Infection Note: Ldpinch Trojan

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Infection Note: Ldpinch Trojan

Options

chapin33 View Member Profile	Oct 20 2007, 03:06 PM Post #1
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	I have XP Pro on my PC and XP Home on my lap top. Both computers have AVG free for virus protection and the following for spyware programs: Spyware Blaster, Spybot, Ad-Aware, a-squared Free, and Spy Sweeper. I have run all of the programs and like the previous entry, Spy Sweeper is the only one, that id this and it id it on both the PC and lap top. Note AVG is updated with latest definitions and it did not catch anything and I did a thorough sweep. I found another thread that noted similar problem and it advised the use of Super AntiSpyware download. I wondered if a second virus scan is ok as I know having more than one virus program is not good. Please advise. Also, one additional thing I forgot to mention, when running Spy Sweeper, I ran a quick scan on both computers and both times it caught this "ldpinch trojan" . At the completion of the scan, it first advised to quarantine the item, which I did and then it advised at a full sweep was needed so I did the full sweep. At the conclusion of the full sweeps on both the lap top and the PC, there was nothing detected. That seems odd because it (ldpinch trojan) is still there but quarantined so doesn't it get recognized? Please advise.

quietman7 View Member Profile	Oct 20 2007, 03:58 PM Post #2
Bleepin' Janitor Group: Global Moderator Posts: 13,112 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Are you doing your scans in "SAFE MODE" and doing them while logged into the "Administrator Account" or an "account with administrator privileges"? If rescan in safe modes does not help, then do this: Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet. Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet. Reboot your computer in SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Scan with Dr.Web CureIt as follows: Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version) When the Dr.Web opens, an "Express Scan of your PC" notice will appear. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes* button when it asks you if you want to cure it.* Once the short scan has finished, Click Options > Change settings Choose the "Scan tab" and UNcheck "Heuristic analysis" Back at the main window, click "Select drives" (a red dot will show which drives have been chosen) Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start. When done, a message will be displayed at the bottom advising if any viruses were found. Click "Yes to all" if it asks if you want to cure/move the file. When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured) Next, in the Dr.Web CureIt menu on top, click file and choose save report list. Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.cvs report) Exit Dr.Web Cureit when done. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web in your next reply. Then perform this online Virus scan: BitDefender Online Scanner. <- Add a check by "Autoclean". (Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.) -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2008

quietman7 View Member Profile	Oct 20 2007, 04:09 PM Post #3
Bleepin' Janitor Group: Global Moderator Posts: 13,112 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	I saw that you were reading the other thread where another member has this same Trojan infection. The warning I provided to him about this being very dangerous applies to you as well. If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2008

buddy215 View Member Profile	Oct 20 2007, 05:49 PM Post #4
Forum Addict Group: Members Posts: 3,283 Joined: 14-April 06 Member No.: 64,042	To answer your question about quarantined files being recognized, a different security program would probably note the malware that you have quarantined but the same program that the malware is quarantined in would not note it. After a period of time and you are sure the quarantined files are malware, not a file that you need, you should permanently delete the quarantined files.

chapin33 View Member Profile	Oct 20 2007, 06:27 PM Post #5
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	As advised by quietman, I ran the scans in safe mode and the spyware programs I used in Safe mode found nothing so I went and did the scans with Dr. Web and the other program. Here is the report from Dr. Web... Please note these trojans listed are NOT the one listed in quarantine in Spy Sweeper. So are we dealing with multiple or are they all the same? Please advise. Here's the Dr. Web report: 3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.; A0056564.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP179;Trojan.Click.1487;Deleted.; Note: this is only from the PC. I assume that I will need to do the same thing w/the lap top. Right? And now I am off to do the virus scan through BitDefender. Will post when completed but am anxious to hear comments about this information posted here. Also, what if the trojan is still in spy sweeper? I read the comments above and was told to keep it in quarantine. Ok but don't I have to unquarantine it to fully remove it? I am a bit confused so please walk me through it. Thanks.

chapin33 View Member Profile	Oct 20 2007, 08:08 PM Post #6
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	Here is the report from the Bit Defender Virus Scan: BitDefender Online Scanner Scan report generated at: Sat, Oct 20, 2007 - 17:59:41 Scan path: A:\;C:\;D:\;E:\;F:\;G:\; Statistics Time 01:28:52 Files 231755 Folders 8132 Boot Sectors 6 Archives 5383 Packed Files 13643 Results Identified Viruses 1 Infected Files 1 Suspect Files 0 Warnings 0 Disinfected 0 Deleted Files 0 Engines Info Virus Definitions 855982 Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36) Scan plugins 14 Archive plugins 38 Unpack plugins 7 E-mail plugins 6 System plugins 1 Scan Settings First Action Disinfect Second Action Prompt Heuristics Yes Enable Warnings Yes Scanned Extensions *; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\WINDOWS\system32\ActiveScan\pskahk.dll Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E C:\WINDOWS\system32\ActiveScan\pskahk.dll Disinfection failed C:\WINDOWS\system32\ActiveScan\pskahk.dll Disinfection failed Please advise as it looks like the disinfection did not work. I don't understand what the problem is so all help would be greatly appreciated.

quietman7 View Member Profile	Oct 20 2007, 10:45 PM Post #7
Bleepin' Janitor Group: Global Moderator Posts: 13,112 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	DrWeb found other malware. Go ahead and delete your quarantined files. pskavs.dll is a legitimate file installed by Panda ActiveScan but there are some AV vendors that tag it as malicious. This a false positive detection caused by Panda's on-line scanner not encrypting its virus signature files. Download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE". (This is Ewdio 4.0 renamed and updated with a special "clean driver" for removing persistent malware.) Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions While in safe mode search for and delete the following file(s)/folder(s) if they are present. You can use Windows Explorer to navigate to or use Windows Search feature > More advanced options to locate them. parser.dpr parser.exe pinch.asm pinch.dpr pinch.tbp pinchbuilder.cfg pinchbuilder.dof pinchbuilder.dpr pinchbuilder.exe pinchbuilder.res trojan.psw.ldpinch.p.exe. To do this, go to Start -> Search and click For Files or Folders.... Click All files and folders. Type in the name of the file under "Search by...criteria." Click More advanced options and check these options: "Search system folders" "Search hidden files and folders" "Search subfolders" Then click "Search" to look for the file(s). When found right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file. Reboot normally and then perform this online Virus scan: F-Secure Online Scanner <- Be sure to follow the directions on the F-Secure page for proper Installation. (also checks for rootkits). (Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.) -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2008

chapin33 View Member Profile	Oct 21 2007, 12:52 PM Post #8
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	]DrWeb found other malware. Go ahead and delete your quarantined files. [/color] so delete the files found in Dr. Web or the file quarantined in Spy Sweeper? Note these are different files and Buddy advised to keep the one in Spy Sweeper quarantined. I am confused. pskavs.dll is a legitimate file installed by Panda ActiveScan but there are some AV vendors that tag it as malicious. This a false positive detection caused by Panda's on-line scanner not encrypting its virus signature files. [color="#FF0000"]Ok, but delete it? As for the next steps, I already did a scan in safe mode using AVG 7.5. As mentioned above, AVG found nothing. So isn't what you are asking above the same thing? or is it some different scan? I will await your response before I go through that step and then into explorer looking for the files. Also, are we really dealing with legit trojan in Spy Sweeper or another false positive? This post has been edited by chapin33: Oct 21 2007, 01:01 PM

quietman7 View Member Profile	Oct 21 2007, 01:47 PM Post #9
Bleepin' Janitor Group: Global Moderator Posts: 13,112 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	SpySweeper removed the Trojan so it is no longer a threat. You can delete the quarantined files from both programs. Don't worry about pskavs.dll. It will only install again the next time you use ActiveScan so just remember its legit. QUOTE As for the next steps, I already did a scan in safe mode using AVG 7.5. As mentioned above, AVG found nothing. So isn't what you are asking above the same thing? or is it some different scan? You mentioned in your first post scanning with AVG free anti-virus which found nothing. The scan I asked you to perform was with AVG Anti-spyware which is different. Many times Trojan infections drop other malware files that may not be detected by some of your existing security programs. That's why we are checking with other tools to make sure we find and remove anything else that may be lurking about. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2008

chapin33 View Member Profile	Oct 21 2007, 06:03 PM Post #10
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	Ok... it's been a long day but here's what I have done... 1. I deleted all quarantined files. 2. I went into safe mode and ran AVG Anti-Spyware. It did find some cookies but no trojans. Here is the report: AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 11:47:22 AM 10/21/2007 + Scan result: C:\Documents and Settings\Jo Ann\Cookies\jo_ann@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned. C:\Documents and Settings\Jo Ann\Cookies\jo_ann@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned. C:\Documents and Settings\Jo Ann\Cookies\jo_ann@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned. ::Report end 3. In safe mode I used Windows Explorer and looked for the following files: parser.dpr parser.exe pinch.asm pinch.dpr pinch.tbp pinchbuilder.cfg pinchbuilder.dof pinchbuilder.dpr pinchbuilder.exe pinchbuilder.res trojan.psw.ldpinch.p.exe. None of these files were found. 4. While still in safe mode, I ran another Spy Sweeper scan because I was curious to see if there was anything found and this program is the one that denoted a trojan on my PC. It found nothing. 5. I then rebooted and ran the F-Secure online scanner. It found two spyware, no trojan, but a possible browser hijack. Both of these were disinfected. Here is the report: Scanning Report Sunday, October 21, 2007 13:11:11 - 15:40:40 Computer name: JOANNDESK Scanning type: Scan system for viruses, rootkits, spyware Target: C:\ G:\ -------------------------------------------------------------------------------- Result: 2 malware found Possible Browser Hijack attempt (spyware) System (Disinfected) Tracking Cookie (spyware) System (Disinfected) -------------------------------------------------------------------------------- Statistics Scanned: Files: 42245 System: 4308 Not scanned: 4 Actions: Disinfected: 2 Renamed: 0 Deleted: 0 None: 0 Submitted: 0 Files not scanned: C:\HIBERFIL.SYS C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_50E417E0-E461-474B-96E2-077B80325612 -------------------------------------------------------------------------------- Options Scanning engines: F-Secure Libra: 2.4.2, 2007-10-19 F-Secure AVP: 7.0.171, 2007-10-21 F-Secure Orion: 1.2.37, 2007-10-19 F-Secure Blacklight: 1.0.64 F-Secure Draco: 1.0.35, 0597-150-72 F-Secure Pegasus: 1.19.0, 2007-09-18 Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX Use Advanced heuristics Quietman, I believe that I have done everything that you have asked. So is the problem gone? Also, if it is gone, do I do the exact steps outlined here with my lap top? As you may recall this was on both the PC and the lap top. Please advise and thanks so much for your assistance.

quietman7 View Member Profile	Oct 21 2007, 06:20 PM Post #11
Bleepin' Janitor Group: Global Moderator Posts: 13,112 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Yes, you can start to repeat those steps on your laptop. I have one other scan for you to perform. Please download Combofix and save it directly to your Desktop <- (Important!). Temporarily disable any anti-virus/anti-malware real-time protection before performing a scan so they don't interfere with ComboFix. Disconnect from the Internet. <- (Important!) Double click on combofix.exe & follow the prompts. When finished, it will produce a logfile located at C:\ComboFix.txt. Post the contents of that log in your next reply. Re-enable your anti-virus/anti-malware when done. * Do not mouseclick combofix's window while it is running as that may cause your system to stall/hang. * Disable BOClean and script blocking if you have NAV installed so it will not interfere with the fix. * Do NOT post the ComboFix-quarantined-files.txt unless asked. * ComboFix may reset Internet Explorer's settings, including making it the default browser. QUOTE Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2008

chapin33 View Member Profile	Oct 21 2007, 06:30 PM Post #12
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	before I do this, I have a router which connects the lap top and the PC. when disconnecting from internet, will I have a problem with router when reconnecting? I really hate messing with the setup of that. I have a router and the internet is through the cable. Please advise

quietman7 View Member Profile	Oct 21 2007, 06:36 PM Post #13
Bleepin' Janitor Group: Global Moderator Posts: 13,112 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	If your hesitant about disconnecting the router, then leave it alone. I prefer to do the scan when disconnected from the net but its not mandatory. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2008

chapin33 View Member Profile	Oct 21 2007, 06:55 PM Post #14
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	Here is the Combo Fix report: ComboFix 07-10-20.6 - Jo Ann 2007-10-21 16:42:51.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT -7:00] Running from: C:\Documents and Settings\Jo Ann\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\_000008_.tmp.dll . ((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 ))))))))))))))))))))))))))))))) . 2007-10-21 16:38 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-21 11:12 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\Grisoft 2007-10-21 11:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-10-20 15:00 <DIR> d-------- C:\Documents and Settings\Jo Ann\DoctorWeb 2007-10-09 13:50 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-09-30 12:39 <DIR> d-------- C:\Program Files\iTunes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-21 20:01 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\AVG7 2007-10-21 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2007-10-21 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2007-10-20 19:15 --------- d-----w C:\Program Files\a-squared Free 2007-10-20 18:51 --------- d-----w C:\Program Files\SpywareBlaster 2007-10-14 20:26 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\U3 2007-10-07 18:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2007-09-30 19:39 --------- d-----w C:\Program Files\iPod 2007-09-15 16:52 --------- d-----w C:\Program Files\Apple Software Update 2007-07-28 17:01 164 ----a-w C:\install.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 17:40] "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:00 C:\WINDOWS\system32\rundll32.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk.disabled [2007-01-14 14:27:40] HP Digital Imaging Monitor.lnk.disabled [2006-12-23 11:20:24] HP Image Zone Fast Start.lnk.disabled [2006-12-23 11:20:24] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "<NO NAME>"= "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" "NvCplDaemon"="RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" "SigmatelSysTrayApp"=stsystra.exe "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys . Contents of the 'Scheduled Tasks' folder "2007-09-15 16:47:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-21 16:46:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-10-21 16:53:09 - machine was rebooted . --- E O F --- Please advise....

chapin33 View Member Profile	Oct 21 2007, 09:40 PM Post #15
Member Group: Members Posts: 58 Joined: 19-December 05 From: CA Member No.: 45,468	I have completed all of the steps on both the PC and the lap top. I ran all of the scans on my lap top as outlined above and each report has not found anything so I am not posting any report unless you tell me I need to do so. Please advise if this situation has been corrected and if we are done? Thanks for your assistance.

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members: