View Full Version : Infected computer
Had someone look at computer and install anti virus programs but traces from the trojan virus are still existant. Original symptoms included virus changing wallpaper, inaccesibility to task manager, etc. Ran spybot in safemode and now have HJT log as follows. Any help greatly appreciated!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:01 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .security
O8 - Extra context menu item: &Search - ?p=ZJxdm035YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 2553 bytes
Baabiouz
2008-08-18, 06:21
Hello :)
I will be handling your log to help you get cleaned up. :greeting:
Step #1
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Step #2
Rename HijackThis.exe
1. Right click on the HijackThis icon.
http://i71.photobucket.com/albums/i125/timray2006/hjtrename1.jpg
2. Select Rename.
http://i71.photobucket.com/albums/i125/timray2006/hjtrename2.jpg
3. Now type the following scanner.exe <<< NOTE: make sure to put period before exe when typing.
Hit the enter key on keyboard.
http://i71.photobucket.com/albums/i125/timray2006/hjtrename3.jpg
Double click on Scanner.exe.
Click on Do a system scan and save a logfile. Post that log and Combofix log back here :)
Hey there:laugh:I ran the scan like instructed. The results are as follows:
ComboFix 08-08-17.03 - Zerina 2008-08-18 1:29:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.203 [GMT -4:00]
Running from: C:\Documents and Settings\Zerina\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\#SharedObjects\4HXLLWAD\interclick.com
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\#SharedObjects\4HXLLWAD\interclick.com\ud.sol
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Zerina\Application Data\rhcr98j0ev6j
C:\Documents and Settings\Zerina\Cookies\zerina@ad.yieldmanager[2].txt
C:\Documents and Settings\Zerina\Cookies\zerina@myspace[1].txt
C:\Documents and Settings\Zerina\UserData
C:\Documents and Settings\Zerina\UserData\IJMF6ZA5\YL[1].xml
C:\Documents and Settings\Zerina\UserData\index.dat
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-17 18:33 . 2008-08-17 18:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 18:14 . 2008-08-17 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-17 18:14 . 2008-08-17 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 20:16 . 2008-08-15 20:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-14 13:23 . 2008-08-14 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 07:25 . 2008-08-14 07:25 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-08-14 07:21 . 2008-08-14 07:38 <DIR> d-------- C:\Program Files\CyberDefender
2008-08-13 23:25 . 2008-08-13 23:25 0 --a------ C:\WINDOWS\system32\2A.tmp
2008-08-13 23:21 . 2008-08-14 13:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 23:16 . 2008-08-13 23:16 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-13 23:11 . 2008-08-13 23:11 0 --ah----- C:\WINDOWS\.security
2008-08-13 23:11 . 2008-08-13 23:11 0 --ah----- C:\.security
2008-08-13 22:47 . 2008-08-13 22:47 <DIR> d-------- C:\Program Files\ufxjbsc
2008-08-13 22:47 . 2008-08-14 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\adsrsrgt
2008-07-20 20:21 . 2008-08-06 17:27 <DIR> d-------- C:\Program Files\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 03:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 03:49 --------- d-----w C:\Program Files\iPod
2008-08-18 00:17 --------- d-----w C:\Program Files\Google
2008-08-16 00:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2006-04-26 21:51 15,360 ----a-w C:\Program Files\Rooming List.xls
2006-04-23 12:15 30,208 ----a-w C:\Program Files\greentreesales schedule April3-21.xls
2006-04-11 21:50 56,320 ----a-w C:\Program Files\greentreesales schedule April10-21.xls
2006-04-07 19:03 365,927 ----a-w C:\Program Files\Greentree05030410420.pdf
2006-04-03 20:33 144,405 ----a-w C:\Program Files\Bi Annual Training.pdf
2006-04-03 20:24 3,963,304 ----a-w C:\Program Files\msasync.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 18:04 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-15 00:11 53248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
C:\Documents and Settings\Zerina\Start Menu\Programs\Startup\
.security [2008-08-13 23:11:49 0]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Zerina\\Application Data\\vusbsp\\VonageTalkUSB.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Loaderw.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6286776a-2c47-11dd-ba13-000fb04b36c1}]
\Shell\AutoRun\command - E:\Loaderw.exe
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Zerina\Application Data\Mozilla\Firefox\Profiles\7h67x1s1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 01:34:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-08-18 1:38:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 05:38:22
Pre-Run: 66,567,725,056 bytes free
Post-Run: 66,748,243,968 bytes free
155 --- E O F --- 2008-08-14 12:37:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:45, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .security
O8 - Extra context menu item: &Search - ?p=ZJxdm035YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 2844 bytes
Baabiouz
2008-08-18, 16:24
Hello
Step #1
Please click on Start > Control Panel > Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and uninstall the following programs(if present):
CyberDefender
Step #2
Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,
File::
C:\WINDOWS\system32\2A.tmp
Folder::
C:\Program Files\ufxjbsc
C:\Documents and Settings\All Users\Application Data\adsrsrgt
C:\Program Files\CyberDefender
Dirlook::
C:\WINDOWS\.security
C:\.security
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Step #3
Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Step #4
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here (http://www.besttechie.net/tools/mbam-setup.exe) and save to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #5
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti
Please visit Jotti (http://virusscan.jotti.org/)
Copy/paste the the following file path into the window
C:\StubInstaller.exe
Click Submit/Send File
Please post back, to let me know the results.
If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)
Step #6
Please post Combofix log, Mbam log, Jotti/Virustotal results and a fresh HijackThis log back here :)
I couldn't do step one bc I did not find a program in my comuter with that name (cyber defender).
Here is the new long from combofix:
ComboFix 08-08-17.03 - Zerina 2008-08-18 14:28:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.272 [GMT -4:00]
Running from: C:\Documents and Settings\Zerina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zerina\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\2A.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\adsrsrgt
C:\Documents and Settings\Zerina\Cookies\zerina@ad.yieldmanager[2].txt
C:\Documents and Settings\Zerina\Cookies\zerina@ads.pointroll[1].txt
C:\Documents and Settings\Zerina\Cookies\zerina@afy11[2].txt
C:\Documents and Settings\Zerina\Cookies\zerina@insightexpressai[1].txt
C:\Documents and Settings\Zerina\Cookies\zerina@myspace[2].txt
C:\Documents and Settings\Zerina\Cookies\zerina@trafficmp[1].txt
C:\Documents and Settings\Zerina\Cookies\zerina@turn[2].txt
C:\Program Files\CyberDefender
C:\Program Files\CyberDefender\AntiSpyware\config.ini
C:\Program Files\CyberDefender\AntiSpyware\E.tmp
C:\Program Files\CyberDefender\AntiSpyware\WsLiveUpdateHost.ini
C:\Program Files\CyberDefender\AntiSpyware\WsLiveUpFiles\tmp\cdavpat.dat.03
C:\Program Files\CyberDefender\AntiSpyware\WsLiveUpFiles\wsliveup.dat.03
C:\Program Files\CyberDefender\AntiSpyware\wslvucfg.ini
C:\Program Files\ufxjbsc
C:\Program Files\ufxjbsc\winadmhlp.dll
C:\WINDOWS\system32\2A.tmp
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-17 18:33 . 2008-08-17 18:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 18:14 . 2008-08-17 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-17 18:14 . 2008-08-17 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 20:16 . 2008-08-15 20:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-14 13:23 . 2008-08-14 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 07:25 . 2008-08-14 07:25 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-08-13 23:21 . 2008-08-14 13:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 23:16 . 2008-08-13 23:16 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-13 23:11 . 2008-08-13 23:11 0 --ah----- C:\WINDOWS\.security
2008-08-13 23:11 . 2008-08-13 23:11 0 --ah----- C:\.security
2008-07-20 20:21 . 2008-08-06 17:27 <DIR> d-------- C:\Program Files\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 03:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 03:49 --------- d-----w C:\Program Files\iPod
2008-08-18 00:17 --------- d-----w C:\Program Files\Google
2008-08-16 00:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2006-04-26 21:51 15,360 ----a-w C:\Program Files\Rooming List.xls
2006-04-23 12:15 30,208 ----a-w C:\Program Files\greentreesales schedule April3-21.xls
2006-04-11 21:50 56,320 ----a-w C:\Program Files\greentreesales schedule April10-21.xls
2006-04-07 19:03 365,927 ----a-w C:\Program Files\Greentree05030410420.pdf
2006-04-03 20:33 144,405 ----a-w C:\Program Files\Bi Annual Training.pdf
2006-04-03 20:24 3,963,304 ----a-w C:\Program Files\msasync.EXE
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\.security ----
C:\.security\
---- Directory of C:\WINDOWS\.security ----
C:\WINDOWS\.security\
((((((((((((((((((((((((((((( snapshot@2008-08-18_ 1.37.50.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-18 00:26:00 52,962 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-18 16:53:05 52,962 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-18 00:26:00 380,588 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-18 16:53:05 380,588 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 18:04 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-15 00:11 53248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
C:\Documents and Settings\Zerina\Start Menu\Programs\Startup\
.security [2008-08-13 23:11:49 0]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Zerina\\Application Data\\vusbsp\\VonageTalkUSB.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Loaderw.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6286776a-2c47-11dd-ba13-000fb04b36c1}]
\Shell\AutoRun\command - E:\Loaderw.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 14:31:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-18 14:32:45
ComboFix-quarantined-files.txt 2008-08-18 18:32:25
ComboFix2.txt 2008-08-18 05:38:27
Pre-Run: 66,685,067,264 bytes free
Post-Run: 66,741,940,224 bytes free
125 --- E O F --- 2008-08-14 12:37:36
Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 2
3:00:20 PM 8/18/2008
mbam-log-08-18-2008 (15-00-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 57659
Time elapsed: 19 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcr98j0ev6j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\etc\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zerina\Start Menu\Programs\Startup\.security (Trojan.FakeAlert) -> Quarantined and deleted successfully.
File: StubInstaller.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: e2e6b01d43c2555b1be3f46d8297d409
Packers detected: -
Scanner results
Scan taken on 18 Aug 2008 19:11:05 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found Adware/180Solutions (probable variant)
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
ComboFix 08-08-17.03 - Zerina 2008-08-18 15:21:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.201 [GMT -4:00]
Running from: C:\Documents and Settings\Zerina\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\#SharedObjects\4HXLLWAD\interclick.com
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\#SharedObjects\4HXLLWAD\interclick.com\ud.sol
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Zerina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Zerina\Cookies\zerina@revsci[1].txt
C:\Documents and Settings\Zerina\Cookies\zerina@usatoday[2].txt
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 14:38 . 2008-08-18 14:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 14:38 . 2008-08-18 14:38 <DIR> d-------- C:\Documents and Settings\Zerina\Application Data\Malwarebytes
2008-08-18 14:38 . 2008-08-18 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 14:38 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 14:38 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 18:33 . 2008-08-17 18:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 18:14 . 2008-08-17 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-17 18:14 . 2008-08-17 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 20:16 . 2008-08-15 20:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-14 13:23 . 2008-08-14 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 07:25 . 2008-08-14 07:25 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-08-13 23:21 . 2008-08-14 13:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 23:16 . 2008-08-13 23:16 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-20 20:21 . 2008-08-06 17:27 <DIR> d-------- C:\Program Files\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 03:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 03:49 --------- d-----w C:\Program Files\iPod
2008-08-18 00:17 --------- d-----w C:\Program Files\Google
2008-08-16 00:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2006-04-26 21:51 15,360 ----a-w C:\Program Files\Rooming List.xls
2006-04-23 12:15 30,208 ----a-w C:\Program Files\greentreesales schedule April3-21.xls
2006-04-11 21:50 56,320 ----a-w C:\Program Files\greentreesales schedule April10-21.xls
2006-04-07 19:03 365,927 ----a-w C:\Program Files\Greentree05030410420.pdf
2006-04-03 20:33 144,405 ----a-w C:\Program Files\Bi Annual Training.pdf
2006-04-03 20:24 3,963,304 ----a-w C:\Program Files\msasync.EXE
.
((((((((((((((((((((((((((((( snapshot@2008-08-18_ 1.37.50.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-18 00:26:00 52,962 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-18 16:53:05 52,962 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-18 00:26:00 380,588 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-18 16:53:05 380,588 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 18:04 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-15 00:11 53248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Zerina\\Application Data\\vusbsp\\VonageTalkUSB.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Loaderw.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6286776a-2c47-11dd-ba13-000fb04b36c1}]
\Shell\AutoRun\command - E:\Loaderw.exe
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Zerina\Application Data\Mozilla\Firefox\Profiles\7h67x1s1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:23:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-18 15:25:21
ComboFix-quarantined-files.txt 2008-08-18 19:25:02
ComboFix2.txt 2008-08-18 18:32:46
ComboFix3.txt 2008-08-18 05:38:27
Pre-Run: 66,741,678,080 bytes free
Post-Run: 66,742,714,368 bytes free
112 --- E O F --- 2008-08-14 12:37:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm035YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 2784 bytes
by the way, i didn't find cyber defender in add/remove programs but a folder with the location C:\QooBox\Quarantine\C\Program Files came up on a search of my computer. Should I delete this file?
Baabiouz
2008-08-19, 06:13
Hello
C:\QooBox -folder is Combofix's quarantine, we'll remove it later.
Step #1
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
8 - Extra context menu item: &Search - ?p=ZJxdm035YYUS
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Step #2
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer:
Antivir (http://www.free-av.com/)
Avast Free (http://www.avast.com/eng/download-avast-home.html)
AVG Free (http://www.majorgeeks.com/download886.html)
Bitdefender Free (http://www.bitdefender.com/)
Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.
Step #3
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
(At installing Zonealarm, please uncheck this option "include a ZoneAlarm Spy Blocker...". The Toolbar is not recommended... You can read more about it here (http://sunbeltblog.blogspot.com/2007/12/another-security-company-succumbs-to.html).)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)
(at installing Comodo, please uncheck these options: "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Step #4
Please posta fresh HijackThis log back here :)
How's your PC working now?
Hi, I tried to install one of the antiviral s/w from the list of links you gave me and once it was finished scanning my cpu it asked me to register/purchase the program to remove the infected files/threats. That program was called "spyware doctor". Anyways I then downloaded another one after that. My cpu is running pretty slow now..I don't know if it's bc I have all these programs but is it necessary to have like 10 different ones? Maybe you can help me sort through them? Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:20, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 4308 bytes
Baabiouz
2008-08-19, 20:41
Hello
All you need would be Mbam, Comodo and Antivir. I think you should uninstall Spyware Doctor if your cpu is running slow. If that didn't help, try disable Spybot S&D (Teatimer).
Looks clean, great job! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Next we remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)
Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
If your computer is running slow, please read this article:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Thanks for all you're help you've been wonderful. I did what you instructed me to do but unfortunately my cpu is still running REALLY slow.. :( I don't know what else to do. I also don't know how to disable teatimer for spybot. Also is there a way to do things on the cpu w/o that pop up window from comodo and antivira askin me if i want to allow changes?
Baabiouz
2008-08-20, 06:08
Hello
Did you read this?
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Instructions to disbale Teatimer:
First:
Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second:
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Hello, thanks for your response. I did read the article before but I couldn't figure out what the problem was. Anyway, it's okay I will figure it out. My virus was my main concern anyway. Thanks for being so knowledgable and helpful. Take care!
Baabiouz
2008-08-20, 14:39
You're Welcome.
Hope you get fixed slow cpu problem.