-Run: 40,653,688,832 bytes free
Post-Run: 40,623,357,952 bytes free
260 --- E O F --- 2008-06-15 05:15:00
and here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:37 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: (no name) - {06FE8FBC-F50A-4A54-BEED-FECD189B4689} - C:\WINDOWS\system32\rqRLbYpQ.dll (file missing)
O2 - BHO: (no name) - {1C197A84-B51E-4BE6-8A71-840310BAC5E4} - C:\WINDOWS\system32\byXRlIaX.dll (file missing)
O2 - BHO: (no name) - {2C1B193D-B22F-4817-A6A5-9B414C9577F6} - C:\WINDOWS\system32\awtTNfDT.dll (file missing)
O2 - BHO: (no name) - {4B5E359F-B6DA-4F0F-8A14-DACBAB9C378C} - C:\WINDOWS\system32\cbXNdCTn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59B64005-1F8C-44A0-BAA2-54D74FAC1630} - C:\WINDOWS\system32\ljJaYOEU.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {60FDB0CC-B47F-48AB-A56F-6F4C758E17EA} - C:\WINDOWS\system32\yaywVmmk.dll (file missing)
O2 - BHO: (no name) - {72F143B1-2A04-4255-9358-74EB3BBF3919} - C:\WINDOWS\system32\ljJYsQGw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9B71CE0E-697A-42AF-99D7-1FD92C516B6F} - C:\WINDOWS\system32\qoMdAPfg.dll (file missing)
O2 - BHO: (no name) - {ABFE3C96-238C-4356-A473-CC7D08607A08} - C:\WINDOWS\system32\fccbAPjJ.dll (file missing)
O2 - BHO: (no name) - {C53C08B0-4185-412B-B17A-E97CE56834DB} - C:\WINDOWS\system32\khFvULFw.dll (file missing)
O2 - BHO: (no name) - {C8CB4B3B-1E2C-4D1E-8ECD-4100AE26D4E3} - C:\WINDOWS\system32\vtUmNgGv.dll (file missing)
O2 - BHO: (no name) - {CA1B18F6-6E8B-45B9-8163-ECA3643C486A} - C:\WINDOWS\system32\efcBttuu.dll (file missing)
O2 - BHO: (no name) - {CBCA1831-6724-4FC8-85DD-0B40E945B947} - C:\WINDOWS\system32\khfFXoLD.dll (file missing)
O2 - BHO: (no name) - {E83DDB3D-D483-409B-9721-73251D27B206} - C:\WINDOWS\system32\hgGYQkhf.dll (file missing)
O2 - BHO: (no name) - {F8F1B10E-FF76-47CA-84E7-7C25274234C8} - C:\WINDOWS\system32\byXRlJdd.dll (file missing)
O2 - BHO: (no name) - {F96A88C1-CB49-4E36-A2C8-C852E4C775F0} - C:\WINDOWS\system32\geBsrRiI.dll (file missing)
O2 - BHO: {da70d0bb-69fb-dfaa-b014-6c2c5d24ecef} - {fece42d5-c2c6-410b-aafd-bf96bb0d07ad} - C:\WINDOWS\system32\dlojslho.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [94a95cb1] rundll32.exe "C:\WINDOWS\system32\oogqihmk.dll",b
O4 - HKLM\..\Run: [BM979a6f2d] Rundll32.exe "C:\WINDOWS\system32\jxxvlquo.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136780979187
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - Winlogon Notify: __c00BCEF6 - C:\WINDOWS\system32\__c00BCEF6.dat
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 10134 bytes
Thanks again.
shelf life
2008-06-15, 16:37
hi,
ok thanks for the info. if tea timer is running disable it before using hjt:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
hjt:
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
select all those that end in "file missing"
and these also:
O4 - HKLM\..\Run: [BM979a6f2d] Rundll32.exe "C:\WINDOWS\system32\jxxvlquo.dll",s
O4 - HKLM\..\Run: [94a95cb1] rundll32.exe
"C:\WINDOWS\system32\oogqihmk.dll",b
we will get one more download to run also. it runs in safe mode:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
greenh25
2008-06-15, 18:28
Hi,
I ran HijackThis and removed the file missing lines and the other two items. I d/l SDFix to the desktop.
Before I proceed I need to ask you 2 questions:
1. when I boot in normal mode, a screen comes up that says it wants to install Sonic update manager. The PC has done this ever since I bought it new from Dell. I have been getting rid of the screen by using the Task Manager, since using cancel doesn't work. I have used Sonic to burn data DVD's. However, now when I try to use the Task Manager I get a screen that says that the Task Manager has been disabled by the administrator. How do I turn Task Manager back on?
2. in safe mode (and logged in as a user) when I navigate to the SDFix folder and double click RunThis.bat it doesn't run. Upon opening RunThis.bat in notepad there is a comment about needing administrator privileges. Should I log in as administrator first and the execute RunThis.bat?
Thanks for your help. Please reply and I will submit the SDFix and HijackThis reports.
shelf life
2008-06-15, 23:54
hi,
thanks for the info
question 1: malware can disable taskmanager
question 2; could be malware also. yes you can attempt to run it in safe mode logged in as admin.
greenh25
2008-06-16, 00:47
Hi,
I am unable to run RunThis.bat from the C:\SDFix directory. The DOS blue screen appears and then immediately disappears.
I forgot to tell you that since I need Taskmanager to end the Sonic update program, I can not shut down the PC normally. I need to turn off the surge strip.
Otherwise, here is an updated HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:01 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\3142.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\3142.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\3142.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\3142.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136780979187
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - Winlogon Notify: efcaaWol - C:\WINDOWS\
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 10476 bytes
shelf life
2008-06-16, 05:36
hi greenh25,
ok thanks for the info. we will use combofix;
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINDOWS\system32\__c00D3CE1.dat
C:\WINDOWS\system32\__c00FF7F9.dat
C:\WINDOWS\system32\__c006AD89.dat
C:\WINDOWS\system32\__c00B7EA4.dat
C:\WINDOWS\system32\__c00BCEF6.dat
C:\WINDOWS\system32\Status.MPF
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaaWol]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BCEF6]
Folder::
C:\WINDOWS\system32\aquarantine
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.
we will also get another download:
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
please post the malwarebytes log.
greenh25
2008-06-16, 10:31
Hello shelf life,
Here is the combofix file:
ComboFix 08-06-12.2 - vidas 2008-06-15 0:52:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.534 [GMT -4:00]
Running from: C:\Documents and Settings\vidas\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\15963.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\id
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\s
C:\Temp\vtmp2
C:\WINDOWS\BM979a6f2d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aquarantine\ddJlRXyb.ini
C:\WINDOWS\system32\aquarantine\ddJlRXyb.ini2
C:\WINDOWS\system32\aquarantine\DefgMUtv.ini
C:\WINDOWS\system32\aquarantine\DefgMUtv.ini2
C:\WINDOWS\system32\aquarantine\DLoXFfhk.ini
C:\WINDOWS\system32\aquarantine\DLoXFfhk.ini2
C:\WINDOWS\system32\aquarantine\fhkQYGgh.ini
C:\WINDOWS\system32\aquarantine\fhkQYGgh.ini2
C:\WINDOWS\system32\aquarantine\fNXGOXbc.ini
C:\WINDOWS\system32\aquarantine\fNXGOXbc.ini2
C:\WINDOWS\system32\aquarantine\gfPAdMoq.ini
C:\WINDOWS\system32\aquarantine\gfPAdMoq.ini2
C:\WINDOWS\system32\aquarantine\IiRrsBeg.ini
C:\WINDOWS\system32\aquarantine\IiRrsBeg.ini2
C:\WINDOWS\system32\aquarantine\JjPAbccf.ini
C:\WINDOWS\system32\aquarantine\JjPAbccf.ini2
C:\WINDOWS\system32\aquarantine\kmmVwyay.ini
C:\WINDOWS\system32\aquarantine\kmmVwyay.ini2
C:\WINDOWS\system32\aquarantine\nTCdNXbc.ini
C:\WINDOWS\system32\aquarantine\nTCdNXbc.ini2
C:\WINDOWS\system32\aquarantine\QpYbLRqr.ini
C:\WINDOWS\system32\aquarantine\QpYbLRqr.ini2
C:\WINDOWS\system32\aquarantine\TDfNTtwa.ini
C:\WINDOWS\system32\aquarantine\TDfNTtwa.ini2
C:\WINDOWS\system32\aquarantine\UEOYaJjl.ini
C:\WINDOWS\system32\aquarantine\UEOYaJjl.ini2
C:\WINDOWS\system32\aquarantine\uuttBcfe.ini
C:\WINDOWS\system32\aquarantine\uuttBcfe.ini2
C:\WINDOWS\system32\aquarantine\vGgNmUtv.ini
C:\WINDOWS\system32\aquarantine\vGgNmUtv.ini2
C:\WINDOWS\system32\aquarantine\wFLUvFhk.ini
C:\WINDOWS\system32\aquarantine\wFLUvFhk.ini2
C:\WINDOWS\system32\aquarantine\wGQsYJjl.ini
C:\WINDOWS\system32\aquarantine\wGQsYJjl.ini2
C:\WINDOWS\system32\aquarantine\XaIlRXyb.ini
C:\WINDOWS\system32\aquarantine\XaIlRXyb.ini2
C:\WINDOWS\system32\aquarantine\XbeLmnmp.ini
C:\WINDOWS\system32\aquarantine\XbeLmnmp.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\efcaaWol.dll
C:\WINDOWS\system32\mlxotpsl.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\XaIlRXyb.ini
C:\WINDOWS\system32\XaIlRXyb.ini2
C:\xcrashdump.dat
----- BITS: Possible infected sites -----
hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.
2008-06-15 01:07 . 2008-06-15 01:08 20,640 --a------ C:\WINDOWS\system32\Status.MPF
2008-06-14 14:10 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00D3CE1.dat
2008-06-13 14:09 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00FF7F9.dat
2008-06-13 14:06 . 2008-06-13 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 13:09 . 2008-06-13 13:09 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-06-13 08:23 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c006AD89.dat
2008-06-12 08:20 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00B7EA4.dat
2008-06-02 20:46 . 2008-06-14 21:57 24,576 --a------ C:\WINDOWS\system32\__c00BCEF6.dat
2008-06-02 08:29 . 2008-06-15 01:01 <DIR> d-------- C:\WINDOWS\system32\aquarantine
2008-05-24 22:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-22 09:21 . 2008-05-22 09:21 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 21:35 . 2008-05-19 10:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\Documents and Settings\Administrator.DELL5150
2008-05-18 13:51 . 2008-05-18 13:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 13:51 . 2008-05-18 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 21:49 . 2008-05-17 21:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 19:36 . 2008-05-19 20:14 <DIR> d-------- C:\Program Files\Big Hammer
2008-05-17 07:15 . 2008-06-08 10:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 07:15 . 2008-05-17 07:15 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 11:34 --------- d-----w C:\Documents and Settings\vidas\Application Data\uTorrent
2008-06-09 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-06-02 07:42 --------- d-----w C:\Documents and Settings\vidas\Application Data\dvdcss
2008-05-29 01:55 --------- d-----w C:\Documents and Settings\vidas\Application Data\RipIt4Me
2008-05-29 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-28 12:55 --------- d-----w C:\Documents and Settings\vidas\Application Data\SuperNZB
2008-05-27 20:04 --------- d-----w C:\Documents and Settings\vidas\Application Data\Vso
2008-05-25 02:22 --------- d-----w C:\Program Files\Java
2008-05-22 13:26 --------- d-----w C:\Program Files\GetRight
2008-05-20 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-20 01:06 --------- d-----w C:\Documents and Settings\vidas\Application Data\AdobeUM
2008-05-20 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-06 00:19 87,608 ----a-w C:\Documents and Settings\vidas\Application Data\inst.exe
2007-06-06 00:19 47,360 ----a-w C:\Documents and Settings\vidas\Application Data\pcouffin.sys
2006-01-08 16:19 104 --sha-r C:\WINDOWS\system32\C7C146FA42.sys
2006-01-08 16:19 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06FE8FBC-F50A-4A54-BEED-FECD189B4689}]
C:\WINDOWS\system32\rqRLbYpQ.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09F97D15-88E7-4F1F-87CB-7AACA6417BF3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C197A84-B51E-4BE6-8A71-840310BAC5E4}]
C:\WINDOWS\system32\byXRlIaX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C1B193D-B22F-4817-A6A5-9B414C9577F6}]
C:\WINDOWS\system32\awtTNfDT.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3027637e-bb89-4ff9-af6e-01590aac60a8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36b5cccb-f6cb-467d-aadc-7911721fbdb7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B5E359F-B6DA-4F0F-8A14-DACBAB9C378C}]
C:\WINDOWS\system32\cbXNdCTn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5770D467-5848-4131-BF7B-41C1ECC816A7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59B64005-1F8C-44A0-BAA2-54D74FAC1630}]
C:\WINDOWS\system32\ljJaYOEU.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60FDB0CC-B47F-48AB-A56F-6F4C758E17EA}]
C:\WINDOWS\system32\yaywVmmk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6373352c-55df-4136-a155-47df5bb41785}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{679D26F9-20E1-4D43-9003-C002870654D8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F143B1-2A04-4255-9358-74EB3BBF3919}]
C:\WINDOWS\system32\ljJYsQGw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90f48ae7-54f9-4d85-b5bc-67ee327f6120}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B0F10AA-E955-444A-A1F4-584FBE11A171}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B71CE0E-697A-42AF-99D7-1FD92C516B6F}]
C:\WINDOWS\system32\qoMdAPfg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A24CF77C-D296-45C8-BC3C-98527DD3A4D9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABFE3C96-238C-4356-A473-CC7D08607A08}]
C:\WINDOWS\system32\fccbAPjJ.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b64ead00-c3fb-48fe-a4e9-03c5f0470946}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C53C08B0-4185-412B-B17A-E97CE56834DB}]
C:\WINDOWS\system32\khFvULFw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CB4B3B-1E2C-4D1E-8ECD-4100AE26D4E3}]
C:\WINDOWS\system32\vtUmNgGv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA1B18F6-6E8B-45B9-8163-ECA3643C486A}]
C:\WINDOWS\system32\efcBttuu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBCA1831-6724-4FC8-85DD-0B40E945B947}]
C:\WINDOWS\system32\khfFXoLD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E83DDB3D-D483-409B-9721-73251D27B206}]
C:\WINDOWS\system32\hgGYQkhf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9a2ee09-1a6c-4911-8bf2-49acd166c344}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaeb55b0-b8e7-4c29-ab70-0053d2c3e924}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed8e1a4c-f0d1-4d3a-8e04-734b25b8002b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8F1B10E-FF76-47CA-84E7-7C25274234C8}]
C:\WINDOWS\system32\byXRlJdd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F96A88C1-CB49-4E36-A2C8-C852E4C775F0}]
C:\WINDOWS\system32\geBsrRiI.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fece42d5-c2c6-410b-aafd-bf96bb0d07ad}]
C:\WINDOWS\system32\dlojslho.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 01:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 01:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 01:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-19 13:28 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-19 13:28 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 14:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00 1005096]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 12:29 49152]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"94a95cb1"="C:\WINDOWS\system32\oogqihmk.dll" [ ]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM979a6f2d"="C:\WINDOWS\system32\jxxvlquo.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-06 14:30:54 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaaWol]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BCEF6]
C:\WINDOWS\system32\__c00BCEF6.dat 2008-06-14 21:57 24576 C:\WINDOWS\system32\__c00BCEF6.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 05:07:59 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL5150-vidas).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-06-15 05:10:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 01:08:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\vidas\LOCALS~1\Temp\PCONFIG.__1 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c00BCEF6.dat
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2008-06-15 1:15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 05:15:38
Pre-Run: 40,653,688,832 bytes free
Post-Run: 40,623,357,952 bytes free
260 --- E O F --- 2008-06-15 05:15:00
And the malwarebytes log:
Malwarebytes' Anti-Malware 1.17
Database version: 859
3:10:08 AM 6/16/2008
mbam-log-6-16-2008 (03-10-08).txt
Scan type: Full Scan (C:\|)
Objects scanned: 169185
Time elapsed: 31 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 118
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\vidas\Local Settings\Temp\msiexec.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\vidas\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\vidas\My Documents\CDload\malwarebytesantimalware\Keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule18.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\iCheck.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP552\A0096898.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP554\A0097950.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP575\A0102325.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0103623.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0103626.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0103629.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0103643.exe (Trojan.FakeAler) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104725.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104730.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104733.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104737.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104740.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104742.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104743.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104747.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104750.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104755.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104759.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104762.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104772.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104775.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104780.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104781.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104859.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104866.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0104871.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0105071.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0105076.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0105149.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0105151.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0105162.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0105175.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0105183.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0105232.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0105234.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0105304.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0106458.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP581\A0106459.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP585\A0106718.exe (Proxy.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP585\A0106719.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP585\A0106722.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP586\A0106778.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP587\A0106850.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP587\A0106851.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP587\A0106852.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP587\A0106859.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\3142.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\accesss.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\astctl32.ocx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\clrssn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctrlpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\directx32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dnsrelay.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\editpad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funniest.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funny.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\gfmnaaa.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\helpcvs.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iedll.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\inetinf.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msconfd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msspi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssys.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msupdate.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc10.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc20.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mtwirl32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\notepad32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\qttasks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\quicken.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c006AD89.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00B7EA4.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00D3CE1.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00FF7F9.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.vbe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\searchword.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\sistem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\svcinit.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systeem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systemcritical.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\time.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\users32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\waol.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win32e.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win64.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winajbm.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\window.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winmgnt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xplugin.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
shelf life
2008-06-17, 00:54
hi,
that second combofix log looks exactly like the first one you posted- you did this part??:
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINDOWS\system32\__c00D3CE1.dat
C:\WINDOWS\system32\__c00FF7F9.dat
C:\WINDOWS\system32\__c006AD89.dat
C:\WINDOWS\system32\__c00B7EA4.dat
C:\WINDOWS\system32\__c00BCEF6.dat
C:\WINDOWS\system32\Status.MPF
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaaWol]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BCEF6]
Folder::
C:\WINDOWS\system32\aquarantine
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.
whats this:
vidas\My Documents\CDload\malwarebytesantimalware\Keygen\keygen.exe
you downloaded a keygen? malwarebytes is free to update and scan with
keygens carry payloads, like trojan downloaders virus/worms etc.
greenh25
2008-06-17, 04:17
I don't know. I must have screwed it up. However, I have a CFScript.txt on the desktop identical to the one that you want me to create and I think that I remember dragging it to ComboFix, but obviously I didn't.
Here is the log:
ComboFix 08-06-12.2 - vidas 2008-06-16 20:34:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.618 [GMT -4:00]
Running from: C:\Documents and Settings\vidas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\vidas\Desktop\cfscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\__c006AD89.dat
C:\WINDOWS\system32\__c00B7EA4.dat
C:\WINDOWS\system32\__c00BCEF6.dat
C:\WINDOWS\system32\__c00D3CE1.dat
C:\WINDOWS\system32\__c00FF7F9.dat
C:\WINDOWS\system32\Status.MPF
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\vidas\Application Data\inst.exe
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc
C:\Documents and Settings\vidas\Application Data\Microsoft\dtsc\s
C:\WINDOWS\system32\aquarantine
C:\WINDOWS\system32\aquarantine\__c001FB90.dat
C:\WINDOWS\system32\aquarantine\_A00F1710D7A.exe
C:\WINDOWS\system32\aquarantine\_A00F5317464.exe
C:\WINDOWS\system32\aquarantine\_A00F8217B.exe
C:\WINDOWS\system32\aquarantine\_A00F83159vpk.exe
C:\WINDOWS\system32\aquarantine\_A00F8BCFF.exe
C:\WINDOWS\system32\aquarantine\~DF45BC.tmp
C:\WINDOWS\system32\aquarantine\~DF87E1.tmp
C:\WINDOWS\system32\aquarantine\~DFBFF7.tmp
C:\WINDOWS\system32\aquarantine\~DFDE6E.tmp
C:\WINDOWS\system32\aquarantine\agpknhuj.ini
C:\WINDOWS\system32\aquarantine\ajyfafuf.ini
C:\WINDOWS\system32\aquarantine\akxvwnuh.ini
C:\WINDOWS\system32\aquarantine\aopnpgtvvpk.dll
C:\WINDOWS\system32\aquarantine\bfixmxis.ini
C:\WINDOWS\system32\aquarantine\bjqwooik.ini
C:\WINDOWS\system32\aquarantine\bqbdaffv.ini
C:\WINDOWS\system32\aquarantine\bxkkrksj.ini
C:\WINDOWS\system32\aquarantine\chuqyddg.ini
C:\WINDOWS\system32\aquarantine\clkcnt.txt
C:\WINDOWS\system32\aquarantine\coqpjkjk.ini
C:\WINDOWS\system32\aquarantine\dlojslho.dll
C:\WINDOWS\system32\aquarantine\fpmxhkco.ini
C:\WINDOWS\system32\aquarantine\frnfshaw.ini
C:\WINDOWS\system32\aquarantine\gdlotfdf.ini
C:\WINDOWS\system32\aquarantine\gvcnnviu.dll
C:\WINDOWS\system32\aquarantine\hlwytplr.ini
C:\WINDOWS\system32\aquarantine\iaavsibh.ini
C:\WINDOWS\system32\aquarantine\jhljbowc.ini
C:\WINDOWS\system32\aquarantine\juhnkpga.dll
C:\WINDOWS\system32\aquarantine\juksxgfr.ini
C:\WINDOWS\system32\aquarantine\kmhiqgoo.ini
C:\WINDOWS\system32\aquarantine\konclpfa.ini
C:\WINDOWS\system32\aquarantine\kutqyska.dll
C:\WINDOWS\system32\aquarantine\liqestmr.dll
C:\WINDOWS\system32\aquarantine\lnckklbj.ini
C:\WINDOWS\system32\aquarantine\lsptoxlm.dll
C:\WINDOWS\system32\aquarantine\mfwwblre.ini
C:\WINDOWS\system32\aquarantine\mlxotpsl.ini
C:\WINDOWS\system32\aquarantine\mrhsdtyw.ini
C:\WINDOWS\system32\aquarantine\nnbvtdeb.ini
C:\WINDOWS\system32\aquarantine\ocdflfoc.exe
C:\WINDOWS\system32\aquarantine\qvcxcxjd.dll
C:\WINDOWS\system32\aquarantine\rsujhlrn.ini
C:\WINDOWS\system32\aquarantine\rxittxsb.ini
C:\WINDOWS\system32\aquarantine\rxituopb.ini
C:\WINDOWS\system32\aquarantine\scpeulsu.ini
C:\WINDOWS\system32\aquarantine\smgotoxt.ini
C:\WINDOWS\system32\aquarantine\Status.MPF
C:\WINDOWS\system32\aquarantine\tdxpwvmx.exe
C:\WINDOWS\system32\aquarantine\twvbtimg.ini
C:\WINDOWS\system32\aquarantine\txfiifbi.dll
C:\WINDOWS\system32\aquarantine\txotogms.dll
C:\WINDOWS\system32\aquarantine\uivnncvg.ini
C:\WINDOWS\system32\aquarantine\vkhbvsxm.exe
C:\WINDOWS\system32\aquarantine\vpubaxww.ini
C:\WINDOWS\system32\aquarantine\wejqkvvw.ini
C:\WINDOWS\system32\aquarantine\wpa.dbl
C:\WINDOWS\system32\aquarantine\yaywVmmk.dll
C:\WINDOWS\system32\aquarantine\ylkhigri.ini
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\Status.MPF
----- BITS: Possible infected sites -----
hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER
-------\Service_clbdriver
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.
2008-06-16 02:26 . 2008-06-16 02:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 02:26 . 2008-06-16 02:26 <DIR> d-------- C:\Documents and Settings\vidas\Application Data\Malwarebytes
2008-06-16 02:26 . 2008-06-16 02:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 02:26 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-16 02:26 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 17:30 . 2008-06-14 01:37 <DIR> d-------- C:\SDFix
2008-06-15 03:17 . 2008-06-15 21:27 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-15 03:16 . 2008-06-15 03:16 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-15 01:51 . 2008-06-15 01:51 <DIR> d-------- C:\WINDOWS\system32\netrax06
2008-06-15 01:51 . 2008-06-15 01:51 <DIR> d-------- C:\Temp\itmp4
2008-06-15 01:51 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-15 01:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-15 01:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 14:06 . 2008-06-13 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 13:09 . 2008-06-13 13:09 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-06-07 22:16 . 2008-06-07 22:16 32,768 --a------ C:\WINDOWS\system32\netrax06\netrax061083.exe
2008-05-24 22:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-22 09:21 . 2008-05-22 09:21 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 21:35 . 2008-05-19 10:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\Documents and Settings\Administrator.DELL5150
2008-05-18 13:51 . 2008-05-18 13:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 13:51 . 2008-05-18 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 21:49 . 2008-05-17 21:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 07:15 . 2008-06-15 01:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 07:15 . 2008-05-17 07:15 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 11:25 --------- d-----w C:\Program Files\Sonic
2008-06-16 07:59 --------- d-----w C:\Documents and Settings\vidas\Application Data\dvdcss
2008-06-16 07:55 --------- d-----w C:\Documents and Settings\vidas\Application Data\RipIt4Me
2008-06-16 07:53 --------- d-----w C:\Documents and Settings\vidas\Application Data\uTorrent
2008-06-09 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-05-29 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-28 12:55 --------- d-----w C:\Documents and Settings\vidas\Application Data\SuperNZB
2008-05-27 20:04 --------- d-----w C:\Documents and Settings\vidas\Application Data\Vso
2008-05-25 02:22 --------- d-----w C:\Program Files\Java
2008-05-22 13:26 --------- d-----w C:\Program Files\GetRight
2008-05-20 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-20 01:06 --------- d-----w C:\Documents and Settings\vidas\Application Data\AdobeUM
2008-05-20 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2007-06-06 00:19 47,360 ----a-w C:\Documents and Settings\vidas\Application Data\pcouffin.sys
2006-01-08 16:19 104 --sha-r C:\WINDOWS\system32\C7C146FA42.sys
2006-01-08 16:19 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-15_ 1.15.23.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 05:07:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 00:39:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-04-15 13:44:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-15 21:38:50 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-04-15 13:44:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-15 21:38:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-04-15 13:44:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-15 21:38:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-09 02:07:09 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-06-15 12:05:54 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2004-08-04 11:00:00 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
- 2008-02-16 08:59:34 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-02-16 08:59:35 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-06-09 02:07:09 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-06-15 12:05:54 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-02-16 08:59:35 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-02-16 08:59:35 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-02-15 09:23:37 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-04-17 10:52:54 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-02-16 08:59:35 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-06-15 12:06:23 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-02-16 08:59:35 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-04-21 07:03:58 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-02-16 08:59:35 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-02-16 22:29:38 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-02-16 08:59:37 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-02-16 08:59:37 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-06-15 12:06:41 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-02-16 08:59:37 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-21 07:03:59 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-02-16 08:59:37 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-02-16 08:59:38 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-02-16 08:59:38 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2008-02-16 08:59:38 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-02-16 08:59:39 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-21 07:04:00 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-06-15 12:06:23 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 18:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-06-15 12:06:41 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-02-16 08:59:39 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-06-15 12:06:15 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 01:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 01:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 01:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-19 13:28 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-19 13:28 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 14:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00 1005096]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 12:29 49152]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-06 14:30:54 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 00:39:32 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL5150-vidas).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-06-17 00:42:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 20:39:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\Status.MPF 22016 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2008-06-16 20:44:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 00:44:23
ComboFix2.txt 2008-06-15 05:15:42
Pre-Run: 39,309,455,360 bytes free
Post-Run: 39,356,968,960 bytes free
327 --- E O F --- 2008-06-15 07:17:38
Regarding
vidas\My Documents\CDload\malwarebytesantimalware\Keygen\keygen.exe
I tried to clean my PC myself before I contacted you. I d/l free software from Home Depot in early May this year on how to design a backyard fence. My recollection is that after I installed it I had these pop ups, Internet Speed Monitor was installed On the PC, etc
My unsuccessful efforts include creating
C:\windows\system32\aquaranteen
where I would move things that I suspected as being bad. Of course it didn't work. In desperation, short of reformatting the hard drive and reloading everything, somewhere I read of programs like ComboFix, Malwarebytes,etc.
I don't know how to use them, but usenet had malwarebytes posted and I d/l it thinking that I didn't have anything to lose since I couldn't solve my problem by myself. I didn't install it since I found out that Spybot exists, the forum exists and that you exist and that you actually help get rid of malware. So I am here asking for help.
To help you understand this, please be aware that my favorite OS is DOS 6.2, my favorite browser is Netscape 3, and my favorite programming language is GWbasic. Everything else to me is fluff or I am ancient.
shelf life
2008-06-17, 05:52
hi
ok thanks for the info. no problem.
see if you can run sdfix in safe mode now. if not dont worry about it. hows it looking on your end? please check malwarebytes for updates then do another scan with it and post the log from it.
we will get 2 files checked out:
to help show all files:
FOr XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok
navigate here:
C:\WINDOWS\system32
see if you can find:
C7C146FA42.sys and
beep.sys
if so go to this website below, browse for the two files and upload each one by clicking the send button. they will be scanned. you can copy/paste the results in your reply
website to upload files:
http://www.virustotal.com/
---------------------------------------------------------
also after the above do a online scan here:
ESET online scanner:
http://www.eset.com/onlinescan/
uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.
sorry for all this double checking but malware is getting much more better at hiding itself.
shelf life
greenh25
2008-06-18, 03:13
Hi,
Here is the SDFix report:
SDFix: Version 1.192
Run by vidas on Mon 06/16/2008 at 11:45 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 23:53:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
Remaining Files :
Files with Hidden Attributes :
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 8 Jan 2006 104 A.SHR --- "C:\WINDOWS\system32\C7C146FA42.sys"
Sun 8 Jan 2006 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT10.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\vidas\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\vidas\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\vidas\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 22 Apr 2007 8 A..H. --- "C:\Documents and Settings\vidas\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
Here is the malwarebytes report:
Malwarebytes' Anti-Malware 1.17
Database version: 862
12:34:26 AM 6/17/2008
mbam-log-6-17-2008 (00-34-26).txt
Scan type: Full Scan (C:\|)
Objects scanned: 164673
Time elapsed: 29 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is the C7C146FA42.sys report from http://www.virustotal.com/
File C7C146FA42.sys received on 06.17.2008 05:07:36 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/33 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2008.6.17.0 2008.06.16 -
AntiVir 7.8.0.55 2008.06.16 -
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.16 -
AVG 7.5.0.516 2008.06.16 -
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.16 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.16 -
eSafe 7.0.15.0 2008.06.16 -
eTrust-Vet 31.6.5880 2008.06.17 -
Ewido 4.0 2008.06.16 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.16 -
GData 2.0.7306.1023 2008.06.17 -
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5318 2008.06.16 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3192 2008.06.17 -
Norman 5.80.02 2008.06.16 -
Panda 9.0.0.4 2008.06.16 -
Prevx1 V2 2008.06.17 -
Rising 20.49.02.00 2008.06.16 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.352 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.16 -
VBA32 3.12.6.7 2008.06.16 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 -
Additional information
File size: 104 bytes
MD5...: 6e6e602453dea3116a8a1ef2a473532c
SHA1..: 3b21c62a480e3029dedb23e0b6bf9814a361ec39
SHA256: b88e97a49cc854d0d5a0e2c481253bd1a39c6f77e65ca5c34d28ad8a53e75c41
SHA512: bd265c6468c6a230af37b84978f5a64852d940d5995e748c374d5dd132424b35
0d77213077dfcbb806259b257244ec18d1d583b975fb6578a822a0d361c63825
PEiD..: -
PEInfo: -
Here is the beep.sys report from http://www.virustotal.com/
File beep.sys received on 06.17.2008 05:12:00 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/33 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2008.6.17.0 2008.06.16 -
AntiVir 7.8.0.55 2008.06.16 -
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.16 -
AVG 7.5.0.516 2008.06.16 -
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.16 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.16 -
eSafe 7.0.15.0 2008.06.16 -
eTrust-Vet 31.6.5880 2008.06.17 -
Ewido 4.0 2008.06.16 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.16 -
GData 2.0.7306.1023 2008.06.17 -
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5318 2008.06.16 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3192 2008.06.17 -
Norman 5.80.02 2008.06.16 -
Panda 9.0.0.4 2008.06.16 -
Prevx1 V2 2008.06.17 -
Rising 20.49.02.00 2008.06.16 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.352 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.16 -
VBA32 3.12.6.7 2008.06.16 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 -
Additional information
File size: 4224 bytes
MD5...: da1f27d85e0d1525f6621372e7b685e9
SHA1..: e3d2dc5eb273fa701de8af13b60d6baac7629260
SHA256: 5a81a46a3bdd19dafc6c87d277267a5d44f3a1b5302f2cc1111d84b7bad5610d
SHA512: 8b8a95965ccaf51d578c2dd761abfc750fe464360e8244e5a06c2089586ac6fd
e2989e3ab7cc8b28a034c8c9fdba69c2641730674ca55d172d0d1a3e7e53fa8b
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1066c
timedatestamp.....: 0x3b7d82e5 (Fri Aug 17 20:47:33 2001)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x424 0x480 5.77 64f775a399d212649b5b58a280791c2d
.rdata 0x780 0xad 0x100 2.62 0ace5f365131534c66de4137833221ad
INIT 0x880 0x284 0x300 4.44 13a9d0bea8490140305ffa9291acfd99
.rsrc 0xb80 0x3c8 0x400 3.22 9b654fc1759147ff04b147754f347be4
.reloc 0xf80 0x9a 0x100 2.80 5c4742feb834ca0995d1e806fe06cc57
( 2 imports )
> ntoskrnl.exe: MmLockPagableDataSection, KeCancelTimer, MmUnlockPagableImageSection, IoStartNextPacket, KeSetTimer, _allmul, IoStartPacket, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, IoCreateDevice, RtlInitUnicodeString, IoAcquireCancelSpinLock, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, IoReleaseCancelSpinLock, IoDeleteDevice, IofCompleteRequest
> HAL.dll: ExReleaseFastMutex, KfRaiseIrql, KfLowerIrql, HalMakeBeep, ExAcquireFastMutex
( 0 exports )
Here is the online scan report
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3192 (20080616)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0fdda021a4efd743a2f0ea35aa2bba1b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-06-17 05:40:54
# local_time=2008-06-17 01:40:54 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=416476
# found=5
# scan_time=3698
C:\Documents and Settings\vidas\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.84767 probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\vidas\My Documents\CDload\AOPs\realVNC440\RealVNC Enterprise v4.4.0\vpk.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\vidas\My Documents\CDload\movies\adobeaudition3\Keygen\Adobe AuditionV3.0Keygen.EXE probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\CatRoot\bbihkqho.dll a variant of Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\netrax06\netrax061083.exe Win32/TrojanDownloader.VB.AWJ trojan (unable to clean - deleted) 00000000000000000000000000000000
At my end things appear to be fairly normal. The PC is not sluggish, there is no hesitation when I browse to a site, there are no popups. Windows update is working, it d/l 6 updates and installed them. Task manager is working.
One reservation that I have is that every time that I boot up, in c:\documents and settings\vidas\local settings\temp a file is created named ~df????.tmp that is 16kb in size. The file can not be renamed or deleted because it is in use. These files have no information on them in "right click and properties". Looking at the file in notepad is meaningless. What do you think?
shelf life
2008-06-18, 05:26
hi greenh25,
ok looking better. i dont think that .tmp file is anything to worry about could be some software creating it or windows. all the logs look good as far as malware goes.
a couple of things:
remove tools:
a easy way to delete all the tools we used is to download OTmoveit2:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it. click the CleanUp! button to begin.
java:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites/exploits that can be taken advantage of to possibly introduce malware via your browser.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/installed.jsp
system restore:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
always check malwarebytes first- for updates before scanning with it.
if all is good, some info for you:
My Top Ten
The Short Version:
1) Keep your OS, browser and software up to date.
2) Know what you are installing to your computer. Do you trust the source?
3) Install, keep updated: antivirus and one or two anti-malware applications.
4) Dont click on adds/pop ups or offers from websites to install software.
5) Dont click on offers to "scan" your computer.
6) Dont click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting the message. Do you trust the source?
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez, cracks/keygens, P2P or adult sites you are much more likely to encounter malicious code. Do you trust the source?
long version in link below. happy safe surfing out there.
greenh25
2008-06-18, 14:51
Hello shelf life,
Once again, thank you very much for making my PC clean and pristine. Also, thanks for your advice, your top ten tips. It sounds like excellent advice.
shelf life
2008-06-19, 01:28
hi greenh25,
your welcome. happy safe surfing out there.
shelf life