possible virus (facebook) -- internet connection very slow, please help, I would appreciate any help very much, I have tried everything.
screaminjoe
post Oct 29 2008, 08:03 AM
Post #1


Hello all,

Here is my problem:
I clicked on a facebook link (stupid, yes, I know, I was tricked into it),
and since then, my internet connection has been extremely slow.
There is definitely a problem somewhere, and I assume it is probably due to this facebook link.

I am running Windows XP Pro, SP3, with Firefox 3.0.3 and ZoneAlarm free version.
All Windows security patches for Windows XP are currently up to date.

I have followed all the guidelines here and have tried everything I can do before posting.
I am using BitDefender antivirus, and definitions were updated -- scan showed no problems.
I have cleaned out everything using CCleaner, my drives are all defragmented, and I have tried Spybot Search & Destroy, SpyEraser, and scanned with McAfee Stinger with no luck.
Update: also tried Kaspersky's online virus scanner = nothing

I am no expert, but usually can handle most problems myself, until now.

Thanks very much in advance-- any help is greatly appreciated.
joseph

This post has been edited by screaminjoe: Oct 29 2008, 09:53 AM
nod32fen
post Oct 29 2008, 09:57 AM
Post #2


Scan with MalwareBytes' Anti-Malware:

QUOTE
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Then submit an ESET SysInspector log file, so I can see what the situation is.

QUOTE
Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start the program by running SysInspector.exe
The program will collect information about the state of your machine.
- When the inspector is ready and the log file has been generated, select File > Save Log
- Confirm the prompt

Choose to save the file somewhere and then upload on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.


screaminjoe
post Oct 29 2008, 11:01 AM
Post #3


Hi nod32fen,

Thanks very much for your response.
Here is the log file from the Malwarebytes quick scan:
---

Malwarebytes' Anti-Malware 1.30
Database version: 1335
Windows 5.1.2600 Service Pack 3

29.10.2008 16:41:54
mbam-log-2008-10-29 (16-41-54).txt

Scan type: Quick Scan
Objects scanned: 50247
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---

Then the ESET SysInspector log link is here:

http://4storing.com/pjmd7/3bc9e73ccdaa04b9...92b8a5472b.html

thank you again,
joseph
nod32fen
post Oct 29 2008, 11:28 AM
Post #4


Boot into Safe Mode and replace your hosts file with the original one:
http://4storing.com/c556w/84f68dcf58c40349...3914e1d08b.html

Copy the hosts file and paste it into:
C:\WINDOWS\System32\drivers\etc\


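The advice in the post above is to put the stock hosts file back. Before overwriting a hosts file it is worth knowing what it currently does, because two very different kinds of entry look alike: a name pinned to loopback (what ad and malware block lists do, harmless) and a name sent to some other address (the hijack pattern). The following is an added example written for this thread, not code from the thread or from any tool named in it; the sample hosts content, the addresses and the host names are constructed, and the function names are my own.

```python
"""Audit a Windows hosts file before overwriting it with the stock copy.
Added example for this thread; not code from the thread or from any tool named in it.
The sample hosts content, addresses and host names below are constructed."""
import ipaddress

# The only active (non-comment) entry Windows XP ships in
# %SystemRoot%\system32\drivers\etc\hosts.
XP_DEFAULT_ENTRIES = [("127.0.0.1", "localhost")]

# Constructed sample: the XP default plus one entry of each kind that shows up
# in modified hosts files. Names use the reserved .test TLD and a
# documentation address, so nothing here points at a real site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test     # pinned to loopback: block-list style
198.51.100.7    www.example-bank.test        # sent elsewhere: hijack style
"""


def parse_hosts(text):
    """Return [(address, name), ...] for every active mapping, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        entries.extend((address, name) for name in names)
    return entries


def audit_hosts(text):
    """Split non-default entries into 'blocks' (name -> loopback/unspecified,
    what ad and malware block lists do) and 'redirects' (name -> any other
    address, or an unparsable address), which is the pattern that sends a
    real site somewhere else and deserves attention."""
    blocks, redirects = [], []
    for address, name in parse_hosts(text):
        if (address, name) in XP_DEFAULT_ENTRIES:
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            redirects.append((address, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocks.append((address, name))
        else:
            redirects.append((address, name))
    return blocks, redirects


if __name__ == "__main__":
    blocks, redirects = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocks)} block-style entries, {len(redirects)} redirect-style entries")
    for address, name in redirects:
        print(f"  REVIEW: {name} -> {address}")
```

Run it against the real file by reading `C:\WINDOWS\System32\drivers\etc\hosts` into `audit_hosts`; a long list of block-style entries is normal on a machine with a block list installed, while any redirect-style entry should be explained before the file is replaced, since it tells you which sites were being diverted.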
screaminjoe
post Oct 29 2008, 12:02 PM
Post #5


Hello nod32fen,

I went to the link you supplied and was not able to download anything.
The message in Bulgarian was:

The file is temporarily unavailable.
Please try again later.

thanks.
xblindx
post Oct 29 2008, 03:04 PM
Post #6


Please perform a Full Scan with Malwarebytes and post the log in your next reply.


screaminjoe
post Oct 30 2008, 12:00 PM
Post #7


Hello xblindx,
Thanks for your help.
Here are the results. Nothing was found.


Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

30.10.2008 17:54:44
mbam-log-2008-10-30 (17-54-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 316711
Time elapsed: 2 hour(s), 43 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
xblindx
post Oct 30 2008, 03:51 PM
Post #8


Hmm.....are you still experiencing issues with your computer?


screaminjoe
post Oct 31 2008, 09:08 AM
Post #9


Yes, still the same problems.
And I am positive something is wrong due to the slow internet connection.
Loading normal pages is taking ten times longer than they normally do.
thanks.
harrythook
post Nov 1 2008, 07:04 PM
Post #10


Hey screaminjoe, sorry for the delay here. There have been a few changes in the lineup, and I'll help you from here.
Do me a favor, restate the problems as of today. I think that we might move this topic to another area if you still need help.

Sorry for the confusion, and the delays.
Harry


screaminjoe
post Nov 3 2008, 06:58 AM
Post #11


Hi Harry,
Thanks for your reply.
I am still having a problem and still believe that it is a virus affecting my computer, even though all scans I have run thus far haven't found much.
Thanks very much for your help.
All info is below as it stands now.

Ever since clicking on a facebook link (which I was tricked into clicking on) my internet connection has been extremely slow.
I have a hi speed internet connection, but now, all internet pages take very long to load.
Spybot S&D and Ad-Aware haven't found anything. Malwarebytes' Anti-Malware 1.30 found nothing.

SUPERAntiSpyware found the problems listed below, but now scans clean, even though the problem still exists.

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265565.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265566.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265567.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265568.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0020\DRIVERFILES\SW20.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0020\DRIVERFILES\SW24.EXE
C:\WINDOWS\SYSTEM32\SW20.EXE
C:\WINDOWS\SYSTEM32\SW24.EXE

Uniblue's SpyEraser found the following malware problems:
Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\clickspring.net\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1\:range\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\05p.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\1987324.com\www\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\awmdabest.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\clickspring.net\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\crazywinnings.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\elitemediagroup.net\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\flingstone.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\master69.biz\www\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\neededware.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\scoobidoo.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchbarcash.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\sgrunt.biz\www\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\skoobidoo.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotchbar.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topconverting.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\windupdates.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\ysbweb.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\awmdabest.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\crazywinnings.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\scoobidoo.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\skoobidoo.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotchbar.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topconverting.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\windupdates.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\ysbweb.com\
harrythook
post Nov 3 2008, 08:55 PM
Post #12


Ok screaminjoe,
I am having this moved to another section of the forum.
Follow these instructions:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This post has been edited by Orange Blossom: Nov 3 2008, 08:58 PM
Reason for edit: Moving to HiJack This forum at harrythook' request. ~ OB


screaminjoe
post Nov 4 2008, 10:22 AM
Post #13


Hi Harry,
Thanks again for your help.
Yes, as you will notice, this isn't the first time I have run combofix. You can probably make more light of this than I have been able to. If there is anything else from previous scans that you need please let me know. I hope this doesn't make things harder for you.

I am also including the quarantined text file log from previous runs here:
1996-01-11 22:00:00 A------- 24,576 C:\Qoobox\Quarantine\C\WINDOWS\system32\REGSVR32.DLL.vir
2008-10-28 15:20:13 A------- 702 C:\Qoobox\Quarantine\catchme.log
2008-10-28 16:23:38 A------- 5,826 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-28 16:25:23 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-28 16:25:23 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-28 16:25:23 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
----


ComboFix 08-11-03.06 - joe 2008-11-04 16:01:44.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1501 [GMT 1:00]
Running from: c:\documents and settings\joe\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-03 19:42 . 2008-11-03 19:42 <DIR> d-------- C:\SAV32CLI
2008-11-03 15:00 . 2008-11-03 15:00 50,968 --a------ c:\windows\system32\avgfwdx.dll
2008-11-03 15:00 . 2008-11-03 15:00 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2008-11-03 13:01 . 2008-11-03 13:01 1,928 --a------ c:\windows\system32\tmp.reg
2008-11-03 12:42 . 2008-11-03 19:40 <DIR> d-------- c:\program files\a-squared Free
2008-10-30 21:36 . 2008-11-03 19:50 <DIR> d-------- C:\MGtools
2008-10-30 21:36 . 2008-10-30 21:37 55,287 --a------ C:\MGlogs.zip
2008-10-30 21:36 . 2005-01-14 04:41 11,254 --a------ c:\windows\system32\locate.com
2008-10-30 21:09 . 2008-10-30 21:09 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-10-30 21:06 . 2008-10-30 21:06 <DIR> d-------- c:\windows\ERUNT
2008-10-30 21:01 . 2008-11-03 19:43 <DIR> d-------- C:\SDFix
2008-10-30 20:29 . 2008-10-30 20:30 1,238,055 --a------ C:\MGtools.exe
2008-10-30 20:15 . 2008-10-30 20:15 <DIR> d-------- c:\documents and settings\joe\Application Data\Grisoft
2008-10-30 20:14 . 2008-10-30 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-10-30 20:13 . 2008-10-30 20:13 <DIR> d-------- c:\program files\RogueRemover FREE
2008-10-30 13:04 . 2007-11-20 20:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-30 13:04 . 2008-10-30 13:04 <DIR> d-------- c:\documents and settings\Administrator
2008-10-29 16:00 . 2008-10-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-29 15:59 . 2008-10-29 15:59 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-29 15:59 . 2008-10-29 15:59 <DIR> d-------- c:\documents and settings\joe\Application Data\SUPERAntiSpyware.com
2008-10-29 14:51 . 2008-10-29 14:51 <DIR> d-------- c:\program files\Lavasoft
2008-10-29 14:51 . 2008-10-29 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-29 14:50 . 2008-10-29 15:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 15:01 . 2008-10-28 15:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-28 15:01 . 2008-10-28 15:01 <DIR> d-------- c:\documents and settings\joe\Application Data\Malwarebytes
2008-10-28 15:01 . 2008-10-28 15:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 15:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 15:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-28 14:56 . 2008-10-28 14:56 <DIR> d-------- c:\windows\SxsCaPendDel
2008-10-28 14:43 . 2008-10-28 14:43 <DIR> d-------- c:\program files\Trend Micro
2008-10-27 16:40 . 2008-09-17 23:55 201,050 --a------ c:\windows\system32\nvapps.nvb
2008-10-27 16:39 . 2008-10-27 16:42 <DIR> d-------- c:\windows\NV28003780.TMP
2008-10-24 09:55 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-19 21:09 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-19 21:09 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-19 21:09 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-19 21:09 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-19 21:09 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-19 21:09 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-09 13:13 . 2008-10-09 13:22 <DIR> d-------- C:\priska_old_comp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 15:04 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-04 14:48 221,600 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-04 14:48 18,835,488 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-03 10:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 10:47 --------- d-----w c:\program files\SpywareBlaster
2008-11-01 09:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-31 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 11:46 --------- d-----w c:\program files\Uniblue
2008-10-28 18:22 --------- d-----w c:\program files\XPcleanv5
2008-10-28 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2008-10-27 18:18 --------- d-----w c:\program files\CCleaner
2008-10-27 18:17 --------- d-----w c:\program files\Bonjour
2008-10-27 16:24 --------- d-----w c:\documents and settings\joe\Application Data\.BitTornado
2008-10-27 08:30 --------- d-----w c:\program files\ZKB Onba
2008-10-21 07:31 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-01 12:31 --------- d-----w c:\program files\Apple Software Update
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-01 07:00 15,045,028 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_08_31_22_49_19_full.dmp.zip
2008-09-01 06:59 12,541,135 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_08_31_22_48_50_full.dmp.zip
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-06-02 09:48 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-06-02 09:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-19 368640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-09-26 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2008-11-03 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2008-11-03 29208]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [2005-07-04 6828]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-08-20 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 08:50]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\joe\Application Data\Mozilla\Firefox\Profiles\akalo6vr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 16:04:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-04 16:06:25
ComboFix-quarantined-files.txt 2008-11-04 15:06:21
ComboFix2.txt 2008-10-30 21:19:05
ComboFix3.txt 2008-10-30 12:18:17
ComboFix4.txt 2008-10-28 20:19:13
ComboFix5.txt 2008-11-04 15:00:41

Pre-Run: 66'884'304'896 bytes free
Post-Run: 66,855,501,824 bytes free

159 --- E O F --- 2008-11-04 14:56:31

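Two lists in this thread are in the same REGEDIT4-style shape: SpyEraser's ZoneMap key list in post #11 and the "Reg Loading Points" section of the ComboFix log above. Both are easier to read with a small parser, and both need a caveat the raw listings do not give. A ZoneMap key name alone does not say whether a domain is in Trusted sites (value 2) or Restricted sites (value 4); that is the DWORD stored under the key, and a Restricted-sites entry is protective (it is exactly what SpywareBlaster, which the ComboFix log shows installed, adds), whereas a Trusted-sites entry for an unknown domain is the one that matters. Likewise `EnableFirewall=0` and `DisableMonitoring=1` are what a third-party firewall and AV (ZoneAlarm and BitDefender here) leave behind, so they are prompts to confirm, not findings. The example below is added for this thread and is not ComboFix's, SpyEraser's or SpywareBlaster's code; the `SAMPLE` text is constructed (real key paths in the log's format, made-up values, a hypothetical `updater.exe`), and every function name is my own.

```python
"""Parse REGEDIT4-style registry text (ComboFix's 'Reg Loading Points' section
or a .reg export of the IE ZoneMap key) and list entries worth a second look.
Added example for this thread; not ComboFix's, SpyEraser's or SpywareBlaster's
own code. SAMPLE is constructed: real key paths, made-up values."""
import re

SAMPLE = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"updater"="c:\documents and settings\joe\Local Settings\Temp\updater.exe" [2008-10-27 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-updates.test\www]
"http"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# IE security zone numbers as stored under ZoneMap\Domains\<domain>.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def parse_regedit4(text):
    """Return {key_path: {value_name: raw_value_text}}; lines that are neither
    a [key] header nor a "name"=value pair (banners, service lines) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def dword(raw):
    """Decode 'dword:00000004' (.reg form) or '0 (0x0)' (ComboFix form); None if neither."""
    m = re.match(r"dword:([0-9A-Fa-f]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def zonemap_entries(sections):
    """Return [(hive, host, scheme, zone_name)] for every ZoneMap\\Domains entry.
    A subkey below the domain key (e.g. ...\\1987324.com\\www) names a host prefix."""
    out = []
    for key, values in sections.items():
        parts = key.split("\\")
        lower = [p.lower() for p in parts]
        if "zonemap" not in lower or "domains" not in lower:
            continue
        host = ".".join(reversed(parts[lower.index("domains") + 1:]))
        for scheme, raw in values.items():
            zone = dword(raw)
            out.append((parts[0], host, scheme, ZONES.get(zone, f"zone {zone}")))
    return out


def triage(sections):
    """Review prompts, not verdicts: a third-party firewall legitimately turns the
    Windows Firewall and Security Center monitoring off, and a Restricted-sites
    ZoneMap entry is protective."""
    notes = []
    for key, values in sections.items():
        lk = key.lower()
        if lk.endswith("\\currentversion\\run"):
            for name, raw in values.items():
                path = raw.split('"')[1] if raw.startswith('"') else raw
                if "\\temp\\" in path.lower() or "\\application data\\" in path.lower():
                    notes.append(f"autostart from a user-writable folder: {name} -> {path}")
        if "\\security center\\monitoring" in lk and dword(values.get("DisableMonitoring", "")) == 1:
            notes.append(f"Security Center monitoring disabled under {key}")
        if lk.endswith("\\firewallpolicy\\standardprofile") and dword(values.get("EnableFirewall", "")) == 0:
            notes.append("Windows Firewall is off in the standard profile (expected with a third-party firewall)")
        if lk.endswith("\\authorizedapplications\\list"):
            notes.extend(f"firewall exception to confirm: {app}" for app in values)
    for hive, host, scheme, zone in zonemap_entries(sections):
        if zone == "Trusted sites":
            notes.append(f"Trusted-zone entry in {hive}: {host} ({scheme})")
    return notes


if __name__ == "__main__":
    for note in triage(parse_regedit4(SAMPLE)):
        print(note)
```

To use it on the real thing, paste the log's `REGEDIT4` section (or a `regedit /e` export of the `ZoneMap` key, which carries the DWORD values SpyEraser's listing omits) into `parse_regedit4`. On the sample, the Restricted-sites entry for blazefind.com produces no note at all, the Trusted-sites entry does, and the two firewall exceptions and the Temp-folder autostart are listed for the helper to confirm against what the poster says is installed.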
harrythook
post Nov 4 2008, 10:17 PM
Post #14


Hey screamin,
Do this:
Click Start > Run, then type in ComboFix /u (note the space before the /)
Hit enter and Combofix should remove itself.
Run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next, download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Let's see some results please


screaminjoe
post Nov 5 2008, 06:47 AM
Post #15


Hi Harry,

Here are the results from the attached text doc.
Thanks again.
best,
screaminjoe

Attached File(s)
Attached File  OTScanIt.Txt ( 99.69k ) Number of downloads: 18
 
