Infection Note: Ldpinch Trojan


25 replies to this topic

#1 chapin33 (Members, 59 posts, Location: CA)
Posted 20 October 2007 - 03:06 PM

I have XP Pro on my PC and XP Home on my lap top. Both computers have AVG free for virus protection and the following for spyware programs: Spyware Blaster, Spybot, Ad-Aware, a-squared Free, and Spy Sweeper.

I have run all of the programs and, like the previous entry, Spy Sweeper is the only one that identified this, and it identified it on both the PC and lap top. Note AVG is updated with latest definitions and it did not catch anything and I did a thorough sweep.

I found another thread that noted similar problem and it advised the use of Super AntiSpyware download. I wondered if a second virus scan is ok as I know having more than one virus program is not good. Please advise.

Also, one additional thing I forgot to mention: when running Spy Sweeper, I ran a quick scan on both computers and both times it caught this "ldpinch trojan". At the completion of the scan, it first advised to quarantine the item, which I did, and then it advised that a full sweep was needed so I did the full sweep. At the conclusion of the full sweeps on both the lap top and the PC, there was nothing detected. That seems odd because it (ldpinch trojan) is still there but quarantined, so doesn't it get recognized? Please advise.



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,754 posts, Location: Virginia, USA)
Posted 20 October 2007 - 03:58 PM

Are you doing your scans in "SAFE MODE" and doing them while logged into the "Administrator Account" or an "account with administrator privileges"?

If rescanning in safe mode does not help, then do this:

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version)
  • When the Dr.Web opens, an "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.cvs report)
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply.
Then perform this online Virus scan: BitDefender Online Scanner. <- Add a check by "Autoclean".
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 quietman7 (Bleepin' Janitor, Global Moderator, 51,754 posts, Location: Virginia, USA)
Posted 20 October 2007 - 04:09 PM

I saw that you were reading the other thread where another member has this same Trojan infection. The warning I provided to him about this being very dangerous applies to you as well. If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

#4 buddy215 (Moderator, 13,313 posts, Location: West Tennessee)
Posted 20 October 2007 - 05:49 PM

To answer your question about quarantined files being recognized, a different security program would probably note the malware that you have quarantined but the same program that the malware is quarantined in would not note it.

After a period of time and you are sure the quarantined files are malware, not a file that you need, you should permanently delete the quarantined files.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 20 October 2007 - 06:27 PM

As advised by quietman, I ran the scans in safe mode and the spyware programs I used in Safe mode found nothing so I went and did the scans with Dr. Web and the other program. Here is the report from Dr. Web...

Please note these trojans listed are NOT the one listed in quarantine in Spy Sweeper. So are we dealing with multiple or are they all the same? Please advise.

Here's the Dr. Web report:

3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
A0056564.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP179;Trojan.Click.1487;Deleted.;

Note: this is only from the PC. I assume that I will need to do the same thing w/the lap top. Right?

And now I am off to do the virus scan through BitDefender. Will post when completed but am anxious to hear comments about this information posted here.

Also, what if the trojan is still in spy sweeper? I read the comments above and was told to keep it in quarantine. Ok but don't I have to unquarantine it to fully remove it? I am a bit confused so please walk me through it. Thanks.
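The two Dr.Web report lines posted above are semicolon-separated records (file; folder; detection name; action). The following Python is an added example, not from the thread or from Dr.Web, that parses lines in that layout (the layout is assumed from the two lines posted) and separates live hits from copies that sit in a Windows XP System Restore snapshot, which is what the `C:\System Volume Information\_restore{...}\RP179` folder in the second line is. Both lines carry the same detection name; the second is a restore-point copy of the first rather than a separate infection, which is the kind of thing to know when asking whether a report shows one trojan or several.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the two report lines posted in the thread above. The DrWeb.csv
# layout file;folder;detection;action; is assumed from those lines.
SAMPLE_REPORT = """\
3 Months Free NetZero.exe;C:\\Program Files\\Dell\\Launcher\\files;Trojan.Click.1487;Deleted.;
A0056564.exe;C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP179;Trojan.Click.1487;Deleted.;
"""

# Windows XP System Restore stores copies of changed files under this path.
# A hit here is a snapshot of an earlier infection, not a freshly dropped file.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+", re.IGNORECASE
)


@dataclass
class Detection:
    file: str
    folder: str
    name: str      # detection name, e.g. Trojan.Click.1487
    action: str    # what Dr.Web did with the file

    @property
    def full_path(self) -> str:
        return self.folder.rstrip("\\") + "\\" + self.file

    @property
    def is_restore_point_copy(self) -> bool:
        return RESTORE_POINT_RE.search(self.folder) is not None


def parse_report(text: str) -> list[Detection]:
    """Parse report lines; the trailing ';' on each line is dropped first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rstrip(";").split(";")
        if len(parts) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        records.append(Detection(*parts[:4]))
    return records


def summarize(records: list[Detection]) -> dict[str, dict[str, list[str]]]:
    """Group paths by detection name, split into live hits and restore-point copies."""
    families = {}
    for d in records:
        fam = families.setdefault(d.name, {"live": [], "restore": []})
        fam["restore" if d.is_restore_point_copy else "live"].append(d.full_path)
    return families


if __name__ == "__main__":
    for name, paths in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{name}: {len(paths['live'])} live, {len(paths['restore'])} in restore points")
        for p in paths["live"]:
            print("  live    ", p)
        for p in paths["restore"]:
            print("  restore ", p)
```

Run on the two lines above it reports one family, Trojan.Click.1487, with one live path and one restore-point copy. Restore-point copies come back if that restore point is ever used, which is why cleanup guides have people purge old restore points once a system is confirmed clean.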

#6 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 20 October 2007 - 08:08 PM

Here is the report from the Bit Defender Virus Scan:

BitDefender Online Scanner

Scan report generated at: Sat, Oct 20, 2007 - 17:59:41

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics
Time: 01:28:52
Files: 231755
Folders: 8132
Boot Sectors: 6
Archives: 5383
Packed Files: 13643

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 855982
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Prompt
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\WINDOWS\system32\ActiveScan\pskahk.dll -> Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E
C:\WINDOWS\system32\ActiveScan\pskahk.dll -> Disinfection failed
C:\WINDOWS\system32\ActiveScan\pskahk.dll -> Disinfection failed

Please advise as it looks like the disinfection did not work. I don't understand what the problem is so all help would be greatly appreciated.

#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,754 posts, Location: Virginia, USA)
Posted 20 October 2007 - 10:45 PM

DrWeb found other malware. Go ahead and delete your quarantined files.

pskavs.dll is a legitimate file installed by Panda ActiveScan but there are some AV vendors that tag it as malicious. This is a false positive detection caused by Panda's on-line scanner not encrypting its virus signature files.

Download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed and updated with a special "clean driver" for removing persistent malware.)
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

While in safe mode search for and delete the following file(s)/folder(s) if they are present. You can use Windows Explorer to navigate to or use Windows Search feature > More advanced options to locate them.

parser.dpr
parser.exe
pinch.asm
pinch.dpr
pinch.tbp
pinchbuilder.cfg
pinchbuilder.dof
pinchbuilder.dpr
pinchbuilder.exe
pinchbuilder.res
trojan.psw.ldpinch.p.exe.

To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
When found right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file.

Reboot normally and then perform this online Virus scan: F-Secure Online Scanner <- Be sure to follow the directions on the F-Secure page for proper Installation. (also checks for rootkits).
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)
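An added example, not from the thread or from any tool it names, of the filename sweep quietman7 describes above, done with a script instead of the Windows Search dialog: it walks a directory tree (os.walk does not skip hidden or system folders), matches the listed names case-insensitively, and reports each hit with its size and whether the read-only attribute is set, the attribute the post says to clear before a delete will succeed. It only reports, so the hits can be reviewed before anything is removed; `build_demo_tree` creates constructed sample data in a temporary folder so the script runs stand-alone.

```python
from __future__ import annotations

import os
import stat
import tempfile

# Filenames quoted in the post above. The trailing dot on the last one is
# dropped because Windows strips trailing dots from filenames anyway.
INDICATOR_NAMES = {
    "parser.dpr", "parser.exe", "pinch.asm", "pinch.dpr", "pinch.tbp",
    "pinchbuilder.cfg", "pinchbuilder.dof", "pinchbuilder.dpr",
    "pinchbuilder.exe", "pinchbuilder.res", "trojan.psw.ldpinch.p.exe",
}


def sweep(root: str, names=INDICATOR_NAMES) -> list[dict]:
    """Walk `root` and return one record per file whose name matches, case-insensitively.

    Nothing is modified; the caller decides what to do with each hit."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in wanted:
                continue
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            hits.append({
                "path": path,
                "size": st.st_size,
                # Read-only means the owner write bit is clear. On Windows that
                # is exactly the read-only attribute the post says to uncheck.
                "read_only": not (st.st_mode & stat.S_IWUSR),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree() -> str:
    """Constructed sample data: one read-only indicator file buried a few
    folders deep, plus benign decoys whose names only resemble the list."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    nested = os.path.join(root, "Documents and Settings", "user", "Local Settings", "Temp")
    os.makedirs(nested)
    target = os.path.join(nested, "PinchBuilder.EXE")   # mixed case on purpose
    with open(target, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)                   # 64-byte stand-in, not a real PE
    os.chmod(target, stat.S_IREAD)                      # set the read-only attribute
    for decoy in ("readme.txt", "pinch_notes.txt", "parser.dll"):
        with open(os.path.join(root, decoy), "w") as f:
            f.write("benign\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in sweep(demo):
        flag = "  (read-only attribute set; clear it before deleting)" if hit["read_only"] else ""
        print(f"{hit['path']}  {hit['size']} bytes{flag}")
```

Point it at a real root with `sweep("C:\\")` on a Windows machine (run elevated so protected folders are readable); the names match exactly, so `pinch_notes.txt` and `parser.dll` in the demo tree are not reported, which is the behaviour you want from an indicator list, not a substring search.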

#8 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 21 October 2007 - 12:52 PM

> DrWeb found other malware. Go ahead and delete your quarantined files.

So delete the files found in Dr. Web or the file quarantined in Spy Sweeper? Note these are different files and Buddy advised to keep the one in Spy Sweeper quarantined. I am confused.

> pskavs.dll is a legitimate file installed by Panda ActiveScan but there are some AV vendors that tag it as malicious. This is a false positive detection caused by Panda's on-line scanner not encrypting its virus signature files.

Ok, but delete it?

As for the next steps, I already did a scan in safe mode using AVG 7.5. As mentioned above, AVG found nothing. So isn't what you are asking above the same thing? Or is it some different scan?

I will await your response before I go through that step and then into explorer looking for the files.

Also, are we really dealing with legit trojan in Spy Sweeper or another false positive?

Edited by chapin33, 21 October 2007 - 01:01 PM.


#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,754 posts, Location: Virginia, USA)
Posted 21 October 2007 - 01:47 PM

SpySweeper removed the Trojan so it is no longer a threat. You can delete the quarantined files from both programs. Don't worry about pskavs.dll. It will only install again the next time you use ActiveScan, so just remember it's legit.

> As for the next steps, I already did a scan in safe mode using AVG 7.5. As mentioned above, AVG found nothing. So isn't what you are asking above the same thing? Or is it some different scan?

You mentioned in your first post scanning with AVG free anti-virus which found nothing. The scan I asked you to perform was with AVG Anti-spyware which is different.

Many times Trojan infections drop other malware files that may not be detected by some of your existing security programs. That's why we are checking with other tools to make sure we find and remove anything else that may be lurking about.

#10 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 21 October 2007 - 06:03 PM

Ok... it's been a long day but here's what I have done...

1. I deleted all quarantined files.
2. I went into safe mode and ran AVG Anti-Spyware. It did find some cookies but no trojans. Here is the report:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:47:22 AM 10/21/2007

+ Scan result:

C:\Documents and Settings\Jo Ann\Cookies\jo_ann@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Jo Ann\Cookies\jo_ann@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Jo Ann\Cookies\jo_ann@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.

::Report end

3. In safe mode I used Windows Explorer and looked for the following files:

parser.dpr
parser.exe
pinch.asm
pinch.dpr
pinch.tbp
pinchbuilder.cfg
pinchbuilder.dof
pinchbuilder.dpr
pinchbuilder.exe
pinchbuilder.res
trojan.psw.ldpinch.p.exe.

None of these files were found.

4. While still in safe mode, I ran another Spy Sweeper scan because I was curious to see if there was anything found and this program is the one that denoted a trojan on my PC. It found nothing.

5. I then rebooted and ran the F-Secure online scanner. It found two spyware, no trojan, but a possible browser hijack. Both of these were disinfected. Here is the report:
Scanning Report
Sunday, October 21, 2007 13:11:11 - 15:40:40
Computer name: JOANNDESK
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ G:\


--------------------------------------------------------------------------------

Result: 2 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 42245
System: 4308
Not scanned: 4
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_50E417E0-E461-474B-96E2-077B80325612

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-19
F-Secure AVP: 7.0.171, 2007-10-21
F-Secure Orion: 1.2.37, 2007-10-19
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics


Quietman, I believe that I have done everything that you have asked. So is the problem gone?
Also, if it is gone, do I do the exact steps outlined here with my lap top? As you may recall this was on both the PC and the lap top. Please advise and thanks so much for your assistance.

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,754 posts, Location: Virginia, USA)
Posted 21 October 2007 - 06:20 PM

Yes, you can start to repeat those steps on your laptop.

I have one other scan for you to perform.

Please download Combofix and save it directly to your Desktop <- (Important!).
  • Temporarily disable any anti-virus/anti-malware real-time protection before performing a scan so they don't interfere with ComboFix.
  • Disconnect from the Internet. <- (Important!)
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a logfile located at C:\ComboFix.txt.
  • Post the contents of that log in your next reply.
  • Re-enable your anti-virus/anti-malware when done.
* Do not mouseclick combofix's window while it is running as that may cause your system to stall/hang.
* Disable BOClean and script blocking if you have NAV installed so it will not interfere with the fix.
* Do NOT post the ComboFix-quarantined-files.txt unless asked.
* ComboFix may reset Internet Explorer's settings, including making it the default browser.


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again.



#12 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 21 October 2007 - 06:30 PM

Before I do this: I have a router which connects the lap top and the PC. When disconnecting from the internet, will I have a problem with the router when reconnecting? I really hate messing with the setup of that.

I have a router and the internet is through the cable. Please advise.

#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,754 posts, Location: Virginia, USA)
Posted 21 October 2007 - 06:36 PM

If you're hesitant about disconnecting the router, then leave it alone. I prefer to do the scan when disconnected from the net but it's not mandatory.

#14 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 21 October 2007 - 06:55 PM

Here is the Combo Fix report:

ComboFix 07-10-20.6 - Jo Ann 2007-10-21 16:42:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT -7:00]
Running from: C:\Documents and Settings\Jo Ann\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000008_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-21 16:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 11:12 <DIR> d-------- C:\Documents and Settings\Jo Ann\Application Data\Grisoft
2007-10-21 11:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-20 15:00 <DIR> d-------- C:\Documents and Settings\Jo Ann\DoctorWeb
2007-10-09 13:50 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-30 12:39 <DIR> d-------- C:\Program Files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 20:01 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\AVG7
2007-10-21 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-21 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-20 19:15 --------- d-----w C:\Program Files\a-squared Free
2007-10-20 18:51 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-14 20:26 --------- d-----w C:\Documents and Settings\Jo Ann\Application Data\U3
2007-10-07 18:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-30 19:39 --------- d-----w C:\Program Files\iPod
2007-09-15 16:52 --------- d-----w C:\Program Files\Apple Software Update
2007-07-28 17:01 164 ----a-w C:\install.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 17:40]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:00 C:\WINDOWS\system32\rundll32.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-01-14 14:27:40]
HP Digital Imaging Monitor.lnk.disabled [2006-12-23 11:20:24]
HP Image Zone Fast Start.lnk.disabled [2006-12-23 11:20:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
"NvCplDaemon"="RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
"SigmatelSysTrayApp"=stsystra.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 16:47:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 16:46:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 16:53:09 - machine was rebooted
.
--- E O F ---


Please advise....
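The "Reg Loading Points" section of the ComboFix log above is the part a reviewer reads most closely, since Run keys are where a trojan's dropped files usually register themselves to start with Windows. The following Python is an added example, not part of the thread or of ComboFix, that parses that section into autostart entries and attaches review flags. The line layout is assumed from the log posted (a bracketed key name, then one `"Name"="path" [file info]` entry per line); reading empty `[]` brackets as "no file information" is an assumption about ComboFix's output, and the flag rules are this example's own triage heuristics, not ComboFix's. The sample is an excerpt of the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt copied from the ComboFix log posted above (sample input).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:00 C:\WINDOWS\system32\rundll32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<rest>.*)$')
INFO_RE = re.compile(r"\s*\[(?P<info>[^\]]*)\]\s*$")


@dataclass
class AutostartEntry:
    key: str
    name: str
    target: str              # executable exactly as written in the registry value
    args: str                # anything after the executable
    file_info: str | None    # text inside the trailing [...]; None if absent
    flags: list[str] = field(default_factory=list)


def _split_value(rest: str) -> tuple[str, str, str | None]:
    """Split the right-hand side into (target, args, file_info)."""
    info = None
    m = INFO_RE.search(rest)
    if m:
        info = m.group("info").strip()
        rest = rest[: m.start()]
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            end = len(rest)
        target, args = rest[1:end], rest[end + 1:]
    else:
        target, _, args = rest.partition(" ")
    return target, args.strip(), info


def parse_autostarts(text: str) -> list[AutostartEntry]:
    """Walk the log, tracking the current [key] and parsing each "name"=value line."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        target, args, info = _split_value(em.group("rest"))
        entries.append(AutostartEntry(key, em.group("name"), target, args, info))
    return entries


def triage(entries: list[AutostartEntry]) -> list[AutostartEntry]:
    """Attach review flags. These rules are this example's heuristics, not ComboFix's."""
    for e in entries:
        if "\\" not in e.target:
            e.flags.append("bare filename: resolved via PATH, confirm which copy actually runs")
        if e.file_info == "":
            e.flags.append("no file info in log: verify the target exists on disk")
        if e.target.lower().startswith("rundll32"):
            e.flags.append("rundll32 launcher: the code that runs is the DLL it loads, not rundll32 itself")
        if e.key.lower().endswith("run-"):
            e.flags.append("Run- key: not a Windows autostart location, so parked/disabled; note what was disabled")
    return entries


if __name__ == "__main__":
    for e in triage(parse_autostarts(SAMPLE_LOG)):
        print(f"{e.name!r:24} {e.target}  {e.args}  [{e.file_info}]")
        for f in e.flags:
            print("    ->", f)
```

On the excerpt this leaves the ZoneAlarm and ctfmon entries unflagged, asks for a disk check on the Adobe update manager (its brackets are empty), points out that the NvCplDaemon value is a rundll32 wrapper, and flags the Sigmatel entry as a bare filename. None of that is a verdict; it is the short list a reviewer looks at first.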

#15 chapin33 (Topic Starter, Members, 59 posts, Location: CA)
Posted 21 October 2007 - 09:40 PM

I have completed all of the steps on both the PC and the lap top.

I ran all of the scans on my lap top as outlined above and each report has not found anything so I am not posting any report unless you tell me I need to do so.

Please advise if this situation has been corrected and if we are done? Thanks for your assistance.



