Popup & Antivirus 2009 Malware


  • This topic is locked
7 replies to this topic

#1 Eldon2

Eldon2

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 09 September 2008 - 12:16 PM

Any help is greatly appreciated!

My computer recently got infected with something that creates popups that override my popup blocker. Some popups give me warnings, then try to scan my computer with "Antivirus 2009". I suspect that this is the source of the malware to begin with, so I immediately close the popups.

My system:
Windows XP Pro
Explorer 7
Earthlink DSL connection
Earthlink Protection Control Center antivirus and firewall (ELPCC)

What I have tried:
Cleaning my hard drive of temp, cookies, prefetch, etc. and any programs I don't want and can safely eliminate
Repeatedly updating then scanning and deleting with ELPCC
Using HijackThis and Autoruns to delete (when I know it's safe) or ignore suspicious files and programs (tried numerous combinations of this)

Results:
I seem to be able to slow the popups sometimes but suspect there is something in the background reinstalling viruses. When I scan with ELPCC it shows several adware, malware, and viruses that I delete. The subsequent report then says it deleted most but ignored two. I think the two are the following viruses that have shown up repeatedly:

C:\windows\system32\catroot\W#@/downldr2.dvhe & .dvhf

These two files do not show up when I explore the relevant folder

I have attached my HJT log

Thanks again for any help!!!


Edited by Orange Blossom, 09 September 2008 - 05:55 PM.
Fix code tags. ~ OB




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,536 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:54 AM

Posted 24 September 2008 - 10:13 AM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

#3 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 24 September 2008 - 07:40 PM

Yes, please, I still need help!

Since I posted this topic I downloaded the free Avira Antivirus software and scanned my computer. It listed the following viruses:

TR/PSW.AGENT.PR in C:\windows\system32\_C00FCB40.dat
also in C:\ARK48.tmp
TR/SPY.AGENT.NVZ in C:\windows32\_C002740C.dat
also in C:\ARK49.tmp
TR/AGENT.159744.D in C:\windows\system32\mmx77442.dll
also in C:\windows\system32\_c00FAIF.exe

I selected delete to rid my computer of these, but I still get persistent warnings about TR/PSW.AGENT.PR, which keeps coming back after deleting. I usually end up deactivating the Avira software to make my computer usable. Then I occasionally get a firewall warning from my Earthlink Protection Control Center (PCC) software about an unnamed site accessing my computer. Blocking this usually results in my Internet Explorer being unable to access some sites. The good news is that the popups have stopped, but scans with PCC still show the viruses that it did before and it ignores them when I select to delete them.

Thanks again for any help you can give me!
Eldon

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,536 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:54 AM

Posted 24 September 2008 - 08:06 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#5 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 25 September 2008 - 12:33 PM

I tried to very carefully follow your instructions. A few unexpected things happened:

1. I downloaded WindowsXP-KB310994-SP2-Home-BootDisk-ENU from the Microsoft website to my desktop, then dragged it to the ComboFix icon as per the instructions. Immediately afterwards the Run ComboFix Windows Security Warning came up instead of the prompt asking if I want to proceed with scanning my computer. In my confusion I clicked Run. Later I noticed from the ComboFix log file that the Recovery Console was not installed. Fortunately things seem to be OK.
2. When I ran Combofix I got a message that there was a newer version available and chose to download it before running.
3. While running ComboFix I had all programs closed, with my antivirus programs deactivated. After running all stages but before preparing the log report my computer rebooted, including prompting for my user password, which I entered to get the system to proceed. In the process of rebooting, the Avira and possibly Earthlink Protection Control Center antivirus software reactivated while ComboFix was preparing the log report. I heeded the warnings about touching the computer while ComboFix was running, so I didn't try to shut them down.

Attached are the log files you requested. I had no problem accessing the internet and haven't got any messages from my antivirus programs so I am very optimistic and appreciative. I hope it continues!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:05 AM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/?e15=PSP_OGP_ELNKNAV
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.com/tsweb/msrdp.cab
O16 - DPF: {9E515FE4-2A60-4D08-8E96-CF9A967BE49B} (SSMEarthLink Control) - http://check.earthlinksecurity.com/SSMEarthLink.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{A523D060-EDBC-4D60-8B73-D26C07D34139}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 9320 bytes


ComboFix 08-09-25.01 - Eldon Hofeling 2008-09-25 9:48:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.225 [GMT -7:00]
Running from: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\eldon hofeling.home-yn0co7ywj1\cookies\eldon_hofeling@advertising[1].txt
c:\documents and settings\eldon hofeling.home-yn0co7ywj1\cookies\eldon_hofeling@insightexpressai[1].txt
c:\documents and settings\eldon hofeling.home-yn0co7ywj1\cookies\eldon_hofeling@specificclick[1].txt
c:\documents and settings\eldon hofeling.home-yn0co7ywj1\cookies\eldon_hofeling@turn[2].txt
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\__c00FCB40.dat
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml

.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.

2018-06-18 07:21 . 2018-06-18 07:21 <DIR> d-------- C:\Program Files\DirectX
2008-09-16 07:48 . 2008-09-16 07:48 <DIR> d-------- C:\Program Files\Avira
2008-09-16 07:48 . 2008-09-16 07:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-09-06 08:51 . 2008-09-11 10:14 <DIR> d-------- C:\Program Files\Camstudio
2008-09-04 09:42 . 2008-09-04 09:42 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-06-18 14:21 266 --sh--w C:\Program Files\desktop.ini
2018-06-18 14:21 11,079 -c-ha-w C:\Program Files\folder.htt
2008-09-20 20:09 --------- d-----w C:\Program Files\UBNet
2008-09-18 23:57 --------- d-----w C:\Program Files\Google
2008-09-18 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 15:56 --------- d-----w C:\Program Files\Microsoft Games
2008-09-06 09:26 --------- d-----w C:\Program Files\PartyGaming
2008-01-31 00:37 292,328 ----a-w C:\Program Files\elnk_pcc.exe
2006-04-10 21:53 14,392 ----a-w C:\Program Files\SolidWorksswxJRNL.BAK
2006-03-09 17:07 32,576 ----a-w C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\GDIPFONTCACHEV1.DAT
2006-03-09 17:00 376,672 ----a-w C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\musicmatch10.exe
2006-02-09 17:16 2,206,405 ----a-w C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\wbsamp.exe
2003-03-21 13:37 16,056 ----a-w C:\Program Files\owcstp16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 286720]
"Earthlink Protection Control Center"="C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-11-15 58856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 3022848]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 40960]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-09 45056]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-05-22 11:36 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-05-29 17:21 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 11:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 00:34 57344 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Microsoft Games\\Links 2001\\LinksMMI.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 22528]
R2 EarthLinkMonitor;EarthLink Monitor Service;C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 42496]
R3 AuthFw;AuthFw;C:\Program Files\Authentium\Firewall SDK\AuthFw.exe [2007-04-05 495616]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [2007-08-03 57456]
S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 38384]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 151832]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 31000]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [ ]
S4 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{F27A8280-388D-3F63-85D5-7A65D6576632} - C:\WINDOWS\system32\mmx77442.dll
Notify-14ff1040382 - C:\WINDOWS\system32\__c00FCB40.dat
Notify-AutorunsDisabled - C:\WINDOWS\system32\__c00FCB40.dat C:\WINDOWS\system32\__c002790C.dat
MSConfigStartUp-HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.earthlink.net/?e15=PSP_OGP_ELNKNAV
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: EarthLink Google Search - C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} c:\program files\PartyGaming\PartyPoker\RunApp.exe - c:\program files\partygaming\partypoker\runapp.exe\inprocserver32 does not exist!
O17 -: HKLM\CCS\Interface\{A523D060-EDBC-4D60-8B73-D26C07D34139}: NameServer = 207.69.188.185,207.69.188.186

O16 -: {9E515FE4-2A60-4D08-8E96-CF9A967BE49B} - hxxp://check.earthlinksecurity.com/SSMEarthLink.cab
C:\WINDOWS\Downloaded Program Files\SSMEarthLink.inf
C:\WINDOWS\system32\progressbar.avi
C:\WINDOWS\system32\SSMEarthLink.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 09:55:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-25 10:01:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 17:01:13

Pre-Run: 90,410,935,296 bytes free
Post-Run: 91,272,055,808 bytes free

157 --- E O F --- 2008-06-11 14:04:55
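As an added example (not code from this thread, nor from the HijackThis or ComboFix authors), the following Python script parses HijackThis entry lines of the kind posted above and pulls out what an analyst reads first: entries that point at files which no longer exist, entries Autoruns has already disabled, the programs behind each O4 Run key, and O23 services whose publisher HijackThis could not identify. The sample log is constructed from lines in the log posted in this thread; the regular expressions, the review markers and the function names are my own assumptions about the format, not an official parser.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, trimmed to the entry types the triage below looks at.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:05 AM, on 9/25/2008

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24), then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.*)$")
# O4 body shape (assumed): HKLM\..\Run: [Value name] "C:\path\app.exe" /args
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 body shape (assumed): Service: Display name (short) - Publisher - C:\path\svc.exe
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumed triage heuristic: dangling references, items Autoruns disabled,
# and services with no identifiable publisher get a second look.
REVIEW_MARKERS = ("(no file)", "AutorunsDisabled", "Unknown owner")


@dataclass
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the section-coded entries of a HijackThis log, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag_for_review(entries: List[Entry]) -> List[Entry]:
    """Entries whose body contains any review marker."""
    return [e for e in entries if any(mk in e.body for mk in REVIEW_MARKERS)]


def _executable(cmd: str) -> str:
    """Pull the program image out of a Run-key command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def autorun_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(hive, value name, executable) for every O4 Run-key entry."""
    out = []
    for e in entries:
        m = O4_RE.match(e.body) if e.code == "O4" else None
        if m:
            out.append((m.group("hive"), m.group("name"), _executable(m.group("cmd"))))
    return out


def services(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(display name, publisher, image path) for every O23 service entry."""
    out = []
    for e in entries:
        m = O23_RE.match(e.body) if e.code == "O23" else None
        if m:
            out.append((m.group("name"), m.group("owner"), m.group("path")))
    return out


def triage(text: str) -> dict:
    """Summarise a log: counts per section plus the entries to look at first."""
    entries = parse_hjt(text)
    per_code = {}
    for e in entries:
        per_code[e.code] = per_code.get(e.code, 0) + 1
    return {
        "entries": len(entries),
        "per_code": per_code,
        "review": [f"{e.code} - {e.body}" for e in flag_for_review(entries)],
        "unknown_owner_services": [s for s in services(entries) if s[1] == "Unknown owner"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} entries, by section: {report['per_code']}")
    for line in report["review"]:
        print("REVIEW:", line)
    for hive, name, exe in autorun_entries(parse_hjt(SAMPLE_LOG)):
        print(f"autorun {hive} [{name}] -> {exe}")
```

The "review" list is a reading aid, not a verdict: an "(no file)" entry is usually a leftover registry reference to something already removed, as with the orphans ComboFix lists above, while an "Unknown owner" service only means the publisher field was empty and still has to be checked against the image path.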

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,536 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:54 AM

Posted 26 September 2008 - 09:49 PM

Looks good now. How does your computer feel to you?

#7 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 29 September 2008 - 11:43 PM


Shortly after doing the procedure you recommended I rescanned with Avira and found the following two viruses that I had found previously:

TR/PSW.AGENT.PR in C:\windows\system32\_C00FCB40.dat
&
TR/AGENT.159744.D in C:\windows\system32\mmx77442.dll

but this time when I selected delete they were deleted for good. A later scan by Avira and also by my Earthlink Protection Control Center showed my computer clean. The only thing I notice now is quite a wait when closing Windows Explorer, but everything else seems back to normal. I'll reply again in a few days.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,536 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:54 AM

Posted 16 October 2008 - 08:52 AM

As there has been no response, I will be closing this topic. If you require help in the future please create a new topic.



