
possible virus (facebook)-- internet connection very slow, please help


  • This topic is locked
38 replies to this topic

#1 screaminjoe
  • Members
  • 22 posts

Posted 29 October 2008 - 08:03 AM

Hello all,

Here is my problem:
I clicked on a facebook link (stupid, yes, I know, I was tricked into it),
and since then, my internet connection has been extremely slow.
There is definitely a problem somewhere, and I assume it is probably due to this facebook link.

I am running windows XP pro, SP3, with firefox 3.0.3, zone alarm free version.
All windows security patches for windows XP are currently up to date.

I have followed all the guidelines here and have tried everything I can do before posting.
I am using BitDefender antivirus, and definitions were updated -- scan showed no problems.
I have cleaned out everything using CCleaner, my drives are all defragmented, and I have tried Spybot Search & Destroy, SpyEraser, and scanned with McAfee Stinger with no luck.
update: also tried Kaspersky's online virus scanner = nothing

I am no expert, but usually can handle most problems myself, until now.

Thanks very much in advance-- any help is greatly appreciated.
joseph

Edited by screaminjoe, 29 October 2008 - 09:53 AM.



#2 Maniac
  • Members
  • 95 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 29 October 2008 - 09:57 AM

Scan with MalwareBytes' Anti-Malware:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Then, submit the ESET SysInspector log file, so I can see what the situation is.

Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start the program by running SysInspector.exe
The program will collect information about the situation on your machine.
- When the inspector is ready and the log file has been generated, select File > Save Log
- Confirm your choice

Choose to save the file somewhere and then upload on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.



#3 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 29 October 2008 - 11:01 AM

Hi nod32fen,

Thanks very much for your response.
Here is the log file from malwarebytes quick scan:
---

Malwarebytes' Anti-Malware 1.30
Database version: 1335
Windows 5.1.2600 Service Pack 3

29.10.2008 16:41:54
mbam-log-2008-10-29 (16-41-54).txt

Scan type: Quick Scan
Objects scanned: 50247
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---

Then the ESET SysInspector log link is here:

http://4storing.com/pjmd7/3bc9e73ccdaa04b9...92b8a5472b.html

thank you again,
joseph

#4 Maniac
  • Members
  • 95 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 29 October 2008 - 11:28 AM

Log in Safe Mode and replace the original hosts file:
http://4storing.com/c556w/84f68dcf58c40349...3914e1d08b.html

with yours. Copy hosts file and paste it into:
C:\WINDOWS\System32\drivers\etc\
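The hosts-file replacement above targets a common cause of the symptom in this thread: malware appending lines to C:\WINDOWS\System32\drivers\etc\hosts so that update sites are blackholed or popular sites are redirected. As an added example that is not part of the thread or of any tool it names, the Python below parses a hosts file, ignores the default loopback entry, and classifies everything else; the sample file content is constructed for the demo, and the assumption that a stock Windows XP hosts file contains only the 127.0.0.1 localhost line is mine.

```python
import ipaddress
from typing import Dict, List, Tuple

# Entries a clean default hosts file is expected to carry. Assumption: Windows XP
# ships only the IPv4 loopback line; Vista and later also add the ::1 line.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample (not a real capture): the default line followed by the
# kinds of additions a hijacked file carries. 192.0.2.10 is a documentation-range
# address used here as a stand-in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# comment header as shipped by Windows
127.0.0.1       localhost
127.0.0.1       www.bitdefender.com   # AV vendor site made unreachable
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.microsoft.com
192.0.2.10      www.facebook.com      # site redirected to another address
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every entry, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: report nothing rather than crash the audit
        if names:
            entries.append((ip, names))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify every non-default entry.

    'blackholed': a hostname sent to a loopback or unspecified address, so the
    name stops resolving anywhere useful (typical for blocking AV updates).
    'redirected': a hostname sent to any other address (typical for phishing
    or ad-fraud redirects).
    """
    findings: Dict[str, List[str]] = {"blackholed": [], "redirected": []}
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if (ip, name.lower()) in DEFAULT_ENTRIES:
                continue
            bucket = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings[bucket].append(f"{name} -> {ip}")
    return findings


def is_clean(text: str) -> bool:
    """True when the file holds nothing beyond the default loopback entries."""
    found = audit_hosts(text)
    return not found["blackholed"] and not found["redirected"]


if __name__ == "__main__":
    # On a real machine read the file instead of SAMPLE_HOSTS, e.g.
    # open(r"C:\WINDOWS\System32\drivers\etc\hosts").read()
    result = audit_hosts(SAMPLE_HOSTS)
    for kind, items in result.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
    print("clean:", is_clean(SAMPLE_HOSTS))
```

Anything reported here is exactly what replacing the file with the original removes; reviewing the list first tells you which sites were being blocked or redirected.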

#5 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 29 October 2008 - 12:02 PM

Hello nod32fen,

I went to the link you supplied and was not able to download anything:
The message in Bulgarian was:

The file is temporarily unavailable.
Please try again later.

thanks.

#6 xblindx
  • Banned
  • 1,923 posts
  • Gender:Male

Posted 29 October 2008 - 03:04 PM

Please perform a Full Scan with Malwarebytes and post the log in your next reply.

#7 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 30 October 2008 - 12:00 PM

Hello xblindx,
Thanks for your help.
Here are the results. Nothing was found.


Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

30.10.2008 17:54:44
mbam-log-2008-10-30 (17-54-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 316711
Time elapsed: 2 hour(s), 43 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 xblindx
  • Banned
  • 1,923 posts
  • Gender:Male

Posted 30 October 2008 - 03:51 PM

Hmm..... are you still experiencing issues with your computer?

#9 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 31 October 2008 - 09:08 AM

yes, still the same problems.
And, I am positive something is wrong due to the slow internet connection.
Loading normal pages is taking ten times longer than they normally do.
thanks.

#10 harrythook
  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 01 November 2008 - 07:04 PM

Hey screaminjoe, sorry for the delay here. There have been a few changes in the lineup, and I'll help you from here.
Do me a favor, restate the problems as of today. I think that we might move this topic to another area if you still need help.

Sorry for the confusion, and the delays.
Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#11 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 03 November 2008 - 06:58 AM

Hi Harry,
Thanks for your reply.
I am still having a problem and still believe that it is a virus affecting my computer, even though all scans I have run thus far haven't found much.
Thanks very much for your help.
All info is below as it stands now.

Ever since clicking on a facebook link (which I was tricked into clicking on) my internet connection has been extremely slow.
I have a hi speed internet connection, but now, all internet pages take very long to load.
Spybot S&D and Ad-Aware haven't found anything. Malwarebytes' Anti-Malware 1.30 found nothing.

SUPERAntiSpyware found the problems listed below, but now scans clean, even though the problem still exists.

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265565.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265566.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265567.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265568.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0020\DRIVERFILES\SW20.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0020\DRIVERFILES\SW24.EXE
C:\WINDOWS\SYSTEM32\SW20.EXE
C:\WINDOWS\SYSTEM32\SW24.EXE

Uniblue's spyeraser found the following malware problems:
Infected registry keys/values detected

#12 harrythook
  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 03 November 2008 - 08:55 PM

Ok screaminjoe,
I am having this moved to another section of the forum :thumbsup:
Follow these instructions:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by Orange Blossom, 03 November 2008 - 08:58 PM.
Moving to HiJack This forum at harrythook's request. ~ OB


#13 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 04 November 2008 - 10:22 AM

Hi Harry,
Thanks again for your help.
Yes, as you will notice, this isn't the first time I have run combofix. You can probably make more light of this than I have been able to. If there is anything else from previous scans that you need please let me know. I hope this doesn't make things harder for you.

I am also including the quarantined text file log from previous runs here:

#14 harrythook
  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 04 November 2008 - 10:17 PM

Hey screamin,
Do this:
Click Start > Run, then type in ComboFix /u (note the space before the /)
Hit enter and Combofix should remove itself.
Run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next, download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Let's see some results please :thumbsup:


#15 screaminjoe
  • Topic Starter
  • Members
  • 22 posts

Posted 05 November 2008 - 06:47 AM

Hi Harry,

Here are the results from the attached text doc.
Thanks again.
best,
screaminjoe
