Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Insecure Internet Activity. Thread Of Virus Attack


  • This topic is locked This topic is locked
3 replies to this topic

#1 goonsquad

goonsquad

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 18 August 2008 - 06:32 PM

Hi. I ran across a similar thread where the person had this same issue and was able to fix the problem by deleting temporary files, running Malwarebytes, and them running combofix. I've taken these steps and pasted my logs below. Since performing the steps, I haven't had any problems. Could you please give me an idea of whether I've fixed the problem and if not, what else I need to do? Many many thanks...

Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 2

6:36:28 PM 8/18/2008
mbam-log-08-18-2008 (18-36-28).txt

Scan type: Quick Scan
Objects scanned: 54548
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 30
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2850bdc7-2330-4e31-9fa0-88268846539a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a916af3c-976d-4358-8736-95bea0b5fd2c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{be45f056-e005-437b-be88-23acf70b0b6a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f02c0ae1-d796-42c9-81e1-084d88f79b8e} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\onesecurity.iesecurity (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4eeafd15-6a8a-4957-8932-259100d9c18b} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e81a8baf-b19c-4857-9a78-26419429134d} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b85bb239-f685-4547-b0ac-e8835cd8ed24} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b85bb239-f685-4547-b0ac-e8835cd8ed24} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\onesecurity.iesecurity.1 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\GnucDNA.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\GnucDNA.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vav.cpl (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.exe (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.ooo (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlls.dll (Trojan.Agent) -> Quarantined and deleted successfully.

---------------------------------------------------------------

ComboFix 08-08-18.01 - Lionardo santos 2008-08-18 18:53:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -7:00]
Running from: C:\Documents and Settings\Lionardo santos\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lionardo santos\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dinora\Cookies\dinora@myspace[2].txt
C:\Documents and Settings\Dinora\Cookies\dinora@revsci[2].txt
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\#SharedObjects\8F8QEAKN\interclick.com
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\#SharedObjects\8F8QEAKN\interclick.com\ud.sol
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\#SharedObjects\8F8QEAKN\www.broadcaster.com
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\#SharedObjects\8F8QEAKN\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\#SharedObjects\8F8QEAKN\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Lionardo santos\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\newdotnet
C:\Program Files\newdotnet\nncore.dll
C:\Program Files\newdotnet\nnrun.exe
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall.exe
C:\Program Files\security toolbar
C:\Program Files\security toolbar\Security Toolbar.dll
C:\Program Files\security toolbar\Uninstall.bat
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\rk.bin
C:\WINDOWS\system32\rlvknlg.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV
-------\Service_NNServ


((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-18 18:10 . 2008-08-18 18:10 <DIR> d-------- C:\Program Files\Malwarebytes Anti-Malware
2008-08-18 18:10 . 2008-08-18 18:10 <DIR> d-------- C:\Documents and Settings\Lionardo santos\Application Data\Malwarebytes
2008-08-18 18:10 . 2008-08-18 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 18:10 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 18:10 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 21:31 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 10:45 --------- d-----w C:\Documents and Settings\Lionardo santos\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-01-08 07:41 0 ----a-w C:\Documents and Settings\Lionardo santos\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 23:26 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 12:04 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]

C:\Documents and Settings\Dinora\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-01-29 14:33:41 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metamail Trust Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metamail Trust Manager.lnk
backup=C:\WINDOWS\pss\Metamail Trust Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-12-18 12:04 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 22:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2002-09-13 13:21 73728 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-08-01 06:10 122940 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-11-02 20:01 50792 C:\Program Files\Common Files\AOL\1145813310\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-05-19 08:57 188416 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2004-08-06 04:50 139320 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 19:29 303104 c:\PROGRA~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 13:05 212992 C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
--a------ 2003-10-07 10:48 147514 C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2007-05-23 10:40 95800 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-07-15 11:52 1077322 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 14:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 18:37 151552 c:\TOSHIBA\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2004-08-18 09:00 94208 C:\Program Files\Network Associates\VirusScan\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 17:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-03 23:26 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-14 16:26 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-14 16:28 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
--a------ 2005-11-25 14:07 352256 C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-23 02:32 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 01:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a------ 2005-11-10 11:24 73728 C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 13:49 163840 c:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 19:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 13:49 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-10-15 07:29 88203 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 19:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-11-10 12:14 15473664 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145813310\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145813310\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MP3 Music Search\\MP3MusicSearch.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Ares MP3\\AresMP3.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"C:\Program Files\Juniper\NetScreen-Remote\ViewLog.exe"= C:\Program Files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"C:\Program Files\Juniper\NetScreen-Remote\CmonApp.exe"= C:\Program Files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"C:\Program Files\Juniper\NetScreen-Remote\vpn.exe"= C:\Program Files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 St320hg;St320hg;C:\WINDOWS\system32\DRIVERS\st320hg.sys [2002-09-12 12:49]
R1 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2006-02-01 11:38]
R2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys [2005-08-15 08:27]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-07-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Antivirus - C:\Program Files\VAV\vav.exe
MSConfigStartUp-New - C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
MSConfigStartUp-RelevantKnowledge - c:\windows\system32\rlvknlg.exe
MSConfigStartUp-slide - C:\Program Files\Slide\Slide.exe
MSConfigStartUp-WhenUSave - C:\Program Files\Save\Save.exe
MSConfigStartUp-CFSServ - CFSServ.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-TFncKy - TFncKy.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lionardo santos\Application Data\Mozilla\Firefox\Profiles\q4ios34c.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 19:00:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
.
**************************************************************************
.
Completion time: 2008-08-18 19:08:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 02:08:51

Pre-Run: 38,551,105,536 bytes free
Post-Run: 38,746,275,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

258 --- E O F --- 2008-08-15 21:04:50

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:06:32 AM

Posted 18 August 2008 - 07:02 PM

You have posted in a forum not ment for malware logs. I will move you to the proper site
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 goonsquad

goonsquad
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 27 August 2008 - 12:32 PM

Bumping this since it hasn't seen any action.

(I hope this doesn't break protocol! :thumbsup: )

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:06:32 AM

Posted 27 August 2008 - 01:14 PM

I don't know what I was thinking when I originally moved this thread, but we need to start over The scans that you are using should not be used outside the Hijack This forum. Please read the preparation guide here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Them post your problem and log here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

This post is closed
I'm sorry for the mix-up
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users