

Possible NEW infection...yet to be discovered!


  • This topic is locked
14 replies to this topic

#1 LadyDro

LadyDro

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Location:Chicago
  • Local time:06:35 PM

Posted 10 January 2009 - 01:53 PM

I ended up at this site by direction of a friend when I discovered I had Vundo, Virtumonde and prunnet. As far as I know I have successfully removed them and the computer is running better than ever. However, I had one program that was showing in msconfig startup that didn't belong there. The computer could not find this file, nor could I. So I started a thread here asking about this unheard-of program that produces 3-5 Google results....ALL of which are my comments on the net regarding this program. So I seem to be the only/first one to have it! The program is resfaxa - resfaxa.exe. I ended up going through the registry one by one searching for this resfaxa and finally found it. Posted back here and was told to delete it and proceed here with my HJT log....soooo here I go.........

Original thread
Unknown program on my pc

Screen shots prior to deletion: [two images attached to the post]



DDS (Ver_09-01-07.01) - FAT32x86
Run by Owner at 12:33:16.55 on Sat 01/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.448.173 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
F:\Programs\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mcafee.com/us/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant = hxxp://ie.search.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2BBC6C32-3B90-4F5B-84E4-C23280FD149A} - No File
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {B3984F15-3DCC-4063-93CA-61C4F4E788B7} - No File
BHO: {B6556891-00BD-70D8-EE87-8C8748D523A0} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "f:\programs\quicktime\QTTask.exe" -atboottime
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [HP Software Update] f:\programs\hp\hp software update\HPWuSchd2.exe
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - f:\programs\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\programs\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-31 201320]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2005-2-20 6656]
R1 SASDIFSV;SASDIFSV;f:\programs\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;f:\programs\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-31 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-31 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-31 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-31 40488]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-31 203280]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-31 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-31 144704]
R4 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2005-2-20 28672]
S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2005-2-11 63360]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-31 33832]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2005-2-11 320384]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2005-2-11 9344]
S3 SASENUM;SASENUM;f:\programs\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [2005-9-14 16925]

=============== Created Last 30 ================

2009-01-10 00:40 --d----- c:\program files\EsetOnlineScanner
2009-01-09 23:28 --d----- c:\docume~1\owner\applic~1\PixelMetrics
2009-01-09 23:28 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2009-01-07 18:12 --d----- c:\program files\common files\Nova Development
2009-01-07 18:08 --d----- c:\docume~1\alluse~1\applic~1\Nova Development
2009-01-07 18:07 --d----- c:\program files\common files\Ulead Systems
2009-01-07 17:33 --d----- c:\program files\common files\HP
2009-01-07 16:20 --d----- c:\docume~1\owner\applic~1\Registry Defender
2009-01-07 01:26 --d----- c:\program files\iPod
2009-01-07 01:26 --d----- c:\program files\iTunes
2009-01-07 01:26 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-07 01:24 --d----- c:\program files\Bonjour
2009-01-07 00:35 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 00:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 00:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 11:39 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 11:37 --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-01-05 16:59 26,000 a------- c:\windows\system32\E3TL.DLL
2009-01-05 16:58 --d----- c:\docume~1\alluse~1\applic~1\Zenturi
2009-01-04 16:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-04 15:28 --d----- c:\program files\HP
2009-01-04 11:56 61,224 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2008-12-31 02:57 8,047 a------- c:\windows\system32\Config.MPF
2008-12-31 02:44 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-31 02:44 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2008-12-31 02:44 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2008-12-31 02:44 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-31 02:44 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-31 02:44 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2008-12-31 02:43 --d----- c:\program files\McAfee.com
2008-12-31 02:42 --d----- c:\program files\common files\McAfee
2008-12-31 02:41 --d----- c:\program files\McAfee
2008-12-30 01:22 --d----- c:\windows\McAfee.com
2008-12-29 16:03 131,569 -------- c:\windows\hpiins06.dat.temp
2008-12-29 16:03 0 -------- c:\windows\hpimdl06.dat.temp
2008-12-23 23:23 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-23 23:20 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-23 23:01 33,832 a------- c:\windows\system32\wnwcxnhw.exe
2008-12-23 10:01 --d----- c:\docume~1\alluse~1\applic~1\Citrix
2008-12-22 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-21 23:14 1,661,209 ---sh--- c:\windows\system32\qniflbeo.ini
2008-12-21 23:09 874,603 a--sh--- c:\windows\system32\ghkllUvw.ini2
2008-12-21 23:09 874,603 a--sh--- c:\windows\system32\ghkllUvw.ini
2008-12-21 22:15 1,661,209 ---sh--- c:\windows\system32\dqkytfwd.ini
2008-12-21 22:05 873,802 a--sh--- c:\windows\system32\bdJllnnn.ini2
2008-12-21 22:05 874,491 a--sh--- c:\windows\system32\bdJllnnn.ini

==================== Find3M ====================

2009-01-07 18:00 131,556 a------- c:\windows\hpiins06.dat
2009-01-04 16:16 2,404 a------- c:\windows\system32\d3d9caps.dat
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-03-22 19:49 24,192 a------- c:\documents and settings\owner\usbsermptxp.sys
2008-03-22 19:49 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2005-11-20 00:20 6,904 a------- c:\docume~1\alluse~1\applic~1\ypinfo.bin
2005-02-10 23:27 266 ---sh--- c:\program files\desktop.ini
2005-02-10 23:27 11,079 ----h--- c:\program files\folder.htt
2008-09-07 03:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 12:35:51.55 ===============
Attached File: Attach.txt (6.64KB)

Edited by LadyDro, 10 January 2009 - 08:19 PM.
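As an added illustration (not a tool from this thread or from BleepingComputer), the script below applies two simple triage rules to lines in the format DDS prints above: browser helper entries (BHO/TB/EB) that resolve to "No File", which is an orphaned CLSID registration left behind by a removed component, and files created directly in system32 that carry hidden+system attributes or an eight-letter name with an .exe/.dll extension, the pattern shown by the randomly named .ini/.ini2 files and wnwcxnhw.exe in the log. The sample lines are copied from the log above; the rule names and thresholds are my own assumptions, and a hit is a prompt for an analyst to look at the file, not a verdict.

```python
"""Heuristic triage of DDS log lines (Pseudo HJT Report and Created Last 30 sections)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: {2BBC6C32-3B90-4F5B-84E4-C23280FD149A} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
2009-01-10 00:40 --d----- c:\program files\EsetOnlineScanner
2009-01-07 00:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 16:15 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-23 23:01 33,832 a------- c:\windows\system32\wnwcxnhw.exe
2008-12-21 23:14 1,661,209 ---sh--- c:\windows\system32\qniflbeo.ini
2008-12-21 23:09 874,603 a--sh--- c:\windows\system32\ghkllUvw.ini2
2005-02-10 23:27 266 ---sh--- c:\program files\desktop.ini
2008-09-07 03:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat
"""

# "Created Last 30" / "Find3M" line: date, time, optional size or <DIR>, 8-char attribute string, path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+|<DIR>) )?(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Browser helper object / toolbar / explorer bar line: optional name, CLSID, then a path or "No File".
CLSID_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"
)
SYSTEM32 = r"c:\windows\system32"          # only files directly in this folder are considered
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")  # assumed heuristic: eight letters, no digits


@dataclass(frozen=True)
class Finding:
    ident: str   # file path or CLSID
    reason: str  # which rule fired


def triage(lines):
    """Return a list of Findings for the lines that match one of the heuristic rules."""
    findings = []
    for line in lines:
        m = CLSID_RE.match(line)
        if m:
            # A registered helper whose DLL no longer exists: an orphaned CLSID entry.
            if m["target"] == "No File":
                findings.append(Finding(m["clsid"], "orphaned_clsid"))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        attrs, path = m["attrs"], m["path"]
        parent, _, name = path.rpartition("\\")
        stem, _, ext = name.partition(".")
        if parent.lower() != SYSTEM32:
            continue  # drivers\, config\... and everything outside system32 are out of scope
        if "s" in attrs and "h" in attrs:
            # Hidden + system attributes on a new file directly in system32.
            findings.append(Finding(path, "hidden_system_in_system32"))
        elif ext.lower() in ("exe", "dll") and RANDOM_STEM.match(stem):
            # New executable in system32 with a random-looking eight-letter name.
            findings.append(Finding(path, "random_name_exe_in_system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:28} {f.ident}")
```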




#2 LadyDro

LadyDro
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Location:Chicago
  • Local time:06:35 PM

Posted 13 January 2009 - 02:09 AM

OK, since posting my log I was hit with the Antivirus2009 ads that forced me to a webpage. So I ran scans and figured I should update my logs here. I also have been reading how you always advise to dump P2P programs, so I uninstalled my LimeWire to be ready for my next instruction!

Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3

1/12/2009 10:27:44 PM
mbam-log-2009-01-12 (22-27-44).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 123648
Time elapsed: 1 hour(s), 41 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2009 at 00:45 AM

Application Version : 4.24.1004

Core Rules Database Version : 3707
Trace Rules Database Version: 1682

Scan type : Complete Scan
Total Scan Time : 02:12:08

Memory items scanned : 405
Memory threats detected : 0
Registry items scanned : 5017
Registry threats detected : 0
File items scanned : 17862
File threats detected : 63

Adware.Tracking Cookie





DDS (Ver_09-01-07.01) - FAT32x86
Run by Owner at 1:04:11.22 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.448.163 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\Programs\NovaDevelopment\Ipe.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mcafee.com/us/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant = hxxp://ie.search.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2BBC6C32-3B90-4F5B-84E4-C23280FD149A} - No File
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {B3984F15-3DCC-4063-93CA-61C4F4E788B7} - No File
BHO: {B6556891-00BD-70D8-EE87-8C8748D523A0} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "f:\programs\quicktime\QTTask.exe" -atboottime
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [HP Software Update] f:\programs\hp\hp software update\HPWuSchd2.exe
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - f:\programs\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\programs\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-31 201320]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2005-2-20 6656]
R1 SASDIFSV;SASDIFSV;f:\programs\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;f:\programs\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-31 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-31 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-31 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-31 40488]
R3 SASENUM;SASENUM;f:\programs\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-31 203280]
S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2005-2-11 63360]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2005-2-11 320384]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2005-2-11 9344]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [2005-9-14 16925]

=============== Created Last 30 ================

2009-01-09 23:28 <DIR> --d----- c:\docume~1\owner\applic~1\PixelMetrics
2009-01-09 23:28 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2009-01-07 18:12 <DIR> --d----- c:\program files\common files\Nova Development
2009-01-07 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nova Development
2009-01-07 18:07 <DIR> --d----- c:\program files\common files\Ulead Systems
2009-01-07 17:33 <DIR> --d----- c:\program files\common files\HP
2009-01-07 16:20 <DIR> --d----- c:\docume~1\owner\applic~1\Registry Defender
2009-01-07 01:26 <DIR> --d----- c:\program files\iPod
2009-01-07 01:26 <DIR> --d----- c:\program files\iTunes
2009-01-07 01:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-07 01:24 <DIR> --d----- c:\program files\Bonjour
2009-01-07 00:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 00:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 00:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 11:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 11:37 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-01-05 16:59 26,000 a------- c:\windows\system32\E3TL.DLL
2009-01-05 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Zenturi
2009-01-04 16:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-04 15:28 <DIR> --d----- c:\program files\HP
2009-01-04 11:56 61,224 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2008-12-31 02:57 8,047 a------- c:\windows\system32\Config.MPF
2008-12-31 02:44 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-31 02:44 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2008-12-31 02:44 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2008-12-31 02:44 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-31 02:44 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-31 02:44 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2008-12-31 02:43 <DIR> --d----- c:\program files\McAfee.com
2008-12-31 02:42 <DIR> --d----- c:\program files\common files\McAfee
2008-12-31 02:41 <DIR> --d----- c:\program files\McAfee
2008-12-30 01:22 <DIR> --d----- c:\windows\McAfee.com
2008-12-29 16:03 131,569 -------- c:\windows\hpiins06.dat.temp
2008-12-29 16:03 0 -------- c:\windows\hpimdl06.dat.temp
2008-12-23 23:23 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-23 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-23 23:01 33,832 a------- c:\windows\system32\wnwcxnhw.exe
2008-12-22 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-21 23:14 1,661,209 ---sh--- c:\windows\system32\qniflbeo.ini
2008-12-21 23:09 874,603 a--sh--- c:\windows\system32\ghkllUvw.ini2
2008-12-21 23:09 874,603 a--sh--- c:\windows\system32\ghkllUvw.ini
2008-12-21 22:15 1,661,209 ---sh--- c:\windows\system32\dqkytfwd.ini
2008-12-21 22:05 873,802 a--sh--- c:\windows\system32\bdJllnnn.ini2
2008-12-21 22:05 874,491 a--sh--- c:\windows\system32\bdJllnnn.ini

==================== Find3M ====================

2009-01-07 18:00 131,556 a------- c:\windows\hpiins06.dat
2009-01-04 16:16 2,404 a------- c:\windows\system32\d3d9caps.dat
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-03-22 19:49 24,192 a------- c:\documents and settings\owner\usbsermptxp.sys
2008-03-22 19:49 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2005-11-20 00:20 6,904 a------- c:\docume~1\alluse~1\applic~1\ypinfo.bin
2005-02-10 23:27 266 ---sh--- c:\program files\desktop.ini
2005-02-10 23:27 11,079 ----h--- c:\program files\folder.htt
2008-09-07 03:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 1:06:52.48 ===============


#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:35 PM

Posted 24 January 2009 - 11:41 PM

Hello, LadyDro
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • GMER's Log
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 LadyDro

LadyDro
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Chicago
  • Local time:06:35 PM

Posted 29 January 2009 - 12:31 PM

I'm still here and will hopefully get these logs up here by tonight! ;)

#5 LadyDro

LadyDro
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Chicago
  • Local time:06:35 PM

Posted 31 January 2009 - 01:59 PM

Ok Billy, as I said, I have a whole new setup now, but with a drive from the old system, so here goes a fresh new log!


DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 12:56:55.48 on Sat 01/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.233 [GMT -6:00]

AV: avast! antivirus 4.8.1296 [VPS 090130-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://att.yahoo.com
mStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-29 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-29 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-29 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-30 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-29 155160]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-31 02:05 155,995 a------- c:\windows\java\packages\NHVB3D7H.ZIP
2009-01-31 02:05 2,232 a------- c:\windows\java\packages\data\VBN5VLN1.DAT
2009-01-31 02:05 2,678 a------- c:\windows\java\packages\data\TB9Z7Z3Z.DAT
2009-01-31 02:05 2,678 a------- c:\windows\java\packages\data\X3137HRZ.DAT
2009-01-31 02:05 2,678 a------- c:\windows\java\packages\data\QQTVL3LN.DAT
2009-01-31 02:05 2,678 a------- c:\windows\java\packages\data\D71VRLV3.DAT
2009-01-31 02:05 2,678 a------- c:\windows\java\packages\data\4GS7X7FD.DAT
2009-01-30 01:01 71,627 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-29 23:17 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 12:57:17.75 ===============


#6 LadyDro

LadyDro
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Chicago
  • Local time:06:35 PM

Posted 31 January 2009 - 02:09 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-31 13:08:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEFB76576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEFB76432]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEFB76910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEFB7600A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEFB7650C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEFB75F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEFB75FAE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEFB7662C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEFB765EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEFB7676C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEFC7FF20]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:35 PM

Posted 01 February 2009 - 04:43 PM

I'm confused... did you run ComboFix?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 LadyDro

LadyDro
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Chicago
  • Local time:06:35 PM

Posted 01 February 2009 - 05:13 PM

I am sorry..... I did GMER and completely overlooked ComboFix.....

ComboFix 09-02-01.01 - Owner 2009-02-01 16:05:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.260 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090201-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 23:08 . 2009-01-31 23:09 <DIR> d-------- c:\program files\Microsoft Home Publishing
2009-01-31 21:57 . 2009-01-31 21:57 <DIR> d-------- c:\windows\LastGood
2009-01-31 21:03 . 2009-01-31 21:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\Nova Development
2009-01-31 21:01 . 2009-01-31 21:01 <DIR> d-------- c:\program files\Common Files\Nova Development
2009-01-31 20:59 . 2009-01-31 20:59 <DIR> d-------- c:\program files\Nova Development
2009-01-31 20:59 . 2009-01-31 20:59 <DIR> d-------- c:\program files\Common Files\Ulead Systems
2009-01-31 20:59 . 2009-01-31 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nova Development
2009-01-31 19:54 . 2009-01-31 19:54 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-31 14:37 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-31 13:02 . 2009-01-31 13:02 250 --a------ c:\windows\gmer.ini
2009-01-31 10:40 . 2009-01-31 10:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-31 10:40 . 2009-01-31 10:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-31 10:39 . 2009-01-31 10:41 <DIR> d-------- c:\program files\Common Files\HP
2009-01-31 10:37 . 2009-01-31 10:40 <DIR> d-------- c:\program files\HP
2009-01-31 10:30 . 2009-01-31 10:42 131,576 --a------ c:\windows\hpiins06.dat
2009-01-31 10:30 . 2007-03-29 11:02 0 --------- c:\windows\hpimdl06.dat
2009-01-31 10:29 . 2009-01-31 10:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\ArcSoft
2009-01-31 10:27 . 2009-01-31 10:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\ArcSoft
2009-01-31 10:19 . 2009-01-31 10:19 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-01-31 10:19 . 2009-01-31 10:57 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-01-31 10:19 . 2009-01-31 10:19 <DIR> d-------- c:\program files\ArcSoft
2009-01-31 10:19 . 1995-07-31 13:44 212,480 --a------ c:\windows\PCDLIB32.DLL
2009-01-31 10:19 . 1998-07-21 20:29 21 --a------ c:\windows\PI3_SETUP.ini
2009-01-31 10:12 . 2009-01-31 10:12 <DIR> d-------- c:\documents and settings\Owner\Application Data\Motive
2009-01-31 10:10 . 2009-01-31 10:11 <DIR> d-------- c:\program files\ATT-SST
2009-01-31 10:10 . 2009-01-31 10:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2009-01-31 09:25 . 2009-01-31 10:10 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-31 09:25 . 2003-10-22 10:54 81,920 --a------ c:\windows\system32\W32n50.dll
2009-01-31 09:25 . 2003-10-22 10:54 17,162 --a------ c:\windows\system32\Pcandis5.sys
2009-01-31 09:25 . 2003-10-22 10:54 16,848 --a------ c:\windows\system32\Pcandis4.sys
2009-01-31 09:25 . 2003-10-22 10:54 16,073 --a------ c:\windows\system32\Pcandis3.vxd
2009-01-31 08:32 . 2009-01-31 09:04 <DIR> d-------- c:\documents and settings\Owner\Application Data\Yahoo!
2009-01-31 08:31 . 2009-01-31 12:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-31 08:31 . 2002-01-05 07:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-01-31 08:31 . 2003-03-18 22:05 89,088 --a------ c:\windows\system32\ATL71.DLL
2009-01-31 08:31 . 2002-01-05 06:18 84,992 --a------ c:\windows\system32\ATL70.DLL
2009-01-31 08:31 . 2001-10-11 11:26 65,536 --a------ c:\windows\system32\YCRWin32.dll
2009-01-31 08:31 . 2002-02-21 18:56 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-01-31 08:28 . 2009-01-31 09:31 <DIR> d-------- c:\program files\Yahoo!
2009-01-31 03:28 . 2009-01-31 03:28 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-31 03:28 . 2009-01-31 03:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-01-31 03:28 . 2009-01-31 03:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-31 03:27 . 2009-01-31 03:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-31 03:23 . 2009-01-31 03:24 <DIR> d-------- c:\program files\SourceTec
2009-01-31 03:23 . 2009-01-31 03:23 <DIR> d-------- c:\program files\Common Files\SourceTec
2009-01-31 03:23 . 2007-03-31 23:00 82,432 --a------ c:\windows\system32\msxml4r.dll
2009-01-31 03:23 . 2007-03-31 23:00 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-01-31 03:19 . 2009-01-31 03:19 <DIR> d-------- c:\program files\Java
2009-01-31 03:19 . 2009-01-31 03:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-31 03:19 . 2009-01-31 03:19 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-31 03:16 . 2009-01-31 23:12 <DIR> d-------- c:\program files\mIRC
2009-01-31 03:16 . 2009-01-31 23:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\mIRC
2009-01-31 03:14 . 2009-01-31 03:14 <DIR> d-------- c:\program files\iTunes
2009-01-31 03:14 . 2009-01-31 03:14 <DIR> d-------- c:\program files\iPod
2009-01-31 03:14 . 2009-01-31 03:14 <DIR> d-------- c:\documents and settings\Owner\Application Data\Apple Computer
2009-01-31 03:14 . 2009-01-31 03:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 03:14 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-31 03:14 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-31 03:13 . 2009-01-31 03:13 <DIR> d-------- c:\program files\QuickTime
2009-01-31 03:13 . 2009-01-31 03:13 <DIR> d-------- c:\program files\Bonjour
2009-01-31 03:13 . 2009-01-31 03:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-31 03:12 . 2009-01-31 10:38 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-31 03:12 . 2009-01-31 03:14 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-31 03:12 . 2009-01-31 03:12 <DIR> d-------- c:\program files\Apple Software Update
2009-01-31 03:12 . 2009-01-31 03:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-31 03:03 . 2009-01-01 03:03 82 --a------ c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2009-01-31 03:02 . 2009-01-31 03:03 <DIR> d-------- c:\program files\CaptureWiz
2009-01-31 02:57 . 2009-01-31 02:58 <DIR> d-------- c:\program files\AnVir Task Manager Free
2009-01-31 02:42 . 2009-01-31 02:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 02:42 . 2009-01-31 02:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 02:42 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 02:42 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 02:32 . 2009-01-31 02:32 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-31 02:07 . 2009-01-31 09:25 <DIR> d-------- c:\program files\BroadJump
2009-01-31 02:04 . 2002-02-13 20:53 6,345 -ra------ c:\windows\system32\DevMngr.vxd
2009-01-31 02:02 . 2005-04-25 06:16 253,952 --------- c:\windows\SBCDSL.exe
2009-01-31 01:44 . 2009-01-31 19:31 207 --a------ c:\windows\LEXSTAT.INI
2009-01-31 01:29 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-31 01:29 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-31 01:29 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-31 01:29 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-31 01:29 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-31 01:29 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-31 01:29 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-31 01:29 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-31 01:29 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-31 01:08 . 2009-01-31 01:08 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-31 00:44 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-31 00:44 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-31 00:43 . 2008-10-15 19:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-31 00:43 . 2008-10-16 14:38 1,160,192 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-31 00:43 . 2008-10-16 14:38 826,368 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-31 00:42 . 2008-12-13 00:40 3,593,216 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-31 00:42 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-31 00:42 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-31 00:42 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-31 00:42 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-31 00:42 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-31 00:41 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-31 00:41 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-31 00:41 . 2008-12-11 04:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-31 00:41 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-31 00:39 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-31 00:39 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-31 00:38 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-31 00:38 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-30 01:13 . 2009-01-31 19:54 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-30 01:06 . 2009-01-30 01:07 316,640 --a------ c:\windows\WMSysPr9.prx
2009-01-30 00:58 . 2009-01-30 01:00 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-30 00:56 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-01-30 00:54 . 2009-01-30 00:54 <DIR> d-------- c:\windows\EHome
2009-01-30 00:27 . 2009-01-30 00:27 <DIR> d-------- c:\program files\Support Tools
2009-01-30 00:19 . 2009-01-30 00:19 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-30 00:17 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-30 00:05 . 2009-02-01 15:00 <DIR> d-------- C:\[ pc)_FULL GAMES Ten Pin Championship Bowling Pro
2009-01-27 04:35 . 2001-09-19 16:47 765,952 --a------ c:\windows\system\crlds3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 08:05 155,995 ----a-w c:\windows\java\Packages\NHVB3D7H.ZIP
2009-01-30 05:51 --------- d-----w c:\program files\Alwil Software
2009-01-30 05:34 --------- d-----w c:\program files\Analog Devices
2009-01-30 05:21 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Microsoft Greetings Reminders.lnk - c:\program files\Microsoft Home Publishing\MHPRMIND.EXE [1998-12-05 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-01-30 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-29 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-30 20560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 16:07:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-01 16:08:13
ComboFix-quarantined-files.txt 2009-02-01 22:08:10

Pre-Run: 152,445,972,480 bytes free
Post-Run: 153,141,870,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

219 --- E O F --- 2009-02-01 01:54:49

#9 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 01 February 2009 - 08:41 PM

Hello, LadyDro
Alright... I'm a bit confused at this point...

Starting from the DDS log above, we are dealing with a completely different machine? Or did you format/reinstall on the same machine?

I'm assuming this is the same machine but you format/reinstalled windows on it.

Do I have that correctly?

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#10 LadyDro
  • Topic Starter

Posted 01 February 2009 - 09:02 PM

Ok, it is a new machine, so the first set of logs is invalid! A new system (not store-new, but new to me). Although I kept and put in one of my original hard drives from the questionable machine, which is why I wanted to go forth with having my logs checked, to be certain I am using a clean machine. So YES, a fresh copy of Windows and a new machine. The new/fresh logs are the last DDS, GMER and ComboFix, and now I will run the new one and be right back with you!

#11 LadyDro
  • Topic Starter

Posted 01 February 2009 - 09:38 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3817 (20090202)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=0e4bdeb889cef448bcee4565bf0bba13
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-02 02:35:43
# local_time=2009-02-01 08:35:43 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=114501
# found=0
# scan_time=1225

#12 Billy O'Neal
  • Malware Response Team

Posted 01 February 2009 - 09:46 PM

Hello, LadyDro
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII

#13 LadyDro
  • Topic Starter

Posted 01 February 2009 - 10:27 PM

Thank you very much for everything! One last question....when I followed the steps to remove ComboFix I received a Trojan warning from my avast....is that normal? Also ComboFix is still there......

2/1/2009 9:19:09 PM SYSTEM 1512 Sign of "Win32:Oliga [Trj]" has been found in "C:\32788R22FWJFW\Tail.com" file.

Edited by LadyDro, 01 February 2009 - 10:29 PM.


#14 Billy O'Neal
  • Malware Response Team

Posted 01 February 2009 - 11:04 PM

That file is part of ComboFix. Your A/V complained when the ComboFix uninstaller attempted to delete the file.

EDIT: You may need to disable your AV program in order to remove CF successfully.

Billy3

Edited by Billy O'Neal, 01 February 2009 - 11:05 PM.


#15 Billy O'Neal
  • Malware Response Team

Posted 03 February 2009 - 08:38 PM

Hello, LadyDro
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
