tcpsr removal



#1 hatedude

Posted 10 October 2008 - 10:40 AM

Hey folks!
My computer is infected with malware. I find it in the registry, but I'm unable to delete the legacy_tcpsr in currentcontrolset/controlset001/controlset003.
I can't even find tcpsr.sys in C:/windows/system32/drivers/. My antispyware/antivirus programs find the malware but are unable to remove it, even though they say "Removal Successful!"
I'm using Spyware Doctor, Malwarebytes, CCleaner, Ad-Aware, S&D, SUPERAntiSpyware and HijackThis.
The trojan is causing trouble in the network. Sometimes the internet doesn't work at all, but usually it's just jumping up and down: it dies all the time, then comes back for 1 minute, then dies again.
Hope you understand what I mean.
I've got really bad English, sorry for that, but I'm going to post some logs from my antivirus programs and hopefully you guys can help me!

If you need logs or more info just ask me. I really want to fix this; I've got a lot of university studies to send over the internet, etc.


From ComboFix:

ComboFix 08-10-09.06 - Gunnhildur gjella 2008-10-10 15:25:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.237 [GMT 0:00]
Running from: C:\Documents and Settings\Gunnhildur gjella\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR


((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-10 14:31 . 2008-10-10 14:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-10 14:31 . 2008-10-10 14:31 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\Malwarebytes
2008-10-10 14:31 . 2008-10-10 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-10 14:31 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-10 14:31 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-10 13:59 . 2008-10-10 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-10 13:38 . 2008-10-10 15:29 32,256 --a------ C:\WINDOWS\system32\drivers\ati6ekxx.sys
2008-10-10 12:48 . 2008-10-10 12:48 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-10-10 12:48 . 2008-10-10 12:48 28,672 --a------ C:\WINDOWS\system32\Partizan.exe
2008-10-10 12:21 . 2008-10-10 12:21 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-10-10 12:16 . 2008-10-10 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-10 12:14 . 2008-10-10 12:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-10 12:14 . 2008-10-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-10 12:14 . 2008-10-10 12:14 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\SUPERAntiSpyware.com
2008-10-09 17:22 . 2008-10-09 18:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-09 16:45 . 2008-10-09 16:45 272 --a------ C:\WINDOWS\_delis32.ini
2008-10-09 13:30 . 2008-10-09 15:07 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2008-10-01 20:36 . 2008-10-09 14:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-10-01 20:36 . 2008-10-01 20:36 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\PC Tools
2008-10-01 20:36 . 2008-10-10 12:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 20:36 . 2008-10-01 20:46 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-01 20:36 . 2008-10-01 20:46 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-01 20:36 . 2008-10-01 20:46 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-01 20:36 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-01 16:42 . 2008-10-01 16:42 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\TrojanHunter
2008-10-01 16:20 . 2008-10-01 21:12 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-10-01 15:25 . 2008-10-01 15:25 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_f8.VIR
2008-09-30 21:01 . 2008-09-30 21:01 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_c8.VIR
2008-09-30 04:59 . 2008-09-30 04:59 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_994.VIR
2008-09-29 22:24 . 2008-09-29 22:24 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_8ac.VIR
2008-09-29 18:04 . 2008-09-29 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-29 18:04 . 2008-10-09 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-29 17:26 . 2008-09-29 17:26 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_1e4.VIR
2008-09-29 00:01 . 2008-09-29 00:01 <DIR> d-------- C:\Program Files\CCleaner
2008-09-28 23:53 . 2008-09-28 23:53 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_b1c.VIR
2008-09-28 23:53 . 2008-09-28 23:53 6,924 --a------ C:\WINDOWS\system32\drivers\tcpsr_b18.VIR
2008-09-25 19:41 . 2008-09-25 19:41 <DIR> d-------- C:\Program Files\Valve
2008-09-24 23:08 . 2008-09-24 23:08 <DIR> d-------- C:\Program Files\uTorrent
2008-09-24 23:07 . 2008-10-09 03:03 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\uTorrent
2008-09-24 22:52 . 2008-09-24 22:52 <DIR> d-------- C:\Program Files\DNA
2008-09-24 22:52 . 2008-09-29 02:30 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\DNA
2008-09-23 23:56 . 2008-09-28 13:21 <DIR> d-------- C:\Program Files\Creative
2008-09-23 22:44 . 2008-09-23 22:45 <DIR> d-------- C:\Program Files\CM3 SaveGame_Editor
2008-09-23 04:14 . 2008-10-08 01:36 <DIR> d-------- C:\Program Files\Championship Manager 01-02
2008-09-20 18:22 . 2008-09-20 18:22 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\Publish Providers
2008-09-20 18:01 . 2002-12-17 16:23 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2008-09-20 18:01 . 2002-10-20 14:05 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2008-09-20 18:00 . 2008-09-20 18:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-09-20 17:59 . 2008-09-20 18:29 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\Sony
2008-09-20 17:55 . 2008-09-20 17:55 <DIR> d-------- C:\Program Files\Vstplugins
2008-09-20 17:55 . 2008-09-20 17:55 <DIR> d-------- C:\Program Files\Sony
2008-09-20 17:55 . 2008-10-09 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-09-20 17:46 . 2008-09-20 17:46 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\Sony Setup
2008-09-20 17:44 . 2008-09-20 17:44 <DIR> d-------- C:\Program Files\Sony Setup
2008-09-18 04:24 . 2008-09-18 04:24 <DIR> d-------- C:\Program Files\FM Modifier 2.2
2008-09-17 19:02 . 2008-09-17 19:02 <DIR> d-------- C:\Program Files\SopCast
2008-09-17 18:59 . 2008-09-17 18:59 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\ppStream
2008-09-17 18:59 . 2008-09-17 19:00 542 --a------ C:\WINDOWS\psnetwork.ini
2008-09-17 18:59 . 2008-09-17 19:00 20 --a------ C:\WINDOWS\powerplayer.ini
2008-09-17 18:54 . 2004-08-04 04:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-17 18:53 . 2008-09-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-09-17 18:53 . 2008-09-17 18:53 <DIR> d-------- C:\Documents and Settings\Gunnhildur gjella\Application Data\PPMate
2008-09-10 20:58 . 2008-09-10 20:58 <DIR> d-------- C:\inteltemp
2008-09-10 20:52 . 2004-03-16 12:40 1,657,344 -ra------ C:\WINDOWS\system32\drivers\w22n51.sys
2008-09-10 20:52 . 2004-03-16 12:40 344,064 -ra------ C:\WINDOWS\system32\w22NCPA.dll
2008-09-10 20:51 . 2008-09-10 20:51 <DIR> d-------- C:\Program Files\NP35_WLANDrv2200_WinXP
2008-09-10 20:51 . 2004-03-16 12:40 991,232 -ra------ C:\WINDOWS\system32\W22MLRES.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 16:46 --------- d-----w C:\Program Files\Common Files\Logitech
2008-10-09 16:43 --------- d-----w C:\Program Files\Lavasoft
2008-10-01 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-28 13:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-28 13:21 --------- d-----w C:\Program Files\CyberLink
2008-09-27 17:53 --------- d-----w C:\Program Files\Full Tilt Poker
2008-09-17 18:59 --------- d-----w C:\Program Files\MSN Messenger
2008-09-06 16:32 --------- d-----w C:\Documents and Settings\Gunnhildur gjella\Application Data\Sports Interactive
2008-09-06 16:31 --------- d--h--r C:\Documents and Settings\Gunnhildur gjella\Application Data\SecuROM
2008-09-06 16:30 --------- d--h--w C:\Program Files\Zero G Registry
2008-09-06 16:26 --------- d-----w C:\Program Files\Sports Interactive
2008-09-06 15:55 --------- d-----w C:\Documents and Settings\Gunnhildur gjella\Application Data\LimeWire
2008-09-06 15:44 --------- d-----w C:\Program Files\Java
2008-09-03 14:26 --------- d-----w C:\Program Files\DIFX
2008-09-02 23:40 --------- d-----w C:\Program Files\Games
2008-09-02 23:29 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-10_14.15.13.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-10 14:10:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-10 15:30:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-10 14:10:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-10 15:30:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-10 14:10:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-10 15:30:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-21 67128]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4saxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6ekxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7ipxx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 ati6ekxx;ati6ekxx;C:\WINDOWS\system32\Drivers\ati6ekxx.sys [2008-10-10 32256]
R3 tcpsr;tcpsr;C:\WINDOWS\System32\drivers\tcpsr.sys [ ]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys [ ]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-10-10 30946]

*Newly Created Service* - TCPSR
.
Contents of the 'Scheduled Tasks' folder

2008-10-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-09-19 16:36]

2008-10-10 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Gunnhildur gjella\Application Data\Mozilla\Firefox\Profiles\p9llrhut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.blog.central.is/-blidurnar-
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 15:30:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-10 15:34:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-10 15:34:47
ComboFix2.txt 2008-10-10 14:15:42

Pre-Run: 2.964.103.168 bytes free
Post-Run: 2,948,325,376 bytes free

201 --- E O F --- 2008-10-09 17:58:10

From Malware:



Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 2

10.10.2008 15:05:15
mbam-log-2008-10-10 (15-05-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89884
Time elapsed: 31 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{cbe2e6c4-5d09-4b13-9fba-dcac57b62417} (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9b20df6a-133d-474c-b9ca-f492d1a112e0} (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f4c61c25-da02-4cf3-be43-afe81ed3884e} (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01667638-abc1-4753-81fe-5e89fea93eb6} (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c6a5ed20-49a5-4b92-8131-d6d8c8f107ec} (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ScanSpyware v3.8 (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ScanSpyware v3.8 (Rogue.ScanSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\ScanSpyware v3.8\baBackupRestore.dll (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Program Files\ScanSpyware v3.8\pests07-25-07.db (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Program Files\ScanSpyware v3.8\Scanner.exe (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Program Files\ScanSpyware v3.8\ScanSpyware.url (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Program Files\ScanSpyware v3.8\unins000.dat (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Program Files\ScanSpyware v3.8\unins000.exe (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ScanSpyware v3.8\Reset Internet Explorer Settings.lnk (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ScanSpyware v3.8\ScanSpyware on the Web.lnk (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ScanSpyware v3.8\ScanSpyware.lnk (Rogue.ScanSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ScanSpyware v3.8\Uninstall ScanSpyware.lnk (Rogue.ScanSpyware) -> Quarantined and deleted successfully.




From HijackThis:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17:36, on 10.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fragbite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mk.is:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://s01.mk.is;http://postur.mk.is;https://www.inna.is;http://s01.mk.is;http://postur.mk.is;http://ifolder.mk.is;;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?b33331d62ea5445899e40205189edf41
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?b33331d62ea5445899e40205189edf41
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7624 bytes
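To show how the ComboFix driver/service block above is read (the `R3 tcpsr ... [ ]` line with empty brackets, the `*Newly Created Service* - TCPSR` marker and `"EnableFirewall"= 0`), here is an added Python example that is not part of the original post or of ComboFix: it parses those lines and flags a running driver whose binary is absent from disk, which is the pattern behind "the scanner says removed, but the key is still there and the file cannot be found". The sample input is copied from the log in this thread; the severity labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the firewall and driver/service lines copied from the
# ComboFix log posted in this thread, in ComboFix's own layout.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 ati6ekxx;ati6ekxx;C:\WINDOWS\system32\Drivers\ati6ekxx.sys [2008-10-10 32256]
R3 tcpsr;tcpsr;C:\WINDOWS\System32\drivers\tcpsr.sys [ ]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys [ ]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-10-10 30946]

*Newly Created Service* - TCPSR
"""

# Service line layout: "<R|S><start> name;display;path [date size]", where
# R = running, S = stopped, the digit is the Windows start type, and empty
# brackets mean ComboFix found no file at that path.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);[^;]*;"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s*-\s*(?P<name>\S+)")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    name: str
    running: bool
    start_type: str
    path: str
    file_present: bool
    file_size: Optional[int]


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix driver/service line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()  # [] when the brackets are empty
    return ServiceEntry(
        name=m.group("name"),
        running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        path=m.group("path"),
        file_present=len(meta) == 2,
        file_size=int(meta[1]) if len(meta) == 2 else None,
    )


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (subject, severity, reason) for every line that deserves a second look."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service_line(line)
        if svc and svc.running and not svc.file_present:
            # A loaded driver with no file on disk is the pattern this thread shows:
            # the service key survives while the binary is hidden or already gone.
            findings.append((svc.name, "high", f"running driver, binary missing: {svc.path}"))
        elif svc and not svc.file_present:
            findings.append((svc.name, "low", f"stopped service with orphaned key: {svc.path}"))
        elif (m := NEW_SERVICE_RE.match(line)):
            # ComboFix diffs against its previous run; a key that appeared in
            # between is worth explaining even when its binary exists.
            findings.append((m.group("name"), "high", "service key created since the last ComboFix run"))
        elif (m := FIREWALL_RE.match(line)) and m.group("value") == "0":
            findings.append(("EnableFirewall", "medium", "Windows Firewall disabled for the standard profile"))
    return findings
```

On this thread's log the result is one high finding for tcpsr (running, no binary), a second high finding for the newly created TCPSR key, a low finding for the orphaned ATE_PROCMON key, and a medium finding for the disabled firewall.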

#2 kahdah


Posted 19 October 2008 - 10:45 AM

Hello hatedude

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not PM for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



