Persistent Virtumonde. Help Me Please.


  • This topic is locked
34 replies to this topic

#16 rush3r_8

rush3r_8
  • Topic Starter

  • Members
  • 20 posts

Posted 03 January 2008 - 06:45 PM

ComboFix.exe log

ComboFix 07-12-31.4 - JULIAN 2008-01-03 15:36:18.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.87 [GMT -8:00]
Running from: C:\Documents and Settings\JULIAN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JULIAN\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 11:19 . 2008-01-03 11:19 <DIR> d-------- C:\RegSearch
2007-12-31 15:58 . 2007-12-31 15:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-31 15:58 . 2007-12-31 15:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-31 12:37 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 20:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 00:43 . 2007-12-29 00:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-12-28 02:05 . 2007-12-28 02:05 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-28 01:39 . 2007-12-28 01:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 23:48 . 2007-12-27 23:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-27 23:48 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-27 23:48 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-27 23:48 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-27 23:48 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\LimeWire
2007-12-26 12:44 . 2007-12-26 12:44 <DIR> d-------- C:\Documents and Settings\JULIAN\.limewire
2007-12-26 09:32 . 2007-12-26 09:32 290,816 --a------ C:\WINDOWS\system32\khooker.exe
2007-12-20 16:36 . 2007-12-20 16:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-12-19 21:47 . 2007-12-19 21:47 <DIR> d-------- C:\Program Files\Real
2007-12-17 18:14 . 2007-12-17 18:14 <DIR> d-------- C:\Program Files\KCeasy
2007-12-14 19:10 . 2007-12-14 19:11 <DIR> d-------- C:\Documents and Settings\JULIAN\Trillian
2007-12-14 19:02 . 2007-12-14 19:02 <DIR> d-------- C:\Program Files\MySpace
2007-12-14 19:02 . 2007-12-14 19:02 <DIR> d-------- C:\Documents and Settings\JULIAN\Application Data\MySpace
2007-12-08 23:36 . 2007-12-08 23:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 08:30 3,314 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-26 17:32 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-26 17:32 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
2007-12-20 05:47 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-20 05:47 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-11-13 20:30 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-13 20:30 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-13 20:28 --------- d-----w C:\Program Files\Zune
2007-11-13 19:38 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-13 19:35 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-07 03:10 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-07 03:09 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-07 03:09 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-07 03:09 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-07 03:09 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-07 03:09 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-07 02:58 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-06 04:06 --------- d-----w C:\Program Files\DIFX
2007-10-18 20:48 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2002-08-28 21:39 114,688 ---h--r C:\Program Files\Common Files\jcsetcom.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-31_12.50.37.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 16:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-28 20:24:26 63,130 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-31 20:55:24 63,130 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-28 20:24:26 403,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-31 20:55:26 403,528 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-12-26 09:32 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-26 09:32 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-26 09:32 2321600]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-26 09:32 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="C:\Program Files\Airlink101\AWLL4030\ACU.exe" [2007-12-26 09:32 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-26 09:32 282624]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2007-12-26 09:32 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-26 09:32 270648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-12-26 09:32 32768]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-12-26 09:32 166304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-26 09:32 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 09:32 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 16:36 219136]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-19 20:53:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-07 08:39]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-06 19:09]
R3 AR5523;Atheros USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys [2005-02-24 22:38]
R3 MemStPCI;Sony Memory Stick controller (PCI);C:\WINDOWS\system32\DRIVERS\MemStPCI.SYS [2004-08-03 22:00]
R3 SiS630;SiS630;C:\WINDOWS\system32\DRIVERS\sis630p.sys [2003-01-23 18:12]
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-02-24 22:42]
S3 lac97inf;lac97inf;C:\DOCUME~1\JULIAN\LOCALS~1\Temp\lac97inf.sys []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-06 19:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 23:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-28 00:06:58 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2007-12-29 07:08:08 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 15:40:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 15:42:27
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-03 23:42:20
C:\qoobox\ComboFix3.txt 2007-12-31 20:51:24
C:\qoobox\ComboFix2.txt 2007-12-31 23:46:56


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:45 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\System32\Tablet.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Airlink101\AWLL4030\ACU.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Airlink101\AWLL4030\ACU.exe" -nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194963808417
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194963673823
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 8607 bytes


#17 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 04 January 2008 - 09:13 AM

Hi,

I have some bad news for you. Some of the auto-loading programs are infected. It's a very new infection and our experts are working on it. But, in the meantime, we'll have to remove them all. You'll need to reinstall those programs afterwards.

We are also interested in some files which were present in your system, so first I am going to ask you to upload them to our experts.

Using Windows Explorer (right-click on Start, click on Explore) navigate to the following folder:

C:\Qoobox\Quarantine

a. Right-click folder Quarantine
b. Point to Send To
c. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the folder you compressed, i.e. Quarantine.zip.

Please submit it to this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.

============================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/123477/persistent-virtumonde-help-me-please/?p=699951

Collect::[4]
C:\WINDOWS\system32\khooker.exe

File::
C:\Program Files\Airlink101\AWLL4030\ACU.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

Suspect::[4]
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=-
"swg"=-
"AdobeUpdater"=-
"Yahoo! Pager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"=-
"QuickTime Task"=-
"SiS KHooker"=-
"iTunesHelper"=-
"RemoteControl"=-
"SNM"=-
"Zune Launcher"=-
"TkBellExe"=-
"AVG7_CC"=-

Save this as CFScript.txt

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply and a fresh HijackThis log please.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
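An added example, not from this thread and not part of ComboFix or any BleepingComputer tool: a small Python parser for the Run-key portion of ComboFix's "Reg Loading Points" section. ComboFix prints each autorun value as `"name"="path" [YYYY-MM-DD HH:MM size]`, with `[ ]` when the target file no longer exists. The script groups entries by that modification minute and reports clusters of unrelated programs that were all rewritten at the same moment, which is the pattern visible in the log posted in #16, plus autorun values whose file is missing. The sample input is a constructed copy of the Run entries from that log; run against it, the twelve names it clusters under 2007-12-26 09:32 correspond exactly to the twelve files the File:: section above lists, and the orphaned value is SNM. The function names and the cluster threshold of three are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the Run-key entries from the ComboFix
# "Reg Loading Points" section posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-12-26 09:32 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-26 09:32 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-26 09:32 2321600]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-26 09:32 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="C:\Program Files\Airlink101\AWLL4030\ACU.exe" [2007-12-26 09:32 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-26 09:32 282624]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2007-12-26 09:32 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-26 09:32 270648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-12-26 09:32 32768]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-12-26 09:32 166304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-26 09:32 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 09:32 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 16:36 219136]
"""

HIVE_RE = re.compile(r"^\[(?P<hive>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]$')
STAMP_RE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+)$")


def parse_run_entries(text):
    """Parse Run-key lines into dicts: hive, name, path, stamp, size.

    stamp and size are None when ComboFix printed '[ ]' (file not found).
    """
    entries = []
    hive = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group("hive")  # remember which key the next values live under
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        meta = STAMP_RE.match(m.group("meta").strip())
        entries.append({
            "hive": hive,
            "name": m.group("name"),
            "path": m.group("path"),
            "stamp": meta.group("stamp") if meta else None,
            "size": int(meta.group("size")) if meta else None,
        })
    return entries


def timestamp_clusters(entries, min_count=3):
    """Map modification minute -> names, keeping only clusters of min_count or more.

    Binaries from different vendors normally carry unrelated timestamps; many of
    them sharing one minute means something rewrote them all at once and each
    should be treated as tampered, not trusted because of its familiar name.
    """
    by_stamp = defaultdict(list)
    for e in entries:
        if e["stamp"]:
            by_stamp[e["stamp"]].append(e["name"])
    return {s: names for s, names in by_stamp.items() if len(names) >= min_count}


def missing_targets(entries):
    """Autorun values whose target file is gone (ComboFix shows '[ ]')."""
    return [e["name"] for e in entries if e["stamp"] is None]


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    print(f"{len(found)} Run entries parsed")
    for stamp, names in timestamp_clusters(found).items():
        print(f"{len(names)} entries share modification time {stamp}: {', '.join(names)}")
    print("orphaned autorun values:", missing_targets(found))
```

The threshold of three is deliberately low because a legitimate installer can touch two or three of its own components in the same minute; what stands out in a log like the one above is a dozen unrelated vendors sharing one minute, and that is the signal the script surfaces.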

#18 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 06 January 2008 - 07:45 PM

Hi,

When finished, it shall produce a log for you. Post that log in your next reply and a fresh HijackThis log please.


Do you have the logs for me ?

#19 rush3r_8

rush3r_8
  • Topic Starter

  • Members
  • 20 posts

Posted 07 January 2008 - 03:47 PM

Hey, yeah, I sent the log about the Quarantine zip file to the hyperlink. I will give you the fresh HijackThis log. But I accidentally closed the log of the ComboFix when I finished scanning it. I completed the scan for the ComboFix; however, I had to shut down my computer because of a doctor's appointment. So where do I find the log file for it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:28 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\System32\Tablet.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194963808417
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194963673823
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 7319 bytes

#20 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 07 January 2008 - 07:39 PM

Hey, yeah, I sent the log about the Quarantine zip file to the hyperlink.

We got that. Thank you.

So where do I find the log file for it?


C:\qoobox\ComboFix.txt (check the dates and post the latest please)

#21 rush3r_8

rush3r_8
  • Topic Starter

  • Members
  • 20 posts

Posted 08 January 2008 - 01:20 AM

I found two different ComboFix logs that are updated from my last scan. Not sure which one you want, but I'll send both of them to you.

CFScript_used_2008-01-04@15.35
http://www.bleepingcomputer.com/forums/top...tml#entry699951

Collect::[4]
C:\WINDOWS\system32\khooker.exe

File::
C:\Program Files\Airlink101\AWLL4030\ACU.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

Suspect::[4]
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=-
"swg"=-
"AdobeUpdater"=-
"Yahoo! Pager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"=-
"QuickTime Task"=-
"SiS KHooker"=-
"iTunesHelper"=-
"RemoteControl"=-
"SNM"=-
"Zune Launcher"=-
"TkBellExe"=-
"AVG7_CC"=-

ComboFix-quarantined-files


2007-10-14 11:08 6465 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.bak1.vir
2007-10-15 23:09 425586 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.bak2.vir
2007-10-15 23:23 693481 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xqtodvfx.ini.vir
2007-10-15 23:33 693481 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xqtodvfx.ini2.vir
2007-10-15 23:34 116 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-10-16 11:50 431586 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.tmp.vir
2007-10-16 13:51 433196 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.ini.vir
2007-10-16 21:40 433256 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.ini2.vir
2007-10-18 22:39 1902 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk.vir
2007-10-18 22:39 1902 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk.vir
2007-10-18 22:39 1902 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\JULIAN\Desktop\Live Safety Center.lnk.vir
2007-10-18 22:39 1902 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\JULIAN\Desktop\Online Security Guide.lnk.vir
2007-10-18 22:39 1902 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\JULIAN\Favorites\Online Security Guide.lnk.vir
2007-12-26 08:58 8192 --a------ C:\Qoobox\Quarantine\C\WINDOWS\medichi2.exe.vir
2007-12-26 09:32 16384 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\users32.dat.vir
2007-12-26 09:32 166304 --a------ C:\Qoobox\Quarantine\C\Program Files\Zune\zunelauncher.exe.vir
2007-12-26 09:32 185896 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir
2007-12-26 09:32 2321600 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Adobe\Updater5\adobeupdater.exe.vir
2007-12-26 09:32 270648 --a------ C:\Qoobox\Quarantine\C\Program Files\iTunes\ituneshelper.exe.vir
2007-12-26 09:32 282624 --a------ C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir
2007-12-26 09:32 286720 --a------ C:\Qoobox\Quarantine\C\Program Files\Airlink101\AWLL4030\acu.exe.vir
2007-12-26 09:32 290816 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\khooker.exe.vir
2007-12-26 09:32 32768 --a------ C:\Qoobox\Quarantine\C\Program Files\CyberLink\PowerDVD\PDVDServ.exe.vir
2007-12-26 09:32 4670704 --a------ C:\Qoobox\Quarantine\C\Program Files\Yahoo!\Messenger\yahoomessenger.exe.vir
2007-12-26 09:32 5674352 --a------ C:\Qoobox\Quarantine\C\Program Files\MSN Messenger\msnmsgr.exe.vir
2007-12-26 09:32 579072 --a------ C:\Qoobox\Quarantine\C\PROGRA~1\Grisoft\AVG7\avgcc.exe.vir
2007-12-26 09:32 68856 --a------ C:\Qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe.vir
2007-12-27 00:20 17006 --a------ C:\Qoobox\Quarantine\C\VundoFix Backups\ieofpygv.dllbox.bad.vir
2007-12-27 00:20 764416 --a------ C:\Qoobox\Quarantine\C\VundoFix Backups\NCTRMFile.dll.bad.vir
2007-12-31 02:29 9216 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\susp32.exe.vir
2007-12-31 12:29 6144 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dat.vir
2007-12-31 12:43 650 --a------ C:\Qoobox\Quarantine\Registry_backups\hklm_windowsNT_windows.reg.dat
2008-01-04 12:09 487 --a------ C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
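The CFScript posted above is the plan ComboFix was handed; below is an added example (not ComboFix's or the forum's code) that reads such a script and tallies what it would delete, so the plan can be checked before it runs. It assumes only the section names and the .reg-style "Name"=- deletion syntax visible in the post; the meaning of the "[4]" suffix is not interpreted.

```python
"""Dry-run reader for a ComboFix CFScript (added example, not ComboFix's code).

File:: is read as the delete list (the ComboFix.txt posted later repeats those
paths under "Other Deletions"); Collect:: and Suspect:: are kept as their own
lists.  Registry:: uses .reg syntax, where "Name"=- beneath a [HKEY_...] header
removes that value.  The "[4]" suffix on some section names is not interpreted.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the script posted in the thread.
SAMPLE_CFSCRIPT = """\
Collect::[4]
C:\\WINDOWS\\system32\\khooker.exe
File::
C:\\Program Files\\QuickTime\\qttask.exe
C:\\WINDOWS\\system32\\khooker.exe
Suspect::[4]
C:\\WINDOWS\\system32\\drivers\\beep.sys
Registry::
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MsnMsgr"=-
"swg"=-
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"QuickTime Task"=-
"SiS KHooker"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::(\[\d+\])?\s*$")  # e.g. Collect::[4]
KEY_RE = re.compile(r"^\[(.+)\]\s*$")                       # [HKEY_...\Run]
VALUE_DEL_RE = re.compile(r'^"(.+)"=-\s*$')                 # "Name"=-


@dataclass
class CFScript:
    files: dict = field(default_factory=dict)          # section -> list of paths
    reg_deletions: list = field(default_factory=list)  # (key, value name) pairs
    reg_unknown: list = field(default_factory=list)    # Registry:: lines not understood


def parse_cfscript(text):
    """Split a CFScript into per-section file lists and registry value deletions."""
    script, section, key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
            if section != "Registry":
                script.files.setdefault(section, [])
            continue
        if section == "Registry":
            if km := KEY_RE.match(line):
                key = km.group(1)
            elif (vm := VALUE_DEL_RE.match(line)) and key is not None:
                script.reg_deletions.append((key, vm.group(1)))
            else:  # a value being set, or a value with no key header: review by hand
                script.reg_unknown.append(line)
        elif section is not None:
            script.files[section].append(line)
    return script


def summarize(script):
    """The counts a helper would check before approving the script."""
    return {
        "collect": len(script.files.get("Collect", [])),
        "delete": len(script.files.get("File", [])),
        "suspect": len(script.files.get("Suspect", [])),
        "reg_values_removed": len(script.reg_deletions),
        "reg_lines_not_understood": len(script.reg_unknown),
    }


def collected_and_deleted(script):
    """Paths listed under both Collect:: and File:: (submitted, then removed)."""
    collect = {p.lower() for p in script.files.get("Collect", [])}
    delete = {p.lower() for p in script.files.get("File", [])}
    return sorted(collect & delete)
```

Any Registry:: line that is not a plain value deletion lands in `reg_unknown`, which is the list worth reading by hand before the script is approved.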

#22 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 January 2008 - 12:11 PM

None of these. I need the Combofix.txt. Check for C:\Combofix.txt

#23 rush3r_8
  • Topic Starter
  • Members
  • 20 posts

Posted 08 January 2008 - 04:23 PM

ComboFix 07-12-31.4 - JULIAN 2008-01-04 15:35:21.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT -8:00]
Running from: C:\Documents and Settings\JULIAN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JULIAN\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Airlink101\AWLL4030\ACU.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\khooker.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Airlink101\AWLL4030\ACU.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\khooker.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 12:15 . 2008-01-04 12:15 <DIR> d--hs---- C:\FOUND.022
2008-01-03 11:19 . 2008-01-03 11:19 <DIR> d-------- C:\RegSearch
2007-12-31 15:58 . 2007-12-31 15:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-31 15:58 . 2007-12-31 15:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-31 12:37 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 20:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 00:43 . 2007-12-29 00:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-12-28 02:05 . 2007-12-28 02:05 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-28 01:39 . 2007-12-28 01:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 23:48 . 2007-12-27 23:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-27 23:48 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-27 23:48 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-27 23:48 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-27 23:48 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\LimeWire
2007-12-26 12:44 . 2007-12-26 12:44 <DIR> d-------- C:\Documents and Settings\JULIAN\.limewire
2007-12-20 16:36 . 2007-12-20 16:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-12-19 21:47 . 2007-12-19 21:47 <DIR> d-------- C:\Program Files\Real
2007-12-17 18:14 . 2007-12-17 18:14 <DIR> d-------- C:\Program Files\KCeasy
2007-12-14 19:10 . 2007-12-14 19:11 <DIR> d-------- C:\Documents and Settings\JULIAN\Trillian
2007-12-14 19:02 . 2007-12-14 19:02 <DIR> d-------- C:\Program Files\MySpace
2007-12-14 19:02 . 2007-12-14 19:02 <DIR> d-------- C:\Documents and Settings\JULIAN\Application Data\MySpace
2007-12-08 23:36 . 2007-12-08 23:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 08:30 3,314 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-26 17:32 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-26 17:32 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
2007-12-20 05:47 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-20 05:47 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-11-13 20:30 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-13 20:30 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-13 20:28 --------- d-----w C:\Program Files\Zune
2007-11-13 19:38 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-13 19:35 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-07 03:10 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-07 03:09 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-07 03:09 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-07 03:09 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-07 03:09 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-07 03:09 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-07 02:58 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-06 04:06 --------- d-----w C:\Program Files\DIFX
2007-10-18 20:48 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2002-08-28 21:39 114,688 ---h--r C:\Program Files\Common Files\jcsetcom.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-31_12.50.37.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 16:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-28 20:24:26 63,130 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-04 04:19:52 63,130 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-28 20:24:26 403,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-04 04:19:52 403,528 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 16:36 219136]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-19 20:53:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-07 08:39]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-06 19:09]
R3 AR5523;Atheros USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys [2005-02-24 22:38]
R3 MemStPCI;Sony Memory Stick controller (PCI);C:\WINDOWS\system32\DRIVERS\MemStPCI.SYS [2004-08-03 22:00]
R3 SiS630;SiS630;C:\WINDOWS\system32\DRIVERS\sis630p.sys [2003-01-23 18:12]
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-02-24 22:42]
S3 lac97inf;lac97inf;C:\DOCUME~1\JULIAN\LOCALS~1\Temp\lac97inf.sys []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-06 19:10]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 23:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-28 00:06:58 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2008-01-04 23:01:48 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 15:39:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 15:40:48
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-04 23:40:44
C:\qoobox\ComboFix4.txt 2007-12-31 20:51:24
C:\qoobox\ComboFix3.txt 2007-12-31 23:46:56
C:\qoobox\ComboFix2.txt 2008-01-03 23:42:30

#24 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 January 2008 - 05:36 PM

Hi,

Thank you for the log.

Please uninstall LimeWire via Add or Remove Programs in Control Panel and then delete the following files and folders:

C:\FOUND.022<========== this file
C:\Program Files\LimeWire <======== this folder
C:\Documents and Settings\JULIAN\.limewire <========this folder

I've told you earlier that you'd need to re-install some programs. Below is a list of programs to be re-installed:

MSN Messenger
Google ToolbarNotifier
YahooMessenger
Airlink101
QuickTime
iTunes
CyberLink Power DVD
Zune
Real
AVG7

===================================

When you are done with the above, run this online scanner please.

Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky Online Scanner if it is present, prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
          • Standard
      • Scan Options:
          • Scan Archives
          • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
      • Save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post.


*Note
It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Or use Firefox with IE-Tab plugin

============================

Please post a fresh HijackThis log (taken after a reboot) and the Kaspersky results. How is the computer running now?

#25 rush3r_8
  • Topic Starter
  • Members
  • 20 posts

Posted 10 January 2008 - 12:10 AM

I have uninstalled most of what you said, but I can't remove the Zune software or Google Toolbar. It keeps on saying "Another installation is in process, first close that installation and retry".

#26 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 10 January 2008 - 07:35 AM

Try it in Safe Mode.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

#27 rush3r_8
  • Topic Starter
  • Members
  • 20 posts

Posted 12 January 2008 - 04:13 AM

I'm sorry, but I think I downloaded the Kaspersky Anti-Virus instead of the Kaspersky online scanner. Well, should I scan with the Kaspersky online thing? Here is the log from the Kaspersky anti-virus software I downloaded. I deleted all of the threats there.

Scan My Computer
----------------
Scanned: 312203
Detected: 19
Untreated: 0
Start time: 1/11/2008 8:53:13 PM
Duration: 04:14:46
Finish time: 1/12/2008 1:07:59 AM
Signatures published: 1/11/2008 3:05:58 PM


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.SecToolBar.g File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP36\A0009267.exe
deleted: Trojan program Trojan.Win32.Obfuscated.ml File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP72\A0014476.sys
deleted: Trojan program Trojan.Win32.Obfuscated.ml File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP72\A0014477.sys
deleted: Trojan program Trojan-Downloader.Win32.Small.hhm File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP72\A0014607.exe//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP72\A0014608.exe//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP74\A0015774.exe//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP75\A0015789.exe//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP76\A0015883.exe//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP78\A0016046.exe//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Mostofate.aa File: C:\WINDOWS\system32\mi2.exe//WiseSFXDropper//WISE0044.BIN//stream//data0005
deleted: adware not-a-virus:AdWare.Win32.Mostofate.j File: C:\Documents and Settings\JULIAN\My Documents\BearShareV6.exe//WiseSFXDropper//WISE0044.BIN//stream//data0005
deleted: adware not-a-virus:AdWare.Win32.Mostofate.aa File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP92\A0018414.exe//WiseSFXDropper//WISE0044.BIN//stream//data0005
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\QooBox\Quarantine.zip/Quarantine/C/WINDOWS/system32/susp32.exe.vir//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Clicker.Win32.Agent.ph File: C:\QooBox\Quarantine.zip/Quarantine/C/WINDOWS/system32/user32.dat.vir//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Agent.zb File: C:\QooBox\Quarantine.zip/Quarantine/C/WINDOWS/system32/users32.dat.vir
deleted: Trojan program Trojan-Clicker.Win32.Agent.ph File: C:\QooBox\Quarantine\C\WINDOWS\system32\user32.dat.vir//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\QooBox\Quarantine\C\WINDOWS\system32\susp32.exe.vir//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Agent.zb File: C:\QooBox\Quarantine\C\WINDOWS\system32\users32.dat.vir
deleted: adware not-a-virus:AdWare.Win32.Mostofate.aa File: C:\System Volume Information\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\RP92\A0018414.exe//WiseSFXDropper


Events
------
Time Name Status Reason
---- ---- ------ ------
1/11/2008 8:53:51 PM Running module: SMSS.EXE\smss.exe ok iChecker


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes
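The report above lists 19 "deleted" objects, but most of them sit in System Restore snapshots or in ComboFix's own quarantine rather than in running locations. The following added example (not Kaspersky's or the forum's code) parses that report format and groups hits by where the file lives; the location rules are assumptions based on the paths visible in the post.

```python
"""Triage of a Kaspersky Anti-Virus scan report (added example, not Kaspersky's code).

Each line under "Detected" in the report posted above has the shape
    deleted: <category> <detection name> File: <path>[//container//...]
The trailing "//..." chain names nested objects inside the file on disk (a
packer layer, an installer stream), so it is split off before the path is
examined.  Grouping hits by where the file lives separates live files from
copies sitting in System Restore points or in ComboFix's own quarantine.
"""
import re
from collections import Counter

# Constructed sample: a shortened copy of the report posted in the thread.
SAMPLE_REPORT = """\
Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.SecToolBar.g File: C:\\System Volume Information\\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\\RP36\\A0009267.exe
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\\System Volume Information\\_restore{620F364A-6664-4BD3-ABAD-857E36465E76}\\RP72\\A0014608.exe//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Mostofate.aa File: C:\\WINDOWS\\system32\\mi2.exe//WiseSFXDropper//WISE0044.BIN//stream//data0005
deleted: adware not-a-virus:AdWare.Win32.Mostofate.j File: C:\\Documents and Settings\\JULIAN\\My Documents\\BearShareV6.exe//WiseSFXDropper//WISE0044.BIN//stream//data0005
deleted: Trojan program Trojan-Downloader.Win32.Wixud.n File: C:\\QooBox\\Quarantine.zip/Quarantine/C/WINDOWS/system32/susp32.exe.vir//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Clicker.Win32.Agent.ph File: C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\user32.dat.vir//PE_Patch.UPX//UPX

Events
------
"""

# status, a category that may contain spaces, a one-token detection name, the object
LINE_RE = re.compile(
    r"^(?P<status>\w+): (?P<category>.+?) (?P<name>\S+) File: (?P<obj>.+)$")


def parse_detections(report):
    """Return one dict per 'Detected' line: status, category, name, path, containers."""
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, separators, events and statistics are skipped
        path, _, chain = m.group("obj").partition("//")
        hits.append({
            "status": m.group("status"),
            "category": m.group("category"),
            "name": m.group("name"),
            "path": path,
            "containers": chain.split("//") if chain else [],
        })
    return hits


def locate(path):
    """Classify where a detected file lives; the match is case-insensitive."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"        # an old System Restore snapshot, not a running file
    if "\\qoobox\\quarantine" in p:
        return "combofix_quarantine"  # already quarantined by ComboFix earlier in the thread
    return "live"


def triage(report):
    """Count hits per location and list the live paths that deserve a closer look."""
    hits = parse_detections(report)
    by_location = Counter(locate(h["path"]) for h in hits)
    live_files = [h["path"] for h in hits if locate(h["path"]) == "live"]
    return {"total": len(hits), "by_location": dict(by_location), "live_files": live_files}
```

Run over the full 19-line report in the post above, this gives 11 restore-point entries, 6 ComboFix-quarantine entries and 2 live files (mi2.exe in system32 and BearShareV6.exe in My Documents).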

#28 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 12 January 2008 - 11:11 AM

Hi,

I'm sorry, but I think I downloaded the Kaspersky Anti-Virus instead of the Kaspersky online scanner.


I guess you installed the trial version. That's fine but you'll have to uninstall it via Add or Remove Programs since you already have an onboard antivirus application. It's not a good idea to have two antivirus applications running at the same time. They will conflict with each other and render the system vulnerable.

How is the computer running now?

#29 rush3r_8
  • Topic Starter
  • Members
  • 20 posts

Posted 13 January 2008 - 04:45 AM

It's doing great! I don't think anything is wrong at the moment. If you still think I have a virus in my computer, then tell me what to do. It just doesn't seem that anything is wrong with my computer. I appreciate the help and patience you have given me. Thank you so much, Amateur!

#30 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 13 January 2008 - 11:51 AM

Hi,

Glad to hear that everything is running well. However, it has been a few days since I had a look at your HijackThis log. Please post a fresh HijackThis log and let's make sure that nothing has changed.



