Trojan Alerts


  • This topic is locked
10 replies to this topic

#1 some12


Posted 05 August 2007 - 06:27 PM

This morning trend micro started picking up Trojans and has kept doing so.
Please help with this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:01 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\tftpmi.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\tftpmi.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run="C:\tftpmi.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1154121519\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunServices: [DHCP] "C:\tftpmi.exe"
O4 - HKCU\..\Run: [DHCP] "C:\tftpmi.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6566 bytes


#2 Rawe


Posted 05 August 2007 - 10:32 PM

Hello and welcome aboard :thumbsup:

Through Add/Remove Programs list under Control Panel, please uninstall the following application if found:

Zango

===

Next, please run a scan with HijackThis and check the following objects for removal:

F3 - REG:win.ini: run="C:\tftpmi.exe"
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe
O4 - HKLM\..\RunServices: [DHCP] "C:\tftpmi.exe"
O4 - HKCU\..\Run: [DHCP] "C:\tftpmi.exe"


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

===

Then, navigate to and delete the following folder (if found):

C:\Program Files\Zango

===

Finally, surf here: http://www.virustotal.com

Paste the following filepath to the blank box, then hit "Send File":

C:\tftpmi.exe

Wait for the scanners to finish; it'll take a while. Once it has finished, please copy & paste all of the contents of the results here along with a fresh HijackThis log :flowers:
Hi there, stranger!
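As an added example that is not part of the thread or of HijackThis itself, the Python script below parses the O4 and F3 lines of a HijackThis log and flags autostart entries on the same signals Rawe acted on above: an executable sitting in the drive root, a value name such as "DHCP" borrowed from a Windows component while pointing outside the system directories, the legacy RunServices key, and one binary registered from several autostart locations. The sample lines are copied from the first log in this thread; the heuristics, the component-name list and the trusted-path prefixes are this example's own assumptions.

```python
"""Flag suspicious autostart entries in a HijackThis v2 log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: F2/F3 and O4 lines copied from the first HijackThis log
# posted in the thread (a constructed excerpt, not the complete log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run="C:\tftpmi.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunServices: [DHCP] "C:\tftpmi.exe"
O4 - HKCU\..\Run: [DHCP] "C:\tftpmi.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
"""

# Line shapes HijackThis uses for autostart entries.
O4_REG_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_DIR_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: run=(?P<cmd>.+)$")
# The launched image is either the quoted first token or an unquoted path up to its extension.
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)', re.I)

# Heuristic inputs: assumptions of this example, not a HijackThis feature.
COMPONENT_NAMES = {"dhcp", "dns", "svchost", "lsass", "services", "winlogon", "csrss"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


@dataclass(frozen=True)
class Entry:
    where: str   # autostart location, e.g. HKLM\..\RunServices or "win.ini run="
    name: str    # value name inside the key ("" for win.ini)
    image: str   # executable the entry launches


@dataclass
class Finding:
    entry: Entry
    reasons: list


def extract_image(cmd: str) -> str:
    """Return the executable a Run command launches, dropping arguments."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m["q"] or m["u"]


def parse_hijackthis(text: str) -> list:
    """Collect O4 (registry and startup-folder) and F3 (win.ini) autostart entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_REG_RE.match(line):
            entries.append(Entry(m["where"], m["name"], extract_image(m["cmd"])))
        elif m := O4_DIR_RE.match(line):
            entries.append(Entry(m["where"], m["name"], extract_image(m["cmd"])))
        elif m := F3_RE.match(line):
            entries.append(Entry("win.ini run=", "", extract_image(m["cmd"])))
    return entries


def assess(entries: list) -> list:
    """Apply the drive-root, name-mimicry, RunServices and multi-location heuristics."""
    locations = defaultdict(set)          # image (lowercased) -> autostart locations
    for e in entries:
        locations[e.image.lower()].add(e.where)
    findings = []
    for e in entries:
        img = e.image.lower()
        reasons = []
        if re.fullmatch(r"[a-z]:\\[^\\]+", img):
            reasons.append("executable sits in the drive root, not Program Files or Windows")
        if e.name.lower() in COMPONENT_NAMES and not img.startswith(TRUSTED_PREFIXES):
            reasons.append(f"value name '{e.name}' borrows a Windows component name "
                           "but points outside the system directories")
        if "runservices" in e.where.lower():
            reasons.append("uses the legacy RunServices key")
        if len(locations[img]) >= 3:
            reasons.append(f"same binary registered from {len(locations[img])} autostart locations")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in assess(parse_hijackthis(SAMPLE_LOG)):
        print(f"{f.entry.where} [{f.entry.name}] -> {f.entry.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample lines only the three entries launching C:\tftpmi.exe are flagged; the Zango entry passes these heuristics, which is why a helper still pairs log review with a knowledge of known adware names.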

#3 some12


Posted 06 August 2007 - 07:34 AM

Hi, thank you for responding so fast. I could not find Zango in either Add/Remove Programs or Program Files.

Here are the VirusTotal scan results; hope I'm pasting the right thing.



Antivirus Version Last Update Result
AhnLab-V3 2007.8.3.0 2007.08.06 -
AntiVir 7.4.0.57 2007.08.06 TR/Agent.266240.3
Authentium 4.93.8 2007.08.03 -
Avast 4.7.1029.0 2007.08.06 -
AVG 7.5.0.476 2007.08.05 SHeur.AYO
BitDefender 7.2 2007.08.06 Generic.Malware.SIFDYBd.8F72A364
CAT-QuickHeal 9.00 2007.08.04 -
ClamAV 0.91 2007.08.06 -
DrWeb 4.33 2007.08.06 modification of Win32.HLLW.Generic.204
eSafe 7.0.15.0 2007.07.31 -
eTrust-Vet 31.1.5037 2007.08.06 -
Ewido 4.0 2007.08.06 -
FileAdvisor 1 2007.08.06 -
Fortinet 2.91.0.0 2007.08.06 -
F-Prot 4.3.2.48 2007.08.03 -
F-Secure 6.70.13030.0 2007.08.06 -
Ikarus T3.1.1.8 2007.08.06 Win32.SuspectCrc
Kaspersky 4.0.2.24 2007.08.06 -
McAfee 5090 2007.08.03 -
Microsoft 1.2704 2007.08.06 -
NOD32v2 2439 2007.08.06 -
Norman 5.80.02 2007.08.06 -
Panda 9.0.0.4 2007.08.06 -
Prevx1 V2 2007.08.06 -
Rising 19.35.02.00 2007.08.06 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.04 -
Symantec 10 2007.08.06 -
TheHacker 6.1.7.162 2007.08.04 -
VBA32 3.12.2.2 2007.08.04 -
Webwasher-Gateway 6.0.1 2007.08.06 Trojan.Agent.266240.3
Additional information
File size: 266240 bytes
MD5: 7961f44fd6a5140de3c1dadcb5977ee6
SHA1: 8f6f7c03950ecb265536632e6de3c30d293b1166

-------------------------------------------------------------------------------------------------------------------------------------------

Now here is the fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:20 AM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\AOL\1154121519\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\tftpmi.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run="C:\tftpmi.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1154121519\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunServices: [DHCP] "C:\tftpmi.exe"
O4 - HKCU\..\Run: [DHCP] "C:\tftpmi.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6414 bytes

#4 Rawe


Posted 06 August 2007 - 07:39 AM

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\tftpmi.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====

Please rerun HijackThis and check these entries for removal again:

F3 - REG:win.ini: run="C:\tftpmi.exe"
O4 - HKLM\..\RunServices: [DHCP] "C:\tftpmi.exe"
O4 - HKCU\..\Run: [DHCP] "C:\tftpmi.exe"


Close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

===

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply. :thumbsup:
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#5 some12


Posted 06 August 2007 - 08:47 AM

C:\tftpmi.exe moved successfully.

Created on 08/06/2007 09:32:07


ComboFix 07-08-04.3 - "Owner" 2007-08-06 9:37:31.1 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\wr.txt
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-05 20:39 <DIR> d-------- C:\WINDOWS\pss
2007-08-05 15:33 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-05 15:32 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-08-05 12:27 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-01 17:04 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-01 17:04 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-01 17:04 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-01 17:04 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-01 17:04 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-01 17:04 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-26 20:58 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-26 20:58 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-26 20:58 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-25 16:07 <DIR> d-------- C:\Program Files\Netflix
2007-07-20 12:59 0 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-07-20 12:46 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2007-07-20 09:09 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-19 16:34 <DIR> d-------- C:\Program Files\WarRock
2007-07-19 16:33 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-07-15 22:20 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-15 22:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-15 22:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 09:34 --------- d-------- C:\Program Files\SwiftSwitch
2007-08-05 20:50 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-08-05 15:29 --------- d-------- C:\Program Files\Trend Micro
2007-08-05 09:27 36112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-08-05 09:27 203024 --a------ C:\WINDOWS\system32\drivers\TmXPFlt.sys
2007-08-05 09:27 1126328 --a------ C:\WINDOWS\system32\drivers\VSAPINT.SYS
2007-07-29 15:31 --------- d-------- C:\Program Files\LimeWire
2007-07-29 14:14 --------- d-------- C:\Program Files\Incomplete
2007-07-29 14:13 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-07-28 19:12 --------- d--h----- C:\DOCUME~1\Owner\APPLIC~1\Move Networks
2007-07-20 13:04 --------- d-------- C:\Program Files\Real
2007-07-20 13:04 --------- d-------- C:\Program Files\Common Files\Real
2007-07-19 16:33 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-14 17:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Reno 911 Paintball
2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2004-07-22 10:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 22:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 22:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-09 14:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 09:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 09:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 04:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 04:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 03:03 62976 --a------ C:\Program Files\DSETUP.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"HostManager"="C:\Program Files\Common Files\AOL\1154121519\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:16]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-07-28 17:18:19]

R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\Drivers\tmtdi.sys
R2 Tmfilter;Tmfilter;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 Vsapint;Vsapint;C:\WINDOWS\system32\drivers\Vsapint.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2e9a91-1e7b-11db-ba68-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-08-06 13:43:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-06 13:43:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-06 03:00:04 C:\WINDOWS\Tasks\wrSpySweeper_2EC9EADE661945F1BF5528860A9A228F.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 07:00:06 C:\WINDOWS\Tasks\wrSpySweeper_AEE3D14A65AF4620A0B080E672455401.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 05:00:05 C:\WINDOWS\Tasks\wrSpySweeper_CE7A8A6857AF4C3EB102ED0445B5318C.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 11:00:06 C:\WINDOWS\Tasks\wrSpySweeper_E3EC5D84720D4D72AD03BC9AE402FDAC.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 09:00:06 C:\WINDOWS\Tasks\wrSpySweeper_FE115FFB9C8F417B940723C3C695AD3D.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 09:42:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 9:43:25
C:\ComboFix-quarantined-files.txt ... 2007-08-06 09:43

--- E O F ---


______________________________________________________________________________

Thank you again for the fast response.

#6 Rawe


Posted 06 August 2007 - 09:16 AM

Open Notepad and copy/paste the text in the quotebox into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2e9a91-1e7b-11db-ba68-806d6172696f}]


Save it as CFScript.txt on your desktop.

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply along with a description of all your current issues with the PC. :thumbsup:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#7 some12


Posted 06 August 2007 - 10:09 AM

I don't think I have any other problems from what I can tell; maybe you will see differently in this.

ComboFix 07-08-04.3 - "Owner" 2007-08-06 10:54:20.2 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-05 20:39 <DIR> d-------- C:\WINDOWS\pss
2007-08-05 15:33 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-05 15:32 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-08-05 12:27 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-01 17:04 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-01 17:04 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-01 17:04 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-01 17:04 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-01 17:04 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-01 17:04 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-26 20:58 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-26 20:58 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-26 20:58 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-25 16:07 <DIR> d-------- C:\Program Files\Netflix
2007-07-20 12:59 0 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-07-20 12:46 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2007-07-20 09:09 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-19 16:34 <DIR> d-------- C:\Program Files\WarRock
2007-07-19 16:33 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-07-15 22:20 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-15 22:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-15 22:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 10:53 --------- d-------- C:\Program Files\SwiftSwitch
2007-08-05 20:50 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-08-05 15:29 --------- d-------- C:\Program Files\Trend Micro
2007-08-05 09:27 36112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-08-05 09:27 203024 --a------ C:\WINDOWS\system32\drivers\TmXPFlt.sys
2007-08-05 09:27 1126328 --a------ C:\WINDOWS\system32\drivers\VSAPINT.SYS
2007-07-29 15:31 --------- d-------- C:\Program Files\LimeWire
2007-07-29 14:14 --------- d-------- C:\Program Files\Incomplete
2007-07-29 14:13 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-07-28 19:12 --------- d--h----- C:\DOCUME~1\Owner\APPLIC~1\Move Networks
2007-07-20 13:04 --------- d-------- C:\Program Files\Real
2007-07-20 13:04 --------- d-------- C:\Program Files\Common Files\Real
2007-07-19 16:33 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-14 17:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Reno 911 Paintball
2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2004-07-22 10:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 22:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 22:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-09 14:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 09:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 09:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 04:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 04:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 03:03 62976 --a------ C:\Program Files\DSETUP.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"HostManager"="C:\Program Files\Common Files\AOL\1154121519\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:16]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-07-28 17:18:19]

R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\Drivers\tmtdi.sys
R2 Tmfilter;Tmfilter;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 Vsapint;Vsapint;C:\WINDOWS\system32\drivers\Vsapint.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-06 14:58:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-06 14:58:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-06 03:00:04 C:\WINDOWS\Tasks\wrSpySweeper_2EC9EADE661945F1BF5528860A9A228F.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 07:00:06 C:\WINDOWS\Tasks\wrSpySweeper_AEE3D14A65AF4620A0B080E672455401.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 05:00:05 C:\WINDOWS\Tasks\wrSpySweeper_CE7A8A6857AF4C3EB102ED0445B5318C.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 11:00:06 C:\WINDOWS\Tasks\wrSpySweeper_E3EC5D84720D4D72AD03BC9AE402FDAC.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
2007-08-06 09:00:06 C:\WINDOWS\Tasks\wrSpySweeper_FE115FFB9C8F417B940723C3C695AD3D.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 10:58:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 11:00:03
C:\ComboFix-quarantined-files.txt ... 2007-08-06 10:59
C:\ComboFix2.txt ... 2007-08-06 09:43

--- E O F ---

#8 Rawe


Posted 06 August 2007 - 10:27 AM

So are you still getting alerts? Popups? Anything? :thumbsup:
Hi there, stranger!

#9 some12


Posted 06 August 2007 - 12:38 PM

I don't think so.

#10 Rawe


Posted 06 August 2007 - 01:24 PM

Great :thumbsup:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must-have. (Note: only use one at a time.)
  • Firewall <= A firewall is definitely a must-have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note: only use one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
Hi there, stranger!

#11 Rawe


Posted 09 August 2007 - 04:56 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!