Windows Security Alert

1 reply to this topic

#1 laurenashley

Posted 30 October 2007 - 05:57 PM

So I, like many other people I see on this site, have the bug that gets rid of my background and my control panel and doesn't let me use internet options. It says that my computer is making unauthorized copies.... I ran ComboFix also. So here is my log...

ComboFix 07-10-29.1** - Alex 2007-10-30 18:27:34.1 - NTFSx86
Running from: C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\BF88IH24\ComboFix[1].exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-30 18:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 18:12 <DIR> d-------- C:\Program Files\Crawler
2007-10-30 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-10-30 18:09 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Spyware Terminator
2007-10-30 18:08 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-10-30 17:42 <DIR> d-------- C:\Program Files\SpyNoMore
2007-10-30 17:42 1,152 --a------ C:\WINDOWS\SYSTEM32\windrv.sys
2007-10-30 12:53 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-30 12:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-30 12:53 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\PC Tools
2007-10-30 12:53 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-10-30 12:53 79,688 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-10-30 12:53 62,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-10-30 12:53 41,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-10-30 12:53 29,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-10-29 20:06 12,800 --a------ C:\WINDOWS\SYSTEM32\bronto.dll
2007-10-29 20:06 7,680 --a------ C:\WINDOWS\SYSTEM32\winter.exe
2007-10-29 20:06 7,680 --a------ C:\WINDOWS\SYSTEM32\proper.exe
2007-10-29 20:06 6,144 --a------ C:\WINDOWS\SYSTEM32\skuns.dat
2007-10-17 15:46 <DIR> d-------- C:\Program Files\AOD
2007-10-17 15:45 <DIR> d-------- C:\Program Files\AIM
2007-10-10 11:06 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 16:53 --------- d-----w C:\Program Files\Google
2007-10-18 23:43 --------- d-----w C:\Documents and Settings\Larry\Application Data\Aim
2007-10-03 16:09 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-10-03 16:09 --------- d-----w C:\Program Files\Comcast Rhapsody
2007-10-03 16:07 --------- d-----w C:\Program Files\Real
2007-09-10 13:59 --------- d-----w C:\Program Files\Yahoo!
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-05 16:30 4,496 -c--a-w C:\Program Files\avatar.jpg
2007-03-30 16:52 37,860,928 -c--a-w C:\Program Files\iTunesSetup.exe
2004-10-21 17:09 51,735,030 -c--a-w C:\Program Files\wsc-en-tis11-1131.zip
2004-02-25 00:16 2,241,545 -c--a-w C:\Program Files\XnView-win-en.exe
2004-02-18 19:00 3,662,787 -c--a-w C:\Program Files\spybotsd12.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CF93F25-CF63-0DEF-8004-60557FF17349}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
2007-10-29 20:06 12800 --a------ C:\WINDOWS\system32\bronto.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 17:19]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 12:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 12:49]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-11-22 12:48]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-01-13 16:23]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll" [2004-05-21 19:12]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"WD Button Manager"="WDBtnMgr.exe" [2005-12-28 09:42 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-15 09:05]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 09:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Undefined"="C:\WINDOWS\system32\winter.exe" [2007-10-29 20:06]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-04-14 10:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [2005-05-09 19:16]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
"Undefined"="C:\WINDOWS\system32\winter.exe" [2007-10-29 20:06]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-30 12:53]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Larry\Start Menu\Programs\Startup\
infos.exe [2007-10-29 20:06:21]

C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
infos.exe [2007-10-29 20:06:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autos.exe [2007-10-29 20:06:21]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-30 12:53:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\proper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


.
Contents of the 'Scheduled Tasks' folder
"2007-10-29 15:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2003-11-14 20:02:38 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 18:40:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 18:45:28 - machine was rebooted
.
--- E O F ---
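The symptoms described in the post (lost wallpaper, no Control Panel, no Internet Options) line up with the policy values and the tampered Winlogon Shell value in the "Reg Loading Points" section of the log. The following is an added example, not ComboFix's own code or anything the thread's responders posted: a small Python triage routine that reads a ComboFix-style "Reg Loading Points" section and flags the lockout policies, a Shell value that is anything other than Explorer.exe, and Run entries with the placeholder name "Undefined". The sample text is constructed from the lines quoted in the log above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example for this thread, not ComboFix's own code. SAMPLE_LOG is
constructed from entries quoted in the post above.
"""
import re

# Policy values that lock the user out of their own tools; each one set to
# 1 matches a symptom in the post (no Control Panel, no Task Manager, no regedit).
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableTaskMgr",
                     "NoControlPanel", "NoWindowsUpdate"}

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"Undefined"="C:\WINDOWS\system32\winter.exe" [2007-10-29 20:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\proper.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|(\S+))')  # "name"="data" or "name"=1

def triage(log_text):
    """Return a list of (registry key, value name, reason) findings, in log order."""
    findings, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name = m.group(1)
        data = m.group(2) if m.group(2) is not None else m.group(3)
        key_l = current_key.lower()
        if "\\policies\\" in key_l and name in LOCKDOWN_POLICIES and data == "1":
            findings.append((current_key, name, "user lockout policy enabled"))
        elif key_l.endswith("\\winlogon") and name == "Shell" and data.lower() != "explorer.exe":
            findings.append((current_key, name, "extra program appended to Shell: " + data))
        elif key_l.endswith("\\run") and name.lower() == "undefined":
            findings.append((current_key, name, "unnamed Run entry: " + data))
    return findings

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {key}\\{name}")
```

Run against the sample it reports the two policy pairs, the appended proper.exe in Shell, and the "Undefined" Run entry pointing at winter.exe; the same function can be pointed at any pasted ComboFix log.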

#2 Yourhighness

Posted 31 October 2007 - 12:30 AM

Hello laurenashley and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes
