Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tesllar Cang Get Off


  • This topic is locked This topic is locked
13 replies to this topic

#1 rc25707

rc25707

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 31 January 2008 - 09:05 PM

i cant get this trojan tesllar A off my computer, and im getting alot of popups

i have already downloaded most of the stuff such as spybot stinger and bit defender and hijack this is downloaded to my desktop also i realy need this off here and i would be eternaly greatful if yall could help me and i have other viruses and trojans plzzzzzz

can yall plz help me?
i am new sorry if im posting wrong

i also found these on spybot

zlob.downloader.ixt
microsoft security center disabled
nous-tech ultimate fake security center
smitfraud-c.coreservice
spyware detector
virtumonde
win32.agent.cmn
zlob.DNSchanger
and more and more plzzzz
iiiii need help to get rid of this virus tesllar a

i also see some stuff about legacy


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:56 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\UJXF9LFB\stinger[1].exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mechquest.ipbfree.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4729A8FE-F536-4CF6-B23E-C2E8D8DEFAA6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {DEEFECF6-6CCE-45F0-B058-E4F6C960181C} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\ssqnoml.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{D44C4337-0514-1033-0831-010803010001}] "C:\Program Files\Common Files\{D44C4337-0514-1033-0831-010803010001}\Update.exe" mc-110-12-0000272
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16ABABC9-9538-469A-A45C-118560B202D2}: NameServer = 85.255.114.39,85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{5338E38C-0F94-4761-B47E-7FA72293067A}: NameServer = 85.255.114.39,85.255.112.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.99
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.99
O20 - Winlogon Notify: ssqnoml - ssqnoml.dll (file missing)
O21 - SSODL: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - (no file)
O22 - SharedTaskScheduler: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8320 bytes

Edited by rc25707, 31 January 2008 - 11:40 PM.


BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 01 February 2008 - 08:34 AM

Hi,

Please perform next instructions in the right order without missing any steps...

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {4729A8FE-F536-4CF6-B23E-C2E8D8DEFAA6} - (no file)
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - (no file)
O2 - BHO: (no name) - {DEEFECF6-6CCE-45F0-B058-E4F6C960181C} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\ssqnoml.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [{D44C4337-0514-1033-0831-010803010001}] "C:\Program Files\Common Files\{D44C4337-0514-1033-0831-010803010001}\Update.exe" mc-110-12-0000272
O17 - HKLM\System\CCS\Services\Tcpip\..\{16ABABC9-9538-469A-A45C-118560B202D2}: NameServer = 85.255.114.39,85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{5338E38C-0F94-4761-B47E-7FA72293067A}: NameServer = 85.255.114.39,85.255.112.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.99
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.99
O20 - Winlogon Notify: ssqnoml - ssqnoml.dll (file missing)
O21 - SSODL: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - (no file)
O22 - SharedTaskScheduler: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Please download FixwareOut from the following site:
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads - It will open a log. I need that log later. The log will be present in your C:\FixwareOut folder.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the log from FixwareOut (report.txt)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rc25707

rc25707
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 02 February 2008 - 08:37 PM

~combofix's log~

ComboFix 08-02.03.1 - Bobby 2008-02-02 19:11:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -6:00]
Running from: C:\Documents and Settings\Bobby\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Bobby\Application Data\.#
C:\Program Files\Common Files\{344C4~1
C:\Program Files\Common Files\{D44C4~1
C:\Program Files\Common Files\stem~1
C:\Program Files\mcroso~1
C:\Program Files\Temporary
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\b3
C:\WINDOWS\system32\components
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\e9
C:\WINDOWS\system32\e9\farstadcom2.exe
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\okudeegl.ini
C:\WINDOWS\system32\p2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\taskkill.exe
C:\WINDOWS\system32\yfmigsrf.ini
C:\WINDOWS\system32\z4
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 19:20 . 2008-02-02 19:20 <DIR> d-------- C:\Temp\tn3
2008-02-02 19:02 . 2008-02-02 19:05 <DIR> d-------- C:\fixwareout
2008-01-31 20:18 . 2008-01-31 20:21 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-31 20:18 . 2008-01-31 20:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-31 20:18 . 2008-02-02 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 18:13 . 2001-01-12 18:04 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-01-31 18:12 . 2008-01-31 18:15 <DIR> d-------- C:\Program Files\Verizon Online
2008-01-31 17:50 . 2008-01-31 17:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 23:20 . 2008-01-31 17:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-30 22:29 . 2008-01-30 22:29 <DIR> d-------- C:\Program Files\Sun
2008-01-30 22:20 . 2008-01-30 22:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-30 22:17 . 2008-01-30 22:17 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-30 21:47 . 2008-01-30 21:59 <DIR> d-------- C:\Documents and Settings\Bobby\.SunDownloadManager
2008-01-30 21:37 . 2008-01-30 21:37 <DIR> d-------- C:\Documents and Settings\Bobby\DoctorWeb
2008-01-30 19:30 . 2008-01-30 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-29 19:11 . 2008-01-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-29 19:10 . 2008-01-29 19:10 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2008-01-29 19:10 . 2008-01-29 19:10 <DIR> d-------- C:\Documents and Settings\Bobby\Shared
2008-01-29 19:10 . 2008-01-29 19:10 <DIR> d-------- C:\Documents and Settings\Bobby\Incomplete
2008-01-29 19:02 . 2008-01-29 19:02 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-01-29 19:02 . 2008-01-30 18:08 <DIR> d-------- C:\Program Files\Symantec
2008-01-29 19:02 . 2008-01-30 22:48 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-01-28 19:50 . 2007-08-29 14:18 577,928 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-01-28 19:50 . 2007-08-23 17:57 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-01-27 15:18 . 2008-01-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Java(2)
2008-01-26 21:38 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-26 21:38 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-26 21:38 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-26 21:38 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-26 21:38 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-26 21:38 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-26 21:38 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-26 21:38 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-26 21:38 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-26 16:49 . 2008-01-30 22:38 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-18 17:04 . 2008-01-18 17:58 <DIR> d-------- C:\Documents and Settings\Bobby\Application Data\IGN_DLM
2008-01-17 14:57 . 2008-01-20 18:34 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-17 14:57 . 2008-01-20 18:34 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-17 14:57 . 2008-01-20 18:34 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-17 14:57 . 2008-01-20 18:34 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-17 14:55 . 2008-01-30 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-17 14:41 . 2008-01-29 19:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-16 21:45 . 2008-01-16 21:45 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-16 21:45 . 2008-01-16 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 21:44 . 2008-01-16 21:44 <DIR> d-------- C:\Program Files\Support.com
2008-01-16 21:44 . 2008-01-16 21:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 20:07 . 2008-01-16 20:07 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-16 17:51 . 2008-01-16 17:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 17:51 . 2008-01-16 17:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 17:37 . 2008-01-16 21:45 <DIR> d-------- C:\Program Files\Apple Software Update(2)
2008-01-15 20:39 . 2008-01-16 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 19:57 . 2008-01-15 19:57 260 --a------ C:\4029.bat
2008-01-15 19:57 . 2008-01-15 19:57 77 --a------ C:\Documents and Settings\Bobby\7609.bat
2008-01-15 19:29 . 2008-01-15 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-01-15 19:24 . 2008-01-15 19:24 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-15 19:20 . 2008-01-17 15:31 <DIR> d-------- C:\WINDOWS\system32\edcA18
2008-01-15 19:20 . 2008-01-18 00:36 <DIR> d--hs---- C:\WINDOWS\RXZlbHluIENvb3Blcg
2008-01-15 19:20 . 2008-01-15 19:20 <DIR> d-------- C:\Temp\Ryuan1
2008-01-15 19:20 . 2008-02-02 19:20 <DIR> d-------- C:\Temp
2008-01-15 19:20 . 2008-01-15 19:20 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-15 19:20 . 2008-01-15 19:20 86,016 --a------ C:\WINDOWS\system32\drivers\alim15411.sys
2008-01-15 19:20 . 2008-01-15 19:20 260 --a------ C:\5915.bat
2008-01-15 19:20 . 2008-01-15 19:20 77 --a------ C:\Documents and Settings\Bobby\2496.bat
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:15 --------- d-----w C:\Program Files\Common Files\Verizon Online
2008-01-31 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-31 04:28 --------- d-----w C:\Program Files\Java
2008-01-30 01:13 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-30 01:12 --------- d-----w C:\Documents and Settings\Bobby\Application Data\Lavasoft
2008-01-30 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 23:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-17 03:48 --------- d-----w C:\Documents and Settings\Bobby\Application Data\Yahoo!
2008-01-17 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-17 03:36 --------- d-----w C:\Program Files\Canon
2008-01-16 02:37 --------- d-----w C:\Documents and Settings\Bobby\Application Data\LimeWire
2006-12-06 03:06 1,428,912 --sha-w C:\WINDOWS\system32\hgjjl.bak1
2006-12-13 02:24 843,286 --sha-w C:\WINDOWS\system32\hgjjl.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-17 15:15 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 19:28 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 22:53 714608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54 65588]

R1 alim15411;alim15411;C:\WINDOWS\system32\drivers\alim15411.sys [2008-01-15 19:20]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 14:55]
S3 Mp3Drv;Mp3 Player Control Driver;C:\WINDOWS\system32\Drivers\Mp3Drv.sys [2002-05-23 16:22]
S3 S3chipid;S3chipid;C:\WINDOWS\TEMP\_ISTMP0.DIR\S3chipid.sys []
S3 StScsi;StScsi;C:\WINDOWS\system32\DRIVERS\StScsi.sys [2002-05-23 16:21]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 21:23:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 19:20:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-02-02 19:24:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 01:24:32
.
2008-01-31 20:36:36 --- E O F ---

~firewareout's log~

Username "Bobby" - 02/02/2008 19:03:38 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1545B3F4-EAC0-4986-8454-FEF2489B781A}
"DhcpNameServer"="85.255.114.39,85.255.112.99" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{16ABABC9-9538-469A-A45C-118560B202D2}
"DhcpNameServer"="85.255.114.39,85.255.112.99" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_04\\bin\\jusched.exe\""
"YSearchProtection"="\"C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe\""
"PDUiP6210DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\iP6210D\\PDUiP6210DMon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


~highjakthis's log~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:05 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mechquest.ipbfree.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5730 bytes

oh and do i realy need the combofix recovery thing? because i dont have any good floppies!

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 03 February 2008 - 03:59 AM

Hi,

oh and do i realy need the combofix recovery thing? because i dont have any good floppies!

You don't need any floppies to install it. Just read the link here again:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It's explained there how to install the Recovery Console with Combofix.
In your case, you need to download the one for Windows XP Home Edition SP2 (see below)
Then, once you've downloaded it to your desktop,

Drag the file you've downloaded from the Microsoft website into Combofix.exe as you see in the image below:

Posted Image

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, after you installed the Recovery Console,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\alim15411.sys
C:\5915.bat
C:\Documents and Settings\Bobby\2496.bat
C:\WINDOWS\system32\hgjjl.bak1
C:\WINDOWS\system32\hgjjl.bak2
C:\WINDOWS\system32\vbzip10.dll
C:\4029.bat
C:\Documents and Settings\Bobby\7609.bat

Folder::
C:\WINDOWS\system32\edcA18
C:\WINDOWS\RXZlbHluIENvb3Blcg
C:\Temp

Driver::
alim15411

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"=-
"QuickTime Task"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 03 February 2008 - 04:01 AM

Also, please let me know if your Norton is up to date...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 rc25707

rc25707
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 03 February 2008 - 02:37 PM

ComboFix 08-02.03.1 - Bobby 2008-02-03 13:25:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT -6:00]
Running from: C:\Documents and Settings\Bobby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bobby\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\4029.bat
C:\5915.bat
C:\Documents and Settings\Bobby\2496.bat
C:\Documents and Settings\Bobby\7609.bat
C:\WINDOWS\system32\drivers\alim15411.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\hgjjl.bak1
C:\WINDOWS\system32\hgjjl.bak2
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\alim15411.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\4029.bat
C:\5915.bat
C:\Documents and Settings\Bobby\2496.bat
C:\Documents and Settings\Bobby\7609.bat
C:\Temp
C:\Temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\RXZlbHluIENvb3Blcg
C:\WINDOWS\system32\drivers\alim15411.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\edcA18
C:\WINDOWS\system32\hgjjl.bak1
C:\WINDOWS\system32\hgjjl.bak2
C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ALIM15411
-------\alim15411


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 13:07 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-03 13:07 . 2006-12-09 22:14 211 --a------ C:\Boot.bak
2008-02-02 19:51 . 2008-02-02 19:51 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 19:02 . 2008-02-02 19:05 <DIR> d-------- C:\fixwareout
2008-01-31 20:18 . 2008-01-31 20:21 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-31 20:18 . 2008-01-31 20:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-31 20:18 . 2008-02-02 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 18:13 . 2001-01-12 18:04 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-01-31 18:12 . 2008-01-31 18:15 <DIR> d-------- C:\Program Files\Verizon Online
2008-01-31 17:50 . 2008-01-31 17:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 23:20 . 2008-01-31 17:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-30 22:29 . 2008-01-30 22:29 <DIR> d-------- C:\Program Files\Sun
2008-01-30 22:20 . 2008-01-30 22:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-30 22:17 . 2008-01-30 22:17 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-30 21:47 . 2008-01-30 21:59 <DIR> d-------- C:\Documents and Settings\Bobby\.SunDownloadManager
2008-01-30 21:37 . 2008-01-30 21:37 <DIR> d-------- C:\Documents and Settings\Bobby\DoctorWeb
2008-01-30 19:30 . 2008-01-30 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-29 19:11 . 2008-01-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-29 19:10 . 2008-01-29 19:10 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2008-01-29 19:10 . 2008-01-29 19:10 <DIR> d-------- C:\Documents and Settings\Bobby\Shared
2008-01-29 19:10 . 2008-01-29 19:10 <DIR> d-------- C:\Documents and Settings\Bobby\Incomplete
2008-01-29 19:02 . 2008-01-29 19:02 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-01-29 19:02 . 2008-01-30 18:08 <DIR> d-------- C:\Program Files\Symantec
2008-01-29 19:02 . 2008-01-30 22:48 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-01-28 19:50 . 2007-08-29 14:18 577,928 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-01-28 19:50 . 2007-08-23 17:57 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-01-27 15:18 . 2008-01-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Java(2)
2008-01-26 21:38 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-26 21:38 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-26 21:38 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-26 21:38 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-26 21:38 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-26 21:38 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-26 21:38 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-26 21:38 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-26 21:38 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-26 16:49 . 2008-01-30 22:38 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-18 17:04 . 2008-01-18 17:58 <DIR> d-------- C:\Documents and Settings\Bobby\Application Data\IGN_DLM
2008-01-17 14:57 . 2008-01-20 18:34 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-17 14:57 . 2008-01-20 18:34 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-17 14:57 . 2008-01-20 18:34 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-17 14:57 . 2008-01-20 18:34 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-17 14:55 . 2008-01-30 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-17 14:41 . 2008-01-29 19:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-16 21:45 . 2008-01-16 21:45 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-16 21:45 . 2008-01-16 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 21:44 . 2008-01-16 21:44 <DIR> d-------- C:\Program Files\Support.com
2008-01-16 21:44 . 2008-01-16 21:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 20:07 . 2008-01-16 20:07 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-16 17:51 . 2008-01-16 17:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 17:51 . 2008-01-16 17:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 17:37 . 2008-01-16 21:45 <DIR> d-------- C:\Program Files\Apple Software Update(2)
2008-01-15 20:39 . 2008-01-16 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 19:29 . 2008-01-15 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:15 --------- d-----w C:\Program Files\Common Files\Verizon Online
2008-01-31 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-31 04:28 --------- d-----w C:\Program Files\Java
2008-01-30 01:13 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-30 01:12 --------- d-----w C:\Documents and Settings\Bobby\Application Data\Lavasoft
2008-01-30 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 23:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-17 03:48 --------- d-----w C:\Documents and Settings\Bobby\Application Data\Yahoo!
2008-01-17 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-17 03:36 --------- d-----w C:\Program Files\Canon
2008-01-16 02:37 --------- d-----w C:\Documents and Settings\Bobby\Application Data\LimeWire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-17 15:15 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 19:28 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 22:53 714608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54 65588]

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 14:55]
S3 Mp3Drv;Mp3 Player Control Driver;C:\WINDOWS\system32\Drivers\Mp3Drv.sys [2002-05-23 16:22]
S3 S3chipid;S3chipid;C:\WINDOWS\TEMP\_ISTMP0.DIR\S3chipid.sys []
S3 StScsi;StScsi;C:\WINDOWS\system32\DRIVERS\StScsi.sys [2002-05-23 16:21]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 21:23:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 13:29:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-02-03 13:33:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 19:33:04
ComboFix2.txt 2008-02-03 19:22:24
ComboFix3.txt 2008-02-03 01:24:36
.
2008-01-31 20:36:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:36 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mechquest.ipbfree.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5505 bytes

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 03 February 2008 - 02:41 PM

Hi,

Can you also answer this question please?

Also, please let me know if your Norton is up to date...

Also - is it still properly running? Because I see some related components not running...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 rc25707

rc25707
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 03 February 2008 - 03:30 PM

oh sry i dont have norton anymore those components wont go off my computer i want it off tho

i had norton 07

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 03 February 2008 - 04:57 PM

Ok,

* To fully remove Norton AntiVirus or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.
Please read the instructions first before you use it.

Also read the next article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton: http://basconotw.mvps.org/SymRem.htm

After you removed Norton,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then * Please install Avira Antivirus: http://www.free-av.com/
Because you really need an active Antivirus. Because how are you supposed to prevent malware in the future if no working Antivirus is installed?

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 rc25707

rc25707
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 03 February 2008 - 07:34 PM

here's avira report



AntiVir PersonalEdition Classic
Report file date: Sunday, February 03, 2008 16:39

Scanning for 1089295 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: EVELYN-532D99B0

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 20:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 19:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 22:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 19:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 21:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 22:38:29
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 1/25/2008 22:38:29
ANTIVIR3.VDF : 7.0.2.82 259072 Bytes 2/1/2008 22:38:29
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/3/2008 22:38:30
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 17:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 14:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/3/2008 22:38:31
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 14:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 19:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 14:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 18:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 19:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 19:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 16:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, February 03, 2008 16:39

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'PDUiP6210DMon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
24 processes with 24 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '26' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Quarantine\{000043E5-0000-0000-44B9-CF1096E39A94}\DATA.CAB
[0] Archive type: CAB (Microsoft)
--> RESOURCE3
[DETECTION] Contains detection pattern of the dropper DR/Dldr.Small.ece
[INFO] The file was deleted!
C:\Program Files\Windows Media Player\promyfsywue.html
[DETECTION] Is the Trojan horse TR/Click.HTML.IFrame.DN
[INFO] The file was deleted!


End of the scan: Sunday, February 03, 2008 18:26
Used time: 1:46:49 min

The scan has been done completely.

4581 Scanning directories
231441 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
2 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
231439 Files not concerned
1228 Archives were scanned
2 Warnings
2 Notes

here's hijack this's report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:46 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mechquest.ipbfree.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 5340 bytes


oh and do i realy need hijack this or spy bot or reset teatimer or firewareout?

and i also have 2 internet explorer icons on my computer see here

and again lol sorry for all this umm i have the windows xp recovery thingy on my computer desktop so do i need that on my comp????????

Attached Files


Edited by rc25707, 03 February 2008 - 07:59 PM.


#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 04 February 2008 - 01:12 AM

Hi,

Check and fix next entry in HijackThis:

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then enable your Teatimer again.

Delete the Recovery Console installer, FixwareOut and resetteatimer.bat from your desktop.

The 2 IE icons is because Combofix also created one. You may delete one of them.

Then let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 rc25707

rc25707
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 04 February 2008 - 07:56 PM

wow my internet is running super fast now tyvm

also do i need spybot?

and do i also need hijack this

and ty again :thumbsup:

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 05 February 2008 - 01:04 AM

Yes, you can keep Spybot S&D... and scan with it once in a while.
No need to keep HijackThis.

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:58 AM

Posted 10 February 2008 - 01:46 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users