Infected With Visa Advanced Verification Virus


This topic is locked. 18 replies to this topic.

#1 clg003

Posted 02 September 2008 - 01:21 PM

Whenever I try and do some type of checkout activity I get a popup saying visa advanced verification and I never fill out any info on the form but I kill it and cancel my credit card. This has done this twice and started a few months back and I thought it was cleaned but it just happened again and I really don't do much online checkout activity so I am not sure if it was just never fully cleaned. I also have IE crash all of the time. Not sure what's up. I have scanned with adware, spybot, superantispyware, Stinger, House call. I have posted my Hijack Log. I am not sure if I am clean or not. Can someone help me out?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:38 PM, on 9/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\CINGVPN\VPNCLI~1\cvpnd.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wdc.cingular.net/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BE19C4CA-A1DB-4BDD-8CC0-EB2E37C7110A} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CINGVPN\VPNCLI~1\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8239 bytes
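The HijackThis log above is read by hand in this thread, but a first pass can be scripted. The Python below is an added example, not part of the original post and not HijackThis' own code: it runs a handful of triage rules over a subset of the log (embedded so it runs offline) and flags entries that deserve a second look: orphaned entries whose target file is missing, Run values without an absolute path (resolved through the search path, a classic hijack point), ActiveX downloads (O16), Winlogon Notify DLLs (O20), services with no publisher string, and a proxy auto-config URL. The severity labels are my own, and most of the lines flagged in this particular log have an ordinary explanation (the PAC URL appears to belong to the Cingular VPN client listed in the services, the Winlogon DLL is SUPERAntiSpyware's), which is exactly why a helper reads the log instead of deleting on sight.

```python
"""First-pass triage of HijackThis log entries (added example)."""
import re

# Subset of the HijackThis log posted above, embedded so this runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wdc.cingular.net/proxy.pac
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BE19C4CA-A1DB-4BDD-8CC0-EB2E37C7110A} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d+) - (?P<body>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')   # optionally quoted drive-letter path


def run_command(body: str) -> str:
    """Extract the command from an O4 body of the form '...Run: [Name] command args'."""
    after_key = body.split(": ", 1)[1] if ": " in body else body
    return after_key.split("] ", 1)[1] if "] " in after_key else after_key


def triage(log: str) -> list:
    """Return (severity, reason, line) tuples for entries worth a closer look."""
    hits = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            hits.append(("low", "orphaned entry, target file missing", line))
        elif section == "O4":
            if body.startswith("Global Startup"):
                continue  # .lnk shortcuts: the log does not show their targets
            if not ABS_PATH_RE.match(run_command(body)):
                hits.append(("medium", "Run value without absolute path (search-path lookup)", line))
        elif section == "O16":
            hits.append(("medium", "ActiveX control downloaded from the web (DPF)", line))
        elif section == "O20":
            hits.append(("medium", "Winlogon Notify DLL loaded into winlogon.exe", line))
        elif section == "O23" and "Unknown owner" in body:
            hits.append(("medium", "service with no publisher string", line))
        elif section == "R1" and "AutoConfigURL" in body:
            hits.append(("medium", "proxy auto-config URL controls browser routing", line))
    return hits


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

The rules are deliberately coarse: they narrow a 100-line log down to the entries a reviewer should verify by path, publisher and file hash, and nothing here decides on its own that an entry is malicious.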


#2 fenzodahl512

Posted 06 September 2008 - 02:53 AM

Hello and welcome to BC...


Download this tool to your Desktop

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 clg003 (Topic Starter)

Posted 06 September 2008 - 05:24 PM

Thanks. Here is the log. Looks like it found something. I will wait for your response before I actually run what it's saying to run.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x1d1a4f79 size 0x1aa !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

#4 clg003 (Topic Starter)

Posted 06 September 2008 - 08:31 PM

I went ahead and ran it with -f and here is the log.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x1d1a4f79 size 0x1aa !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
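The two mbr.exe logs above report the same picture: sector 0 no longer holds the original boot code, a copy of the original MBR sits in sector 62 (inside the unused track before the first partition), and "-f" writes that copy back. The Python below is an added example, not the tool's code and not part of the thread, that reproduces the check and the fix on a constructed raw disk image: it parses the partition table, scans the sectors before the first partition for a second MBR whose partition table matches sector 0 but whose boot code differs, and restores it. The disk layout, the filler boot code, and sector 62 as the parking spot are assumptions for the sample. The "user" and "kernel" lines in the real log suggest the detector also compares two read paths to catch a rootkit that filters reads of sector 0; an offline image cannot show that, and this example does not try.

```python
"""Detect and undo a parked-MBR boot hijack in a raw disk image (added example)."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes, then the 0x55AA signature
BACKUP_SECTOR = 62       # where the log above found the copy; assumed for this sample


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def write_sector(image: bytes, n: int, data: bytes) -> bytes:
    assert len(data) == SECTOR
    return image[:n * SECTOR] + data + image[(n + 1) * SECTOR:]


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts; type 0 means the slot is unused."""
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack("<8BII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def make_clean_image(num_sectors: int = 128) -> bytes:
    """Constructed sample disk: filler boot code, one bootable NTFS-type partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[:PT_OFFSET] = bytes((i * 7) & 0xFF for i in range(PT_OFFSET))
    mbr[PT_OFFSET:PT_OFFSET + 16] = struct.pack("<8BII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 65)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr) + bytes(SECTOR * (num_sectors - 1))


def infect(image: bytes) -> bytes:
    """Simulate the hijack: park the original MBR in BACKUP_SECTOR, then swap the boot
    code in sector 0 while keeping the partition table and signature, so the disk still
    boots and partitioning tools see nothing wrong."""
    original = read_sector(image, 0)
    image = write_sector(image, BACKUP_SECTOR, original)
    hijacked = bytes([0x90] * PT_OFFSET) + original[PT_OFFSET:]  # NOP sled stands in for loader code
    return write_sector(image, 0, hijacked)


def check_mbr(image: bytes) -> list:
    """Report a missing boot signature, or a second MBR in the hidden track before the
    first partition whose partition table matches sector 0 but whose boot code does not."""
    findings = []
    mbr = read_sector(image, 0)
    if mbr[510:] != BOOT_SIG:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    used = [p["lba_start"] for p in parse_partitions(mbr) if p["type"] != 0]
    first_lba = min(used) if used else 63
    for s in range(1, first_lba):
        sec = read_sector(image, s)
        if (sec[510:] == BOOT_SIG and sec[PT_OFFSET:510] == mbr[PT_OFFSET:510]
                and sec[:PT_OFFSET] != mbr[:PT_OFFSET]):
            findings.append(f"copy of MBR with different boot code found in sector {s}")
    return findings


def restore_mbr(image: bytes, backup_sector: int) -> bytes:
    """What a '-f' style fix does: write the parked original back over sector 0."""
    return write_sector(image, 0, read_sector(image, backup_sector))


if __name__ == "__main__":
    clean = make_clean_image()
    bad = infect(clean)
    print("clean:", check_mbr(clean) or "user & kernel MBR OK")
    print("infected:", check_mbr(bad))
    print("after fix:", check_mbr(restore_mbr(bad, BACKUP_SECTOR)) or "original MBR restored")
```

After the restore the parked copy is still in sector 62, but it no longer differs from sector 0, so the scan is quiet, which matches the third log in this thread ("user & kernel MBR OK") rather than proving the copy was wiped. A real cleanup should also zero the parked sector and the loader body that the log located at sector 0x1d1a4f79, neither of which an MBR-only fix touches.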

#5 fenzodahl512

Posted 06 September 2008 - 11:18 PM

Ok.. run mbr.exe again.. This time, don't use the -f switch.. and post the log here :thumbsup:



#6 clg003 (Topic Starter)

Posted 07 September 2008 - 09:31 AM

Here you go.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#7 fenzodahl512

Posted 07 September 2008 - 11:14 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



#8 clg003 (Topic Starter)

Posted 07 September 2008 - 02:23 PM

Here you go.


SDFix: Version 1.222
Run by usradm on Sun 09/07/2008 at 02:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 14:31:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe"
Thu 13 Oct 2005 422,400 A.SHR --- "C:\WINDOWS\x2.64.exe"
Mon 20 Aug 2007 145,920 ..SHR --- "C:\Program Files\Active Images Express\Setup.exe"
Wed 9 Mar 2005 39,936 A.SHR --- "C:\Program Files\Active Images Express\_Setupx.dll"
Mon 23 Jun 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 7 Oct 2005 308,224 A.SHR --- "C:\WINDOWS\system32\avisynth.dll"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Thu 27 Apr 2006 2,945,024 A.SHR --- "C:\WINDOWS\system32\Smab.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Tue 14 Nov 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 15 Dec 2006 72,192 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Thu 14 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 94,208 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 548,940 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 7 Sep 2008 65,536 A..H. --- "C:\Documents and Settings\charles gary\Application Data\Microsoft\Outlook\~archive.pst.tmp"
Sun 7 Sep 2008 65,536 A..H. --- "C:\Documents and Settings\charles gary\Application Data\Microsoft\Outlook\~Outlook.pst.tmp"
Sun 7 Sep 2008 65,536 A..H. --- "C:\Documents and Settings\charles gary\Local Settings\Application Data\Microsoft\Outlook\~archive.pst.tmp"
Sun 7 Sep 2008 327,680 A..H. --- "C:\Documents and Settings\charles gary\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.tmp"
Sat 11 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 11 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 11 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 11 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Sat 11 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!

#9 fenzodahl512

Posted 07 September 2008 - 03:10 PM

Please download Dr.Web CureIt to the Desktop:
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double-click the launch.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.



#10 clg003 (Topic Starter)

Posted 07 September 2008 - 10:16 PM

Looks like it found some stuff that may not have been a virus and some stuff found in other antivirus software, but I deleted everything. I don't care, I'm crazy like that. Man, I got milk in the fridge that expires tomorrow but I ain't going to throw it out until 23:59:59. I'm crazy like that.

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\charles gary\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\charles gary\Desktop;Archive contains infected objects;Moved.;
mirc62.exe\data007;C:\Documents and Settings\charles gary\Desktop\WAREZ\mirc62.exe;Program.mIRC.60;;
mirc62.exe;C:\Documents and Settings\charles gary\Desktop\WAREZ;Archive contains infected objects;Moved.;
PC_Checkup_Setup[1].exe\data032;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BIW71E0S\PC_Checkup_Setup[1].exe;Probably SCRIPT.Virus;;
PC_Checkup_Setup[1].exe;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BIW71E0S;Archive contains infected objects;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.60;Incurable.Deleted.;
mirc.exe;C:\Program Files\mIRC\backup;Program.mIRC.60;Incurable.Deleted.;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;
SymXPep2Interface.vbs;C:\Program Files\Norton PC Checkup\executables\vbs;Probably SCRIPT.Virus;Incurable.Deleted.;
ADAPT_Installer.exe\data032;C:\RECYCLER\ADAPT_Installer.exe;Probably SCRIPT.Virus;;
ADAPT_Installer.exe;C:\RECYCLER;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\SDFix\apps;Tool.Prockill;Incurable.Deleted.;
A0072987.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;Trojan.Virtumod.based.18;Deleted.;
A0072988.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;Trojan.Virtumod.based.18;Deleted.;
A0072989.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;Trojan.Virtumod.441;Deleted.;
A0072993.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;Trojan.Virtumod.441;Deleted.;
A0072994.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;Trojan.Virtumod.441;Deleted.;
A0072999.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;BackDoor.Bulknet.225;Deleted.;
A0073163.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP718;Trojan.Virtumod.456;Deleted.;
A0075742.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP735\A0075742.exe;Tool.Prockill;;
A0075742.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP735;Archive contains infected objects;Moved.;
A0075743.exe\data007;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP735\A0075743.exe;Program.mIRC.60;;
A0075743.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP735;Archive contains infected objects;Moved.;
A0075744.exe\data032;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP735\A0075744.exe;Probably SCRIPT.Virus;;
A0075744.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP735;Archive contains infected objects;Moved.;
ddcApmkK.dll;C:\WINDOWS\system32\quar;Trojan.Virtumod.based.18;Deleted.;
mlJDttsS.dll;C:\WINDOWS\system32\quar;Trojan.Virtumod.based.18;Deleted.;
WinCtrl32.dl_;C:\WINDOWS\system32\quar;BackDoor.Bulknet.225;Deleted.;
wvUkLFvt.dll;C:\WINDOWS\system32\quar;Trojan.Virtumod.based.18;Deleted.;

#11 fenzodahl512

Posted 07 September 2008 - 10:53 PM

Looks like it found some stuff that may not have been a virus and some stuff found in other antivirus software, but I deleted everything. I don't care, I'm crazy like that. Man, I got milk in the fridge that expires tomorrow but I ain't going to throw it out until 23:59:59. I'm crazy like that.


Don't worry.. Dr.Web is "crazy" but it's worth it for your infection.. :thumbsup:


Now lets do this..

Please visit the webpage below for instructions on downloading and running ComboFix. Make sure you download and save ComboFix DIRECTLY to your Desktop.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



#12 clg003 (Topic Starter)

Posted 08 September 2008 - 06:52 PM

Here is the combofix log

ComboFix 08-09-05.09 - usradm 2008-09-08 19:31:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1547 [GMT -4:00]
Running from: C:\Documents and Settings\charles gary\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\quar\IjSAdMoq.ini
C:\WINDOWS\system32\quar\IjSAdMoq.ini2
C:\WINDOWS\system32\quar\KkmpAcdd.ini
C:\WINDOWS\system32\quar\KkmpAcdd.ini2
C:\WINDOWS\system32\quar\SsttDJlm.ini
C:\WINDOWS\system32\quar\SsttDJlm.ini2
C:\WINDOWS\system32\quar\tvFLkUvw.ini
C:\WINDOWS\system32\quar\tvFLkUvw.ini2
C:\WINDOWS\system32\ssprs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV


((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 19:14 . 2008-09-07 20:37 <DIR> d-------- C:\Documents and Settings\charles gary\DoctorWeb
2008-09-07 14:07 . 2008-09-07 14:07 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-09-07 14:02 . 2008-09-07 14:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-07 14:02 . 2008-04-13 20:12 146,432 --a------ C:\Documents and Settings\charles gary\editreg.exe
2008-09-07 14:02 . 2008-04-13 20:12 27,136 --a------ C:\Documents and Settings\charles gary\rtsdnif.exe
2008-09-07 14:02 . 2008-04-13 20:12 12,288 --a------ C:\Documents and Settings\charles gary\attrib.exe
2008-09-07 14:02 . 2004-08-10 07:00 9,216 --a------ C:\Documents and Settings\charles gary\dnif.exe
2008-09-07 13:42 . 2008-09-07 13:42 <DIR> d-------- C:\SDFix
2008-09-06 16:43 . 2008-09-06 16:43 <DIR> d-------- C:\Program Files\Norton PC Checkup
2008-09-02 14:00 . 2008-09-02 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-02 13:35 . 2008-09-08 19:38 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-09-02 13:35 . 2008-09-08 19:38 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-09-02 08:45 . 2008-09-02 08:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-02 08:45 . 2008-09-02 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-02 00:26 . 2008-09-02 00:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-02 00:26 . 2008-09-02 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-27 20:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-20 18:35 . 2008-09-07 09:14 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-14 02:13 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 02:13 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 13:20 . 2008-08-09 13:20 400 --a------ C:\pkg_Totalview_Schedule_Data.zip
2008-08-09 13:19 . 2008-08-09 13:20 118 --a------ C:\pkg_Totalview_Schedule_Data.bat
2008-08-09 13:19 . 2008-08-09 13:20 92 --a------ C:\pkg_Totalview_Data.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 03:12 --------- d-----w C:\Program Files\mIRC
2008-09-07 16:40 24 ----a-w C:\Documents and Settings\charles gary\jagex_runescape_preferences.dat
2008-09-06 20:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-02 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-09-02 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-02 04:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-28 00:06 --------- d-----w C:\Program Files\Java
2008-08-28 00:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-17 12:26 --------- d-----w C:\Program Files\Soulseek
2008-07-30 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-30 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 16:30 --------- d-----w C:\Documents and Settings\charles gary\Application Data\SUPERAntiSpyware.com
2008-07-30 15:55 --------- d-----w C:\Documents and Settings\charles gary\Application Data\Malwarebytes
2008-07-30 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 14:38 --------- d-----w C:\Program Files\Daphne
2008-07-30 04:36 --------- d-----w C:\Program Files\games
2008-07-25 13:45 --------- d-----w C:\Program Files\Sun
2008-07-11 23:50 --------- d-----w C:\Program Files\Red Kawa
2008-07-11 23:12 --------- d-----w C:\Documents and Settings\charles gary\Application Data\AVS4YOU
2008-07-11 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-11 23:10 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-11 23:10 --------- d-----w C:\Program Files\AVS4YOU
2008-06-18 23:16 7 ----a-w C:\tw0001.dat
2007-02-06 01:25 94,080 ----a-w C:\Documents and Settings\charles gary\Application Data\ezplay.sys
2007-02-06 01:25 81,920 ----a-w C:\Documents and Settings\charles gary\Application Data\ezpinst.exe
2007-02-06 01:25 47,360 ----a-w C:\Documents and Settings\charles gary\Application Data\pcouffin.sys
2005-05-13 22:12 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 16:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-10-14 02:27 422,400 -csha-r C:\WINDOWS\x2.64.exe
2005-10-08 00:14 308,224 -csha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 17:31 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 15:24 2,945,024 -csha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 18:16 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CTHelper"="CTHELPER.EXE" [2006-12-12 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 C:\WINDOWS\system32\Ctxfihlp.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-12 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-11 24576]
SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe [2006-11-11 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-27 20:03 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-04-27 12:30 53248 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.dvsd"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winio46.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 CVPNDRV;Cingular Wireless IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2001-06-22 154695]
R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 53248]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 40832]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 59296]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 1160504]
S3 KProcWatch;KProcWatch;C:\WINDOWS\system32\drivers\KProcWatch.sys [ ]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 24064]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\charles gary\Application Data\Mozilla\Firefox\Profiles\jlmgi8ln.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 19:40:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\PROGRA~1\CINGVPN\VPNCLI~1\cvpnd.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-09-08 19:50:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 23:49:53

Pre-Run: 14,007,025,664 bytes free
Post-Run: 13,929,467,904 bytes free

179 --- E O F --- 2008-09-03 07:00:48

Here is the new hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:36 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\CINGVPN\VPNCLI~1\cvpnd.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wdc.cingular.net/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CINGVPN\VPNCLI~1\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6483 bytes

#13 fenzodahl512

Posted 09 September 2008 - 01:09 AM

Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\Documents and Settings\charles gary\editreg.exe
    • C:\Documents and Settings\charles gary\rtsdnif.exe
    • C:\Documents and Settings\charles gary\attrib.exe
    • C:\Documents and Settings\charles gary\dnif.exe
  • Click on the Upload button. You can upload only one file per entry
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply. Post all four results
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 clg003

Posted 09 September 2008 - 09:45 AM

VirSCAN.org Scanned Report :
Scanned time : 2008/09/09 10:25:01 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : attrib.exe
File Size : 12288 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : e6d680494c812b82a15600fd23c94424
SHA1 : 6be7cccf384b1b05b08b7fc5ae5bc3bb3365cc55
Online report : http://virscan.org/report/4fd14f6a7d01c4b7...eed860445a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.11 2008.09.06 2008-09-06 1.43 -
AhnLab V3 2008.09.09.02 2008.09.09 2008-09-09 1.59 -
AntiVir 7.8.1.28 7.0.6.135 2008-09-09 2.26 -
Arcavir 1.0.5 200809091005 2008-09-09 1.18 -
AVAST! 3.0.1 080908-0 2008-09-08 0.00 -
AVG 7.5.52.442 270.6.19/1662 2008-09-09 1.56 -
BitDefender 7.60825.1747807 7.20868 2008-09-09 3.00 -
CA (VET) 9.0.0.143 31.6.6078 2008-09-08 3.98 -
ClamAV 0.93.3 8200 2008-09-09 0.01 -
Comodo 2.11 2.0.0.641 2008-09-09 0.41 -
CP Secure 1.1.0.715 2008.09.09 2008-09-09 6.67 -
Dr.Web 4.44.0.9170 2008.09.09 2008-09-09 3.15 -
ewido 4.0.0.2 2008.09.09 2008-09-09 2.80 -
F-Prot 4.4.4.56 20080908 2008-09-08 1.00 -
F-Secure 5.51.6100 2008.09.09.06 2008-09-09 0.04 -
Fortinet 2.81-3.112 9.531 2008-09-09 0.19 -
ViRobot 20080909 2008.09.09 2008-09-09 0.41 -
Ikarus T3.1.01.34 2008.09.09.71425 2008-09-09 3.33 -
JiangMin 11.0.706 2008.09.08 2008-09-08 1.19 -
Kaspersky 5.5.10 2008.09.09 2008-09-09 0.03 -
KingSoft 2008.1.14.15 2008.9.9.20 2008-09-09 0.76 -
McAfee 5.3.00 5379 2008-09-08 1.74 -
Microsoft 1.3903 2008.09.09 2008-09-09 4.30 -
mks_vir 2.01 2008.08.25 2008-08-25 2.61 -
Norman 5.93.01 5.93.00 2008-09-08 5.09 -
Panda 9.05.01 2008.09.08 2008-09-08 1.98 -
Trend Micro 8.700-1004 5.532.04 2008-09-09 0.02 -
Quick Heal 9.50 2008.09.06 2008-09-06 1.73 -
Rising 20.0 20.61.12.00 2008-09-09 0.76 -
Sophos 2.78.0 4.33 2008-09-09 1.74 -
Sunbelt 3.1.1616.1 2220 2008-09-08 0.42 -
Symantec 1.3.0.24 20080908.036 2008-09-08 0.05 -
nProtect 2008-09-09.00 2094719 2008-09-09 4.00 -
The Hacker 6.3.0.6 v00075 2008-09-06 0.42 -
VBA32 3.12.8.5 20080909.0715 2008-09-09 1.23 -
VirusBuster 4.5.11.10 10.87.6/623804 2008-09-08 0.81 -


VirSCAN.org Scanned Report :
Scanned time : 2008/09/09 10:27:49 (EDT)
Scanner results: 3% Scanner(1/36) found malware!
File Name : rtsdnif.exe
File Size : 27136 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 75951d8a85067f8eccd0076f21e9e4e8
SHA1 : 90402fc2ec70868961de22e76f1d70ff68108acf
Online report : http://virscan.org/report/d37a0ad66c18a4ee...6e2642e3ee.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.11 2008.09.06 2008-09-06 1.45 -
AhnLab V3 2008.09.09.02 2008.09.09 2008-09-09 0.91 -
AntiVir 7.8.1.28 7.0.6.135 2008-09-09 2.27 -
Arcavir 1.0.5 200809091005 2008-09-09 1.20 -
AVAST! 3.0.1 080908-0 2008-09-08 0.01 -
AVG 7.5.52.442 270.6.19/1662 2008-09-09 1.58 -
BitDefender 7.60825.1747807 7.20868 2008-09-09 3.00 -
CA (VET) 9.0.0.143 31.6.6078 2008-09-08 5.50 -
ClamAV 0.93.3 8200 2008-09-09 0.01 -
Comodo 2.11 2.0.0.641 2008-09-09 0.69 -
CP Secure 1.1.0.715 2008.09.09 2008-09-09 6.66 -
Dr.Web 4.44.0.9170 2008.09.09 2008-09-09 3.15 -
ewido 4.0.0.2 2008.09.09 2008-09-09 3.70 -
F-Prot 4.4.4.56 20080908 2008-09-08 1.00 -
F-Secure 5.51.6100 2008.09.09.06 2008-09-09 0.04 -
Fortinet 2.81-3.112 9.531 2008-09-09 0.20 Suspicious
ViRobot 20080909 2008.09.09 2008-09-09 0.40 -
Ikarus T3.1.01.34 2008.09.09.71425 2008-09-09 3.32 -
JiangMin 11.0.706 2008.09.08 2008-09-08 1.20 -
Kaspersky 5.5.10 2008.09.09 2008-09-09 0.03 -
KingSoft 2008.1.14.15 2008.9.9.20 2008-09-09 0.60 -
McAfee 5.3.00 5379 2008-09-08 1.75 -
Microsoft 1.3903 2008.09.09 2008-09-09 3.94 -
mks_vir 2.01 2008.08.25 2008-08-25 2.56 -
Norman 5.93.01 5.93.00 2008-09-08 5.16 -
Panda 9.05.01 2008.09.08 2008-09-08 2.02 -
Trend Micro 8.700-1004 5.532.04 2008-09-09 0.03 -
Quick Heal 9.50 2008.09.06 2008-09-06 1.73 -
Rising 20.0 20.61.12.00 2008-09-09 0.75 -
Sophos 2.78.0 4.33 2008-09-09 1.72 -
Sunbelt 3.1.1616.1 2220 2008-09-08 0.41 -
Symantec 1.3.0.24 20080908.036 2008-09-08 0.05 -
nProtect 2008-09-09.00 2094719 2008-09-09 4.00 -
The Hacker 6.3.0.6 v00075 2008-09-06 0.42 -
VBA32 3.12.8.5 20080909.0715 2008-09-09 1.24 -
VirusBuster 4.5.11.10 10.87.6/623804 2008-09-08 0.82 -


VirSCAN.org Scanned Report :
Scanned time : 2008/09/09 10:35:15 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : dnif.exe
File Size : 9216 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 09b4e22c86f7e9f1e5c7554ac03b9c9d
SHA1 : 2329f2c682f5c7896980f5bf0d5dc26af55fca34
Online report : http://virscan.org/report/2fc40c5a02aaf5fe...64b38aaec7.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.11 2008.09.06 2008-09-06 1.43 -
AhnLab V3 2008.09.09.02 2008.09.09 2008-09-09 0.89 -
AntiVir 7.8.1.28 7.0.6.135 2008-09-09 2.24 -
Arcavir 1.0.5 200809091005 2008-09-09 1.19 -
AVAST! 3.0.1 080908-0 2008-09-08 0.00 -
AVG 7.5.52.442 270.6.19/1662 2008-09-09 1.56 -
BitDefender 7.60825.1747807 7.20868 2008-09-09 3.00 -
CA (VET) 9.0.0.143 31.6.6078 2008-09-08 3.79 -
ClamAV 0.93.3 8200 2008-09-09 0.01 -
Comodo 2.11 2.0.0.641 2008-09-09 0.41 -
CP Secure 1.1.0.715 2008.09.09 2008-09-09 6.66 -
Dr.Web 4.44.0.9170 2008.09.09 2008-09-09 3.18 -
ewido 4.0.0.2 2008.09.09 2008-09-09 5.62 -
F-Prot 4.4.4.56 20080908 2008-09-08 1.00 -
F-Secure 5.51.6100 2008.09.09.06 2008-09-09 0.04 -
Fortinet 2.81-3.112 9.531 2008-09-09 0.18 -
ViRobot 20080909 2008.09.09 2008-09-09 0.40 -
Ikarus T3.1.01.34 2008.09.09.71425 2008-09-09 3.37 -
JiangMin 11.0.706 2008.09.08 2008-09-08 1.36 -
Kaspersky 5.5.10 2008.09.09 2008-09-09 0.03 -
KingSoft 2008.1.14.15 2008.9.9.20 2008-09-09 0.59 -
McAfee 5.3.00 5379 2008-09-08 1.74 -
Microsoft 1.3903 2008.09.09 2008-09-09 4.44 -
mks_vir 2.01 2008.08.25 2008-08-25 2.65 -
Norman 5.93.01 5.93.00 2008-09-08 5.00 -
Panda 9.05.01 2008.09.08 2008-09-08 2.48 -
Trend Micro 8.700-1004 5.532.04 2008-09-09 0.03 -
Quick Heal 9.50 2008.09.06 2008-09-06 1.71 -
Rising 20.0 20.61.12.00 2008-09-09 0.77 -
Sophos 2.78.0 4.33 2008-09-09 1.74 -
Sunbelt 3.1.1616.1 2220 2008-09-08 0.41 -
Symantec 1.3.0.24 20080908.036 2008-09-08 0.05 -
nProtect 2008-09-09.00 2094719 2008-09-09 4.00 -
The Hacker 6.3.0.6 v00075 2008-09-06 0.40 -
VBA32 3.12.8.5 20080909.0715 2008-09-09 1.24 -
VirusBuster 4.5.11.10 10.87.6/623804 2008-09-08 0.81 -


VirSCAN.org Scanned Report :
Scanner results: All Scanners reported not find malware!
File Name : regedit.exe
File Size : 146432 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 058710b720282ca82b909912d3ef28db
SHA1 : 48f4612efeb713a5860726fdb999ceceff07557d
Online report : http://virscan.org/report/c0a990f862328dbb...d0b29f0d76.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.11 2008.09.06 2008-09-06 1.42 -
AhnLab V3 2008.09.08.02 2008.09.08 2008-09-08 0.91 -
AntiVir 7.8.1.28 7.0.6.130 2008-09-08 2.26 -
Arcavir 1.0.5 200809081206 2008-09-08 1.22 -
AVAST! 3.0.1 080908-0 2008-09-08 0.73 -
AVG 7.5.52.442 270.6.19/1660 2008-09-08 1.56 -
BitDefender 7.60825.1746840 7.20858 2008-09-09 3.00 -
CA (VET) 9.0.0.143 31.6.6077 2008-09-08 5.40 -
ClamAV 0.93.3 8194 2008-09-09 0.03 -
Comodo 2.11 2.0.0.640 2008-09-08 0.42 -
CP Secure 1.1.0.715 2008.09.09 2008-09-09 6.68 -
Dr.Web 4.44.0.9170 2008.09.08 2008-09-08 3.20 -
ewido 4.0.0.2 2008.09.08 2008-09-08 2.66 -
F-Prot 4.4.4.56 20080908 2008-09-08 1.02 -
F-Secure 5.51.6100 2008.09.08.11 2008-09-08 3.29 -
Fortinet 2.81-3.112 9.528 2008-09-08 0.24 -
ViRobot 20080908 2008.09.08 2008-09-08 0.41 -
Ikarus T3.1.01.34 2008.09.08.71421 2008-09-08 3.32 -
JiangMin 11.0.706 2008.09.08 2008-09-08 1.19 -
Kaspersky 5.5.10 2008.09.08 2008-09-08 0.05 -
KingSoft 2008.1.14.15 2008.9.8.20 2008-09-08 0.60 -
McAfee 5.3.00 5379 2008-09-08 1.75 -
Microsoft 1.3903 2008.09.08 2008-09-08 4.32 -
mks_vir 2.01 2008.08.25 2008-08-25 2.62 -
Norman 5.93.01 5.93.00 2008-09-08 5.02 -
Panda 9.05.01 2008.09.08 2008-09-08 2.23 -
Trend Micro 8.700-1004 5.530.08 2008-09-08 0.03 -
Quick Heal 9.50 2008.09.06 2008-09-06 1.73 -
Rising 20.0 20.61.02.00 2008-09-08 0.89 -
Sophos 2.78.0 4.33 2008-09-09 1.72 -
Sunbelt 3.1.1616.1 2217 2008-09-05 0.40 -
Symantec 1.3.0.24 20080907.003 2008-09-07 0.06 -
nProtect 2008-09-08.00 2086892 2008-09-08 3.70 -
The Hacker 6.3.0.6 v00075 2008-09-06 0.41 -
VBA32 3.12.8.5 20080908.0650 2008-09-08 1.34 -
VirusBuster 4.5.11.10 10.87.6/623804 2008-09-08 0.94 -
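The four reports above share one text layout, so a helper can parse rather than eyeball them. As an added example (not code from the thread or from VirSCAN.org), this Python parser turns pasted reports into a per-file triage summary and checks that the stated hit ratio matches the engine rows actually listed, which is how the lone "Suspicious" verdict on rtsdnif.exe stands out from otherwise clean results. SAMPLE is a constructed, shortened report set; the file names and MD5s are copied from the thread.

```python
"""Parse VirSCAN.org multi-engine reports in the text form pasted above.
Added example, not code from the thread or from VirSCAN.org; SAMPLE is a
constructed, shortened report set (file names and hashes from the thread)."""
import re
from dataclasses import dataclass, field

# Header lines: "File Name : attrib.exe", "Scanner results: 3% Scanner(1/36) found malware!"
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")
# Engine row: name (may contain spaces) engine-ver sig-ver sig-date seconds result.
# Anchoring on the YYYY-MM-DD date lets names such as "CA (VET)" parse correctly.
ROW_RE = re.compile(
    r"^(?P<scanner>\S.*?)\s+\S+\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\d+\.\d+\s+(?P<result>\S.*?)\s*$")
CLAIM_RE = re.compile(r"Scanner\((\d+)/(\d+)\)")   # "(hits/engines)" in the claim line


@dataclass
class Report:
    headers: dict = field(default_factory=dict)   # "File Name", "MD5", "SHA1", ...
    results: dict = field(default_factory=dict)   # scanner -> result ("-" means clean)

    @property
    def detections(self):
        return {s: r for s, r in self.results.items() if r != "-"}

    def consistent(self):
        """True when the 'Scanner results' claim matches the rows actually listed."""
        m = CLAIM_RE.search(self.headers.get("Scanner results", ""))
        if m is None:          # wording used for a clean file: no ratio given
            return not self.detections
        return (int(m[1]), int(m[2])) == (len(self.detections), len(self.results))


def parse_reports(text):
    """One Report per 'VirSCAN.org Scanned Report' block in the pasted text."""
    reports, current, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VirSCAN.org Scanned Report"):
            current, in_table = Report(), False
            reports.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Scanner Engine"):   # column header opens the table
            in_table = True
        elif in_table:
            m = ROW_RE.match(line)
            if m:
                current.results[m["scanner"]] = m["result"]
        else:
            m = HEADER_RE.match(line)
            if m:
                current.headers[m["key"].strip()] = m["value"].strip()
    return reports


def triage(text):
    """Per file: hash, hit count, which engines flagged it, and claim/row consistency."""
    return [{
        "file": r.headers.get("File Name", "?"),
        "md5": r.headers.get("MD5", ""),
        "hits": len(r.detections),
        "engines": len(r.results),
        "flagged_by": sorted(r.detections),
        "consistent": r.consistent(),
    } for r in parse_reports(text)]


# Constructed sample: two reports cut down to a few engines each.
SAMPLE = """\
VirSCAN.org Scanned Report :
Scanner results: 33% Scanner(1/3) found malware!
File Name : rtsdnif.exe
MD5 : 75951d8a85067f8eccd0076f21e9e4e8

Scanner Engine Ver Sig Ver Sig Date Time Scan result
CA (VET) 9.0.0.143 31.6.6078 2008-09-08 5.50 -
Fortinet 2.81-3.112 9.531 2008-09-09 0.20 Suspicious
nProtect 2008-09-09.00 2094719 2008-09-09 4.00 -
VirSCAN.org Scanned Report :
Scanner results: All Scanners reported not find malware!
File Name : attrib.exe
MD5 : e6d680494c812b82a15600fd23c94424

Scanner Engine Ver Sig Ver Sig Date Time Scan result
Kaspersky 5.5.10 2008.09.09 2008-09-09 0.03 -
Trend Micro 8.700-1004 5.532.04 2008-09-09 0.03 -
"""
```

`triage(SAMPLE)` yields one summary per file; a report whose stated ratio disagrees with its rows (a truncated paste, for instance) shows up as `consistent: False`.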

#15 fenzodahl512

Posted 09 September 2008 - 11:14 AM

Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
Then, please download and install the latest Java from HERE

NEXT

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post the Kaspersky Online result in your next reply.
