
Trojan virus!


This topic is locked
4 replies to this topic

#1 Miss_N

Posted 21 April 2009 - 08:29 AM

Hello,
I'm new to this, so my problem is that I got a trojan virus. How did I get it? Well, earlier, while I was surfing, a screen popped up and said that I was infected with a Trojan virus. I ignored it, thinking it was probably one of those cons, and clicked cancel. A bit after, another screen came up showing a screenshot of "My Computer" and said all my files were infected. I actually thought it was real and installed the application it suggested, which was called "Personal Antivirus". It took me seconds after to realise that the screenshot was a CID!!!!

So it was too late. I tried to go into "Add/Remove Programs" and delete it, but it wasn't there. On my computer it's on my desktop, called "PAV", and can't be deleted. So I went online and typed "PAV" into Google, and lots of forums came up with people saying that it can be fixed with ComboFix. So I typed in ComboFix and installed it like it said, and I got the logs from it as well. Can anyone help me?

Here's the log I got from ComboFix:

ComboFix 09-04-21.A1 - User 20/04/2009 12:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.864 [GMT 1:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Symantec Client Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wincontrol.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 13:34 . 2009-04-19 13:34 -------- d-----w c:\documents and settings\User\Application Data\Lenovo
2009-04-19 13:04 . 2009-04-19 13:04 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2009-04-19 13:04 . 2009-04-19 13:04 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ApplicationHistory
2009-04-16 09:36 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 09:36 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 09:36 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 09:36 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 09:36 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 09:36 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 09:36 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 09:36 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 09:36 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 09:35 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 09:35 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 12:41 . 2009-04-10 12:41 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\Identities
2009-04-08 19:18 . 2009-04-08 19:18 0 ----a-w c:\windows\nsreg.dat
2009-04-08 19:18 . 2009-04-08 19:18 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\Mozilla
2009-03-31 15:36 . 2009-03-31 15:36 -------- d-----w c:\windows\system32\KB905474
2009-03-31 15:36 . 2009-03-10 21:26 1403264 ------w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-31 15:36 . 2009-03-10 21:18 453512 ------w c:\windows\system32\KB905474\wgasetup.exe
2009-03-31 15:36 . 2009-02-09 17:51 12490 ------w c:\windows\system32\KB905474\wga_eula.txt
2009-03-29 17:28 . 2009-03-30 13:53 -------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-03-23 02:17 . 2009-03-23 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-03-23 02:06 . 2009-03-23 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\hide cool shim link
2009-03-23 02:05 . 2009-03-23 02:06 -------- d-----w c:\documents and settings\User\Application Data\Drv ref fork
2009-03-23 01:50 . 2009-03-23 01:50 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\Kiwee Toolbar
2009-03-23 01:50 . 2009-03-23 01:50 -------- d-----w c:\documents and settings\LocalService\Application Data\agi
2009-03-23 01:48 . 2009-03-23 01:48 339968 ------w c:\windows\system32\pythoncom25.dll
2009-03-23 01:48 . 2009-03-23 01:48 2117632 ------w c:\windows\system32\python25.dll
2009-03-23 01:48 . 2009-03-23 01:48 114688 ------w c:\windows\system32\pywintypes25.dll
2009-03-23 01:48 . 2008-09-16 16:26 1332197 ------w c:\windows\system32\pythondll.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 11:28 . 2008-12-03 16:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-20 11:18 . 2009-04-20 11:18 850557 ----a-w c:\program files\PAV.zip
2009-04-20 11:16 . 2009-04-20 11:03 -------- d-----w c:\program files\Common Files\Uninstall
2009-04-20 11:16 . 2009-02-18 06:42 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 11:03 . 2009-04-20 11:02 -------- d-----w c:\program files\PAV
2009-04-19 13:04 . 2008-12-03 16:59 127 ----a-w c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
2009-04-18 23:00 . 2008-12-03 16:41 5427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-04-08 09:59 . 2009-02-08 06:03 43528 ------w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-30 13:34 . 2009-03-30 13:34 -------- d-----w c:\program files\TryMedia
2009-03-29 17:27 . 2009-03-29 16:16 -------- d-----w c:\program files\eMule
2009-03-23 02:05 . 2009-03-23 02:05 -------- d-----w c:\program files\Drv ref fork
2009-03-23 02:05 . 2009-03-23 02:05 -------- d-----w c:\program files\Cicle Developement
2009-03-23 02:05 . 2009-02-13 02:56 -------- d-----w c:\program files\Messenger Plus! Live
2009-03-21 14:18 . 2007-04-16 15:52 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-13 01:07 . 2009-03-13 01:07 -------- d-----w c:\documents and settings\All Users\Application Data\pixelStorm
2009-03-09 04:09 . 2009-03-09 04:09 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-09 04:08 . 2009-03-09 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-09 04:05 . 2009-03-09 04:05 -------- d-----w c:\program files\NOS
2009-03-08 23:35 . 2009-03-08 23:35 -------- d-----w c:\documents and settings\User\Application Data\AdobeUM
2009-03-06 14:00 . 1980-01-01 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2009-02-09 04:20 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 1980-01-01 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 19:10 . 2009-02-21 23:33 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 04:54 . 2007-08-14 02:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-28 03:17 . 2009-02-28 03:17 -------- d-----w c:\documents and settings\Guest\Application Data\InterVideo
2009-02-21 23:32 . 2009-02-08 06:17 -------- d-----w c:\program files\Microsoft
2009-02-21 23:32 . 2009-02-21 23:32 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-02-21 23:32 . 2009-02-08 06:16 -------- d-----w c:\program files\Windows Live
2009-02-21 04:35 . 2009-02-21 04:35 -------- d-----w c:\program files\Common Files\Adobe
2009-02-20 10:20 . 2009-02-09 05:49 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2007-08-14 02:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2007-08-14 01:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-20 00:32 . 2009-02-20 00:32 -------- d-----w c:\program files\Nokia
2009-02-10 17:31 . 2009-02-10 17:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2009-02-09 04:10 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 1980-01-01 08:00 1846272 ------w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2007-11-07 09:50 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 1980-01-01 08:00 728576 ------w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 1980-01-01 08:00 617984 ------w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 1980-01-01 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 1980-01-01 08:00 715264 ------w c:\windows\system32\ntdll.dll
2009-02-07 02:52 . 2009-02-07 02:52 49504 ------w c:\windows\system32\sirenacm.dll
2009-02-06 10:32 . 2009-02-09 04:11 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:29 . 2009-02-09 04:11 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:29 . 1980-01-01 08:00 2142720 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 1980-01-01 08:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 09:54 . 1980-01-01 08:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2009-02-09 04:11 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2004-08-04 06:59 2020864 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 09:49 . 2009-02-09 04:11 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 1980-01-01 08:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-12-03 16:27 . 2009-02-28 02:55 136 ------w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2008-12-03 16:27 . 2008-12-03 16:27 136 ------w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Ballbags"="c:\docume~1\User\APPLIC~1\DRVREF~1\Bits bike okay.exe" [2009-03-23 679936]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-10 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-23 106496]
"AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-03-23 69632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-08-19 85696]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-12-22 1988144]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-03 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"SHIM LINK FREE BALL"="c:\documents and settings\All Users\Application Data\hide cool shim link\Grim Tray.exe" [2009-04-20 757760]
"PAV"="c:\program files\PAV\pav.exe" [2009-04-20 983040]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2005-07-13 94208]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-1-17 618557]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-23 10:03 49152 ------w c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 21:01 32768 ------w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16 24576 ------w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfye

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-07 533360]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2005-08-19 124608]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-03-23 4442]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-02-07 55152]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-22 12544]
S2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-11-15 46142]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-22 3968]
S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [2009-03-16 101936]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2005-07-13 13840]

.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\B87AA1C79021526B.job
- c:\docume~1\user\applic~1\drvref~1\BalmSoftwareDebug.exe [2009-03-23 02:06]

2009-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642592244-3905448276-2580478768-1005.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-20 11:19]

2009-04-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-12-03 09:13]

2008-12-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-12-03 01:32]

2009-04-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 21:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4AFC04A3-B551-4B68-9BEB-8677D90150D9} - c:\windows\system32\wincontrol.dll
HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm302YYGB
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Page As PDF ... - file://c:\program files\Nitro PDF\PDF Download\nitroweb.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C} -
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\8jl1m8v9.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 12:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(924)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfye.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll

- - - - - - - > 'explorer.exe'(5164)
c:\windows\system32\PROCHLP.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
.
**************************************************************************
.
Completion time: 2009-04-20 12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 11:38

Pre-Run: 31,667,187,712 bytes free
Post-Run: 31,911,194,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

292 --- E O F --- 2009-04-16 21:21

#2 DocSatan


Posted 21 April 2009 - 08:55 AM

Hello Miss_N and welcome to BleepingComputer!

I'm DocSatan and I will be helping you with your computer problems. Please give me some time to research your ComboFix log and I will get back to you ASAP.

Warning: ComboFix is an extremely powerful program and should not be used by inexperienced users. Please do not follow any other ComboFix advice that you may receive through Internet searches, as these will be specific to the infected computer being worked on. Running ComboFix without the supervision of someone trained in its use could result in an inoperable computer.

In the meantime, please do not make any changes to the computer you are requesting help for. Examples of changes are:
  • Deleting Files and/or Folders
  • Installing/Uninstalling Programs
  • Running Antivirus, AntiSpyware, or AntiMalware programs
  • Etc..
Also, please do not ask for help with the infected computer at another help forum. If you are already working with another help forum, then please post back here in a reply stating so. This way I can help another person in need.

Doc.

#3 DocSatan


Posted 26 April 2009 - 04:51 PM

Miss_N you still with me? Please post back so I know you still are interested in receiving help.

Doc.

#4 DocSatan


Posted 29 April 2009 - 05:02 PM

Hi Miss_N,

TryMedia - Adware

TryMedia is considered Adware:

Please go to Add/Remove Programs and uninstall TryMedia.
Start --> Control Panel --> Add or Remove Programs
  • Find the entry with TryMedia and choose to Uninstall/Remove it.


Run a ComboFix Script

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\program files\PAV.zip

Folder::
c:\program files\PAV
c:\documents and settings\All Users\Application Data\hide cool shim link
c:\documents and settings\User\Application Data\Drv ref fork
c:\program files\Drv ref fork
c:\program files\TryMedia

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ballbags"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SHIM LINK FREE BALL"=-


Save this as CFScript.txt, in the same location as ComboFix.exe.



Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



What I need in your next reply
  • lopR.txt
  • ComboFix.txt
  • Any problems following the Instructions?
Doc.
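Triage of the Run-key entries in a ComboFix log like the one posted above, plus the CFScript `Registry::` syntax DocSatan's script uses, as an added Python example that is not part of this thread or of ComboFix. The sample lines are excerpted from the log above; the user-writable-path and 30-day-recency heuristics are the example's own assumptions, not ComboFix rules, and the flagged list is for an analyst to review, not an automatic verdict.

```python
"""ComboFix "Reg Loading Points" triage helper (added example, not ComboFix's or BleepingComputer's
code): parse Run-key entries as ComboFix prints them, flag autoruns launched from user-writable
profile directories or with a recent file date, and render a CFScript Registry:: block for removal."""
import re
from datetime import date
from typing import NamedTuple, Optional


class RunEntry(NamedTuple):
    key: str                   # registry key as printed between [ ]
    name: str                  # value name, e.g. Ballbags
    path: str                  # launched path, e.g. c:\docume~1\User\APPLIC~1\DRVREF~1\Bits bike okay.exe
    file_date: Optional[date]  # from the trailing [yyyy-mm-dd size], if present


# Key header: [HKEY_...\CurrentVersion\Run]   Entry: "name"="path" ... [yyyy-mm-dd size]
_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:.*?\[(?P<date>\d{4}-\d{2}-\d{2}) \d+\])?')
# Profile data dirs in long and 8.3 form (documents and settings/docume~1, application data/applic~1)
# are writable by a standard user, so an autorun pointing into them deserves review (assumed heuristic).
_USER_WRITABLE_RE = re.compile(
    r'\\(documents and settings|docume~1)\\[^\\]+\\(local settings\\|locals~1\\)?'
    r'(application data|applic~1)\\', re.IGNORECASE)


def parse_run_entries(log_text: str) -> list[RunEntry]:
    """Entries under CurrentVersion\\Run keys; Winlogon\\Notify and other keys are skipped."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current_key = m[1] if m[1].lower().endswith('\\currentversion\\run') else None
        elif current_key and (m := _ENTRY_RE.match(line)):
            d = date.fromisoformat(m['date']) if m['date'] else None
            entries.append(RunEntry(current_key, m['name'], m['path'], d))
    return entries


def triage(entries: list[RunEntry], scan_date: date, recent_days: int = 30) -> dict[str, list[str]]:
    """Value name -> reasons to review; heuristic only (legit Google Update trips both, PAV only the date)."""
    cutoff = scan_date.toordinal() - recent_days
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if _USER_WRITABLE_RE.search(e.path):
            reasons.append('launches from a user-writable profile directory')
        if e.file_date and e.file_date.toordinal() >= cutoff:
            reasons.append(f'file dated {e.file_date}, within {recent_days} days of the scan')
        if reasons:
            findings[e.name] = reasons
    return findings


def build_cfscript(remove: list[RunEntry]) -> str:
    """CFScript Registry:: text, one block per key; "name"=- tells ComboFix to delete the value."""
    lines = ['Registry::']
    for key in dict.fromkeys(e.key for e in remove):  # first-seen order, no repeats
        lines.append(f'[{key}]')
        lines += [f'"{e.name}"=-' for e in remove if e.key == key]
    return '\n'.join(lines) + '\n'


# Excerpt of the Reg Loading Points section from the log posted earlier in this thread.
SCAN_DATE = date(2009, 4, 20)  # completion date printed at the bottom of the posted log
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ballbags"="c:\docume~1\User\APPLIC~1\DRVREF~1\Bits bike okay.exe" [2009-03-23 679936]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SHIM LINK FREE BALL"="c:\documents and settings\All Users\Application Data\hide cool shim link\Grim Tray.exe" [2009-04-20 757760]
"PAV"="c:\program files\PAV\pav.exe" [2009-04-20 983040]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2005-07-13 94208]
'''

if __name__ == '__main__':
    entries = parse_run_entries(SAMPLE_LOG)
    for name, reasons in triage(entries, SCAN_DATE).items():
        print(f'REVIEW {name!r}: ' + '; '.join(reasons))
    # After review: keep Google Update, remove the two rogue values, as DocSatan's script does.
    print(build_cfscript([e for e in entries if e.name in {'Ballbags', 'SHIM LINK FREE BALL'}]))
```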

#5 kahdah


Posted 29 April 2009 - 05:23 PM

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



